Edit tour

Windows Analysis Report
jk98mGM6JH.exe

Overview

General Information

Sample name:	jk98mGM6JH.exe renamed because original name is a hash value
Original sample name:	736549a437da8dacb4c1d31c33ba75b8.exe
Analysis ID:	1393148
MD5:	736549a437da8dacb4c1d31c33ba75b8
SHA1:	7eb5e89620f4a6de369a9667133cb2ef01d27ed3
SHA256:	6fc1848ea0691845f977875ff74a353cbae23c75011c427720ec37659784860f
Tags:	32exe
Infos:

Detection

RisePro Stealer

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Detected unpacking (changes PE section rights)

Multi AV Scanner detection for dropped file

Yara detected RisePro Stealer

Adds extensions / path to Windows Defender exclusion list (Registry)

Binary is likely a compiled AutoIt script file

Disable Windows Defender notifications (registry)

Disable Windows Defender real time protection (registry)

Disables Windows Defender (deletes autostart)

Disables Windows Defender Tamper protection

Exclude list of file types from scheduled, custom, and real-time scanning

Found many strings related to Crypto-Wallets (likely being stolen)

Hides threads from debuggers

Machine Learning detection for dropped file

Machine Learning detection for sample

Modifies Group Policy settings

Modifies windows update settings

PE file contains section with special chars

PE file has nameless sections

Potentially malicious time measurement code found

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Tries to detect sandboxes and other dynamic analysis tools (window names)

Tries to detect virtualization through RDTSC time measurements

Tries to evade debugger and weak emulator (self modifying code)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses schtasks.exe or at.exe to add and modify task schedules

Allocates memory with a write watch (potentially for evading sandboxes)

Checks for debuggers (devices)

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to call native functions

Contains functionality to read the PEB

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Detected potential crypto function

Drops PE files

Drops PE files to the application program directory (C:\ProgramData)

Enables debug privileges

Entry point lies outside standard sections

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found evasive API chain (may stop execution after accessing registry keys)

Found iframes

Found potential string decryption / allocating functions

HTML body contains low number of good links

HTML body contains password input but no form action

IP address seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE file contains an invalid checksum

PE file contains executable resources (Code or Archives)

PE file contains sections with non-standard names

Queries information about the installed CPU (vendor, model number etc)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: Windows Defender Exclusions Added - Registry

Sleep loop found (likely to delay execution)

Tries to load missing DLLs

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64

jk98mGM6JH.exe (PID: 1832 cmdline: C:\Users\user\Desktop\jk98mGM6JH.exe MD5: 736549A437DA8DACB4C1D31C33BA75B8)

schtasks.exe (PID: 1476 cmdline: schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 2012 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 6484 cmdline: schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 5676 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

PLO4plFr34jobsiEh08j.exe (PID: 1612 cmdline: "C:\Users\user\AppData\Local\Temp\heidiVWl4S6kyYSYh\PLO4plFr34jobsiEh08j.exe" MD5: 791ED44F9B3836A68F79B028EF7C49CB)

chrome.exe (PID: 424 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://www.youtube.com/ MD5: 5BBFA6CBDF4C254EB368D534F9E23C92)

chrome.exe (PID: 7796 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2036 --field-trial-handle=1960,i,11993553605994081514,18162534353999161792,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 5BBFA6CBDF4C254EB368D534F9E23C92)

chrome.exe (PID: 3280 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://www.linkedin.com/login MD5: 5BBFA6CBDF4C254EB368D534F9E23C92)

chrome.exe (PID: 7556 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2264 --field-trial-handle=1972,i,16301593684436752617,2012107364916416146,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 5BBFA6CBDF4C254EB368D534F9E23C92)

chrome.exe (PID: 7240 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://www.facebook.com/video MD5: 5BBFA6CBDF4C254EB368D534F9E23C92)

chrome.exe (PID: 7284 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2056 --field-trial-handle=1996,i,17726353602255924015,12176223097910466274,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 5BBFA6CBDF4C254EB368D534F9E23C92)

chrome.exe (PID: 8044 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://accounts.google.com/ MD5: 5BBFA6CBDF4C254EB368D534F9E23C92)

chrome.exe (PID: 8576 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2044 --field-trial-handle=1984,i,8973374208484498469,2501955192980366572,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 5BBFA6CBDF4C254EB368D534F9E23C92)

msedge.exe (PID: 8780 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" https://www.youtube.com MD5: BF154738460E4AB1D388970E1AB13FAB)

msedge.exe (PID: 9416 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2232 --field-trial-handle=2092,i,17673521410042216198,2537652209419044310,262144 /prefetch:3 MD5: BF154738460E4AB1D388970E1AB13FAB)

msedge.exe (PID: 8808 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" https://www.facebook.com/video MD5: BF154738460E4AB1D388970E1AB13FAB)

msedge.exe (PID: 9740 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2224 --field-trial-handle=2096,i,12923574770636312838,3728738922740556079,262144 /prefetch:3 MD5: BF154738460E4AB1D388970E1AB13FAB)

msedge.exe (PID: 9060 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" https://accounts.google.com MD5: BF154738460E4AB1D388970E1AB13FAB)

msedge.exe (PID: 9984 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2296 --field-trial-handle=2160,i,17832719417900444124,13861847247960682782,262144 /prefetch:3 MD5: BF154738460E4AB1D388970E1AB13FAB)

chrome.exe (PID: 9136 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com MD5: 5BBFA6CBDF4C254EB368D534F9E23C92)

chrome.exe (PID: 8368 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.facebook.com/video MD5: 5BBFA6CBDF4C254EB368D534F9E23C92)

chrome.exe (PID: 9280 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" https://accounts.google.com MD5: 5BBFA6CBDF4C254EB368D534F9E23C92)

firefox.exe (PID: 9576 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 9844 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.facebook.com/video MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 10112 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

zqdrYwv5fC6zkQ9Tresm.exe (PID: 8588 cmdline: "C:\Users\user\AppData\Local\Temp\heidiVWl4S6kyYSYh\zqdrYwv5fC6zkQ9Tresm.exe" MD5: 1C8A50F3E51F6AE258F38752193B1448)

Cr6QVRpzwqhYjtnCxFSW.exe (PID: 10132 cmdline: "C:\Users\user\AppData\Local\Temp\heidiVWl4S6kyYSYh\Cr6QVRpzwqhYjtnCxFSW.exe" MD5: 880AA312796089DC66459C024727D591)

MPGPH131.exe (PID: 5048 cmdline: C:\ProgramData\MPGPH131\MPGPH131.exe MD5: 736549A437DA8DACB4C1D31C33BA75B8)

MPGPH131.exe (PID: 2328 cmdline: C:\ProgramData\MPGPH131\MPGPH131.exe MD5: 736549A437DA8DACB4C1D31C33BA75B8)

RageMP131.exe (PID: 3968 cmdline: "C:\Users\user\AppData\Local\RageMP131\RageMP131.exe" MD5: 736549A437DA8DACB4C1D31C33BA75B8)

RageMP131.exe (PID: 9716 cmdline: "C:\Users\user\AppData\Local\RageMP131\RageMP131.exe" MD5: 736549A437DA8DACB4C1D31C33BA75B8)

msedge.exe (PID: 9776 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --flag-switches-begin --flag-switches-end --disable-nacl --do-not-de-elevate https://www.youtube.com MD5: BF154738460E4AB1D388970E1AB13FAB)

msedge.exe (PID: 7344 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2940 --field-trial-handle=2724,i,4482519872048150816,8688360613915830786,262144 /prefetch:3 MD5: BF154738460E4AB1D388970E1AB13FAB)

firefox.exe (PID: 10152 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com --attempting-deelevation MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 3504 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 7360 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2292 -parentBuildID 20230927232528 -prefsHandle 2212 -prefMapHandle 2188 -prefsLen 25250 -prefMapSize 238690 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {07a9cf11-a11c-4267-8dc4-740bf294e4fb} 3504 "\\.\pipe\gecko-crash-server-pipe.3504" 25d8896bf10 socket MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 8756 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3484 -childID 1 -isForBrowser -prefsHandle 3428 -prefMapHandle 3432 -prefsLen 21837 -prefMapSize 238690 -jsInitHandle 1240 -jsInitLen 234236 -parentBuildID 20230927232528 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b753b1f8-541a-487d-8ec8-3be5703ede91} 3504 "\\.\pipe\gecko-crash-server-pipe.3504" 25d99d93310 tab MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 7628 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.facebook.com/video --attempting-deelevation MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 1908 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.facebook.com/video MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 10488 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com --attempting-deelevation MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 10956 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

cleanup

Yara Signatures

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Local\Temp\2DNcPleZ9unxLWQic11TF6k.zip	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security

Memory Dumps

Source	Rule	Description	Author
0000000A.00000002.3050100739.0000000000391000.00000040.00000001.01000000.00000005.sdmp	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
0000000D.00000003.2269427007.00000000050A0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
00000000.00000003.2099303367.0000000004EE0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
00000028.00000002.2665861162.0000000000E51000.00000040.00000001.01000000.0000000D.sdmp	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
00000022.00000003.2508379808.00000000049D0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
00000000.00000002.2670860055.00000000010CC000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
0000000D.00000002.2539923574.0000000001001000.00000040.00000001.01000000.00000007.sdmp	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
00000009.00000003.2159594281.00000000049A0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
00000022.00000002.2670001934.0000000001001000.00000040.00000001.01000000.00000007.sdmp	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
00000000.00000002.2645200426.0000000000611000.00000040.00000001.01000000.00000003.sdmp	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
0000000A.00000003.2161145290.0000000004BB0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
Process Memory Space: jk98mGM6JH.exe PID: 1832	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
Process Memory Space: jk98mGM6JH.exe PID: 1832	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RageMP131.exe PID: 3968	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
Process Memory Space: RageMP131.exe PID: 9716	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
Process Memory Space: Cr6QVRpzwqhYjtnCxFSW.exe PID: 10132	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
Click to see the 11 entries

Sigma Signatures

System Summary

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\jk98mGM6JH.exe, ProcessId: 1832, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RageMP131

Sigma detected: Windows Defender Exclusions Added - Registry

Source: Registry Key set

Author: Christian Burkard (Nextron Systems): Data: Details: 1, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\jk98mGM6JH.exe, ProcessId: 1832, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{853BCFF5-355A-4137-B729-011A9504EFE0}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Exclusions_Extensions

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: http://185.215.113.46/cost/fu.exe22jBF8	Avira URL Cloud: Label: malware
Source: http://185.215.113.46/cost/fu.exegerta	Avira URL Cloud: Label: malware
Source: http://185.215.113.46/cost/well.exeAppData	Avira URL Cloud: Label: malware
Source: http://185.215.113.46/cost/fu.exek	Avira URL Cloud: Label: malware
Source: http://185.215.113.46/cost/well.exe	Avira URL Cloud: Label: malware
Source: http://185.215.113.46/cost/fu.exe	Avira URL Cloud: Label: malware
Source: http://185.215.113.46/cost/fu.exen	Avira URL Cloud: Label: malware
Source: http://185.215.113.46/mine/plaza.exet	Avira URL Cloud: Label: malware
Source: http://185.215.113.46/cost/well.exenBuil6N	Avira URL Cloud: Label: malware
Source: http://185.215.113.46/mine/plaza.exe	Avira URL Cloud: Label: malware
Source: http://185.215.113.46/cost/niks.exed	Avira URL Cloud: Label: malware
Source: http://185.215.113.46/cost/ladas.exel	Avira URL Cloud: Label: malware
Source: http://185.215.113.46/cost/well.exe6	Avira URL Cloud: Label: malware
Source: http://185.215.113.46/cost/fu.exegertaA	Avira URL Cloud: Label: malware

Multi AV Scanner detection for dropped file

Source: C:\ProgramData\MPGPH131\MPGPH131.exe	ReversingLabs: Detection: 42%
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	ReversingLabs: Detection: 42%

Machine Learning detection for dropped file

Source: C:\ProgramData\MPGPH131\MPGPH131.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: jk98mGM6JH.exe

Joe Sandbox ML: detected

Source: C:\Users\user\Desktop\jk98mGM6JH.exe	Code function: 0_2_0062FF60 CryptUnprotectData,CryptUnprotectData,	0_2_0062FF60
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	Code function: 0_2_0062FE80 CryptUnprotectData,CryptUnprotectData,	0_2_0062FE80
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 10_2_003AFF60 CryptUnprotectData,CryptUnprotectData,	10_2_003AFF60

Source: https://www.linkedin.com/login	HTTP Parser: Iframe src: https://accounts.google.com/gsi/button?logo_alignment=center&shape=pill&size=large&text=continue_with&theme=undefined&type=undefined&width=302&client_id=990339570472-k6nqn1tpmitg8pui82bfaun3jrpmiuhs.apps.googleusercontent.com&iframe_id=gsi_757710_990935&as=X1V1e0xZ1dm4f1OCWbpjLA&hl=en_US
Source: https://accounts.google.com/v3/signin/identifier?continue=https%3A%2F%2Faccounts.google.com%2F&followup=https%3A%2F%2Faccounts.google.com%2F&ifkv=ATuJsjxasiJo00Qiy392-82an10TMIjH5EeE5TP4s04Hw8EX8I8GqTWxbza_RYxlKB5u9-OC0tOEPg&passive=1209600&flowName=GlifWebSignIn&flowEntry=ServiceLogin&dsh=S101607509%3A1708035626335480&theme=glif	HTTP Parser: Iframe src: https://accounts.youtube.com/accounts/CheckConnection?pmpo=https%3A%2F%2Faccounts.google.com&v=-1812329813&timestamp=1708035730584
Source: https://accounts.google.com/v3/signin/identifier?continue=https%3A%2F%2Faccounts.google.com%2F&followup=https%3A%2F%2Faccounts.google.com%2F&ifkv=ATuJsjxasiJo00Qiy392-82an10TMIjH5EeE5TP4s04Hw8EX8I8GqTWxbza_RYxlKB5u9-OC0tOEPg&passive=1209600&flowName=GlifWebSignIn&flowEntry=ServiceLogin&dsh=S101607509%3A1708035626335480&theme=glif	HTTP Parser: Iframe src: /_/bscframe

Source: https://accounts.google.com/gsi/button?logo_alignment=center&shape=pill&size=large&text=continue_with&theme=undefined&type=undefined&width=302&client_id=990339570472-k6nqn1tpmitg8pui82bfaun3jrpmiuhs.apps.googleusercontent.com&iframe_id=gsi_757710_990935&as=X1V1e0xZ1dm4f1OCWbpjLA&hl=en_US

HTTP Parser: Number of links: 0

Source: https://www.linkedin.com/login	HTTP Parser: <input type="password" .../> found but no <form action="...
Source: https://accounts.google.com/v3/signin/identifier?continue=https%3A%2F%2Faccounts.google.com%2F&followup=https%3A%2F%2Faccounts.google.com%2F&ifkv=ATuJsjxasiJo00Qiy392-82an10TMIjH5EeE5TP4s04Hw8EX8I8GqTWxbza_RYxlKB5u9-OC0tOEPg&passive=1209600&flowName=GlifWebSignIn&flowEntry=ServiceLogin&dsh=S101607509%3A1708035626335480&theme=glif	HTTP Parser: <input type="password" .../> found but no <form action="...

Source: https://www.linkedin.com/login	HTTP Parser: <input type="password" .../> found
Source: https://accounts.google.com/v3/signin/identifier?continue=https%3A%2F%2Faccounts.google.com%2F&followup=https%3A%2F%2Faccounts.google.com%2F&ifkv=ATuJsjxasiJo00Qiy392-82an10TMIjH5EeE5TP4s04Hw8EX8I8GqTWxbza_RYxlKB5u9-OC0tOEPg&passive=1209600&flowName=GlifWebSignIn&flowEntry=ServiceLogin&dsh=S101607509%3A1708035626335480&theme=glif	HTTP Parser: <input type="password" .../> found
Source: https://www.facebook.com/video	HTTP Parser: <input type="password" .../> found

Source: https://accounts.google.com/gsi/button?logo_alignment=center&shape=pill&size=large&text=continue_with&theme=undefined&type=undefined&width=302&client_id=990339570472-k6nqn1tpmitg8pui82bfaun3jrpmiuhs.apps.googleusercontent.com&iframe_id=gsi_757710_990935&as=X1V1e0xZ1dm4f1OCWbpjLA&hl=en_US	HTTP Parser: No favicon
Source: https://accounts.google.com/v3/signin/identifier?continue=https%3A%2F%2Faccounts.google.com%2F&followup=https%3A%2F%2Faccounts.google.com%2F&ifkv=ATuJsjxasiJo00Qiy392-82an10TMIjH5EeE5TP4s04Hw8EX8I8GqTWxbza_RYxlKB5u9-OC0tOEPg&passive=1209600&flowName=GlifWebSignIn&flowEntry=ServiceLogin&dsh=S101607509%3A1708035626335480&theme=glif	HTTP Parser: No favicon

Source: https://www.linkedin.com/login	HTTP Parser: No <meta name="author".. found
Source: https://accounts.google.com/gsi/button?logo_alignment=center&shape=pill&size=large&text=continue_with&theme=undefined&type=undefined&width=302&client_id=990339570472-k6nqn1tpmitg8pui82bfaun3jrpmiuhs.apps.googleusercontent.com&iframe_id=gsi_757710_990935&as=X1V1e0xZ1dm4f1OCWbpjLA&hl=en_US	HTTP Parser: No <meta name="author".. found
Source: https://accounts.google.com/v3/signin/identifier?continue=https%3A%2F%2Faccounts.google.com%2F&followup=https%3A%2F%2Faccounts.google.com%2F&ifkv=ATuJsjxasiJo00Qiy392-82an10TMIjH5EeE5TP4s04Hw8EX8I8GqTWxbza_RYxlKB5u9-OC0tOEPg&passive=1209600&flowName=GlifWebSignIn&flowEntry=ServiceLogin&dsh=S101607509%3A1708035626335480&theme=glif	HTTP Parser: No <meta name="author".. found
Source: https://www.facebook.com/video	HTTP Parser: No <meta name="author".. found
Source: https://www.facebook.com/video	HTTP Parser: No <meta name="author".. found

Source: https://www.linkedin.com/login	HTTP Parser: No <meta name="copyright".. found
Source: https://accounts.google.com/gsi/button?logo_alignment=center&shape=pill&size=large&text=continue_with&theme=undefined&type=undefined&width=302&client_id=990339570472-k6nqn1tpmitg8pui82bfaun3jrpmiuhs.apps.googleusercontent.com&iframe_id=gsi_757710_990935&as=X1V1e0xZ1dm4f1OCWbpjLA&hl=en_US	HTTP Parser: No <meta name="copyright".. found
Source: https://accounts.google.com/v3/signin/identifier?continue=https%3A%2F%2Faccounts.google.com%2F&followup=https%3A%2F%2Faccounts.google.com%2F&ifkv=ATuJsjxasiJo00Qiy392-82an10TMIjH5EeE5TP4s04Hw8EX8I8GqTWxbza_RYxlKB5u9-OC0tOEPg&passive=1209600&flowName=GlifWebSignIn&flowEntry=ServiceLogin&dsh=S101607509%3A1708035626335480&theme=glif	HTTP Parser: No <meta name="copyright".. found
Source: https://www.facebook.com/video	HTTP Parser: No <meta name="copyright".. found
Source: https://www.facebook.com/video	HTTP Parser: No <meta name="copyright".. found

Source: jk98mGM6JH.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source:

Binary string: E:\offDef\offDef\offDef\obj\Release\offDef.pdb source: zqdrYwv5fC6zkQ9Tresm.exe, 00000019.00000003.2376524029.00000000050D0000.00000004.00001000.00020000.00000000.sdmp, zqdrYwv5fC6zkQ9Tresm.exe, 00000019.00000002.2644817789.0000000000182000.00000040.00000001.01000000.0000000B.sdmp

Change of critical system settings

Adds extensions / path to Windows Defender exclusion list (Registry)

Source: C:\Users\user\Desktop\jk98mGM6JH.exe	Registry key created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{853BCFF5-355A-4137-B729-011A9504EFE0}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions Exclusions_Extensions	Jump to behavior
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	Registry key created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{853BCFF5-355A-4137-B729-011A9504EFE0}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions exe	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Registry key created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{7A9DF558-D1DA-4A98-9FEA-833CADC1CE86}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions Exclusions_Extensions	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Registry key created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{7A9DF558-D1DA-4A98-9FEA-833CADC1CE86}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions exe	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Registry key created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{58F3DD1F-6B96-4659-9F5C-C3B235BF6A97}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions Exclusions_Extensions	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Registry key created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{58F3DD1F-6B96-4659-9F5C-C3B235BF6A97}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions exe	Jump to behavior

Source: C:\Users\user\Desktop\jk98mGM6JH.exe	Code function: 0_2_0061C000 FindFirstFileA,FindNextFileA,SetFileAttributesA,RemoveDirectoryA,__Mtx_unlock,	0_2_0061C000
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	Code function: 0_2_006EB3B5 recv,FindFirstFileExW,	0_2_006EB3B5
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 10_2_0039C000 FindFirstFileA,FindNextFileA,SetFileAttributesA,RemoveDirectoryA,__Mtx_unlock,	10_2_0039C000
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 10_2_0046B3B5 recv,FindFirstFileExW,	10_2_0046B3B5

Source: firefox.exe

Memory has grown: Private usage: 1MB later: 238MB

Source: Joe Sandbox View	IP Address: 13.107.6.158 13.107.6.158
Source: Joe Sandbox View	IP Address: 185.215.113.46 185.215.113.46
Source: Joe Sandbox View	IP Address: 185.215.113.46 185.215.113.46
Source: Joe Sandbox View	IP Address: 34.117.237.239 34.117.237.239

Source: C:\Users\user\Desktop\jk98mGM6JH.exe

Code function: 0_2_0062DB60 recv,WSAStartup,closesocket,socket,connect,closesocket,

0_2_0062DB60

Source: firefox.exe, 00000021.00000002.2386659460.000001716F390000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com equals www.youtube.com (Youtube)
Source: firefox.exe, 00000021.00000002.2386659460.000001716F390000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.comoL equals www.youtube.com (Youtube)
Source: PLO4plFr34jobsiEh08j.exe, 0000000F.00000002.3535890992.0000000000DA3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.facebook.com/video equals www.facebook.com (Facebook)
Source: PLO4plFr34jobsiEh08j.exe, 0000000F.00000002.3535890992.0000000000DA3000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000025.00000002.2479302326.0000019401710000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.facebook.com/video equals www.facebook.com (Facebook)
Source: firefox.exe, 00000025.00000002.2479302326.0000019401710000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.facebook.com/videoa equals www.facebook.com (Facebook)
Source: firefox.exe, 00000029.00000002.2400183079.000001CFAD7C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com --attempting-deelevation equals www.youtube.com (Youtube)
Source: MPGPH131.exe, 0000000A.00000002.3103140639.0000000005D0F000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000002.3106488836.0000000006342000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: .www.linkedin.com equals www.linkedin.com (Linkedin)
Source: MPGPH131.exe, 0000000A.00000002.3106488836.0000000006342000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: .www.linkedin.comDesktop/`17 equals www.linkedin.com (Linkedin)
Source: MPGPH131.exe, 0000000A.00000002.3106488836.0000000006342000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: .www.linkedin.comDesktops/ equals www.linkedin.com (Linkedin)
Source: MPGPH131.exe, 0000000A.00000002.3106488836.0000000006342000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: .www.linkedin.comon.txt equals www.linkedin.com (Linkedin)
Source: firefox.exe, 00000021.00000003.2348096158.000001716F3AC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: 2:o0`0https://www.youtube.com --attempting-deelevationUser equals www.youtube.com (Youtube)
Source: firefox.exe, 00000025.00000003.2385982807.000001940172C000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000025.00000003.2386246776.0000019401742000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000025.00000002.2479716309.0000019401743000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: 7n7https://www.facebook.com/video --attempting-deelevationUser equals www.facebook.com (Facebook)
Source: firefox.exe, 0000002A.00000003.2570259682.0000025D9D760000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002A.00000003.2569951826.0000025D9D793000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000002A.00000003.2857902611.0000025DA1285000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002A.00000003.2570259682.0000025D9D760000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002A.00000003.2569951826.0000025D9D793000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000002A.00000003.2871233509.0000025D9CBE4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8www.facebook.com equals www.facebook.com (Facebook)
Source: firefox.exe, 0000002A.00000003.2889197168.0000025D9CB20000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8www.youtube.com equals www.youtube.com (Youtube)
Source: firefox.exe, 0000002A.00000003.3000180526.0000025DA747D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: </script><link rel="preload" href="https://i.ytimg.com/generate_204" as="fetch"><link as="script" rel="preload" href="https://www.youtube.com/s/desktop/bdb59273/jsbin/desktop_polymer.vflset/desktop_polymer.js" nonce="c40KzathyqN9OZzSpiA7sA"><script src="https://www.youtube.com/s/desktop/bdb59273/jsbin/web-animations-next-lite.min.vflset/web-animations-next-lite.min.js" nonce="c40KzathyqN9OZzSpiA7sA"></script><script src="https://www.youtube.com/s/desktop/bdb59273/jsbin/custom-elements-es5-adapter.vflset/c equals www.youtube.com (Youtube)
Source: MPGPH131.exe, 00000009.00000003.2566880571.0000000005C0A000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2516733304.0000000005D15000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: =https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000025.00000002.2479302326.0000019401710000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: C:\Program Files\Mozilla Firefox\firefox.exehttps://www.facebook.com/video' equals www.facebook.com (Facebook)
Source: firefox.exe, 00000021.00000002.2386659460.000001716F399000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: C:\Program Files\Mozilla Firefox\firefox.exehttps://www.youtube.com equals www.youtube.com (Youtube)
Source: firefox.exe, 00000029.00000002.2400183079.000001CFAD7C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: C:\Program Files\Mozilla Firefox\firefox.exehttps://www.youtube.com--attempting-deelevation equals www.youtube.com (Youtube)
Source: firefox.exe, 00000025.00000002.2479302326.0000019401710000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: C:\Users\user\AppData\Local\Temp\heidiVWl4S6kyYSYh\C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.facebook.com/videoC:\Program Files\Mozilla Firefox\firefox.exeWinsta0\Default% equals www.facebook.com (Facebook)
Source: firefox.exe, 00000021.00000002.2386659460.000001716F390000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: C:\Users\user\AppData\Local\Temp\heidiVWl4S6kyYSYh\C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.comC:\Program Files\Mozilla Firefox\firefox.exeWinsta0\Default+L equals www.youtube.com (Youtube)
Source: firefox.exe, 00000029.00000002.2400183079.000001CFAD7C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: C:\Windows\system32\C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com --attempting-deelevationC:\Program Files\Mozilla Firefox\firefox.exeWinsta0\Default equals www.youtube.com (Youtube)
Source: firefox.exe, 0000002A.00000003.2565805210.0000025DA2A50000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: O^partitionKey=%28https%2Cyoutube.com%29,:https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: MPGPH131.exe, 0000000A.00000002.3103140639.0000000005D0F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \Device\HarddiskVolume3\Users\user\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\https_www.youtube.com_0.indexeddb.leveldb\000003.log equals www.youtube.com (Youtube)
Source: MPGPH131.exe, 0000000A.00000002.3118921927.0000000007022000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \Device\HarddiskVolume3\Users\user\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\https_www.youtube.com_0.indexeddb.leveldb\LOCK equals www.youtube.com (Youtube)
Source: MPGPH131.exe, 0000000A.00000002.3118921927.0000000007022000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \Device\HarddiskVolume3\Users\user\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\https_www.youtube.com_0.indexeddb.leveldb\LOCKFt,) equals www.youtube.com (Youtube)
Source: MPGPH131.exe, 0000000A.00000002.3118921927.0000000007022000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \Device\HarddiskVolume3\Users\user\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\https_www.youtube.com_0.indexeddb.leveldb\LOG equals www.youtube.com (Youtube)
Source: MPGPH131.exe, 0000000A.00000002.3078808474.0000000000D72000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \Device\HarddiskVolume3\Users\user\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\https_www.youtube.com_0.indexeddb.leveldb\MANIFEST-000001 equals www.youtube.com (Youtube)
Source: MPGPH131.exe, 0000000A.00000002.3078808474.0000000000D72000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \Device\HarddiskVolume3\Users\user\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\https_www.youtube.com_0.indexeddb.leveldb\MANIFEST-0000011> equals www.youtube.com (Youtube)
Source: MPGPH131.exe, 0000000A.00000002.3103140639.0000000005D0F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \Device\HarddiskVolume3\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_www.youtube.com_0.indexeddb.leveldb\000003.log equals www.youtube.com (Youtube)
Source: MPGPH131.exe, 0000000A.00000002.3103140639.0000000005D0F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \Device\HarddiskVolume3\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_www.youtube.com_0.indexeddb.leveldb\000003.log9z equals www.youtube.com (Youtube)
Source: MPGPH131.exe, 0000000A.00000002.3103140639.0000000005D0F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \Device\HarddiskVolume3\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_www.youtube.com_0.indexeddb.leveldb\000003.logghn){0 equals www.youtube.com (Youtube)
Source: MPGPH131.exe, 0000000A.00000002.3102589706.0000000005B98000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000002.3120396330.00000000071C2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \Device\HarddiskVolume3\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_www.youtube.com_0.indexeddb.leveldb\LOCK equals www.youtube.com (Youtube)
Source: MPGPH131.exe, 0000000A.00000002.3102589706.0000000005B98000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000002.3120396330.00000000071C2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \Device\HarddiskVolume3\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_www.youtube.com_0.indexeddb.leveldb\LOG equals www.youtube.com (Youtube)
Source: MPGPH131.exe, 0000000A.00000002.3078808474.0000000000D72000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \Device\HarddiskVolume3\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_www.youtube.com_0.indexeddb.leveldb\MANIFEST-000001 equals www.youtube.com (Youtube)
Source: MPGPH131.exe, 0000000A.00000002.3078808474.0000000000D72000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \Device\HarddiskVolume3\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_www.youtube.com_0.indexeddb.leveldb\MANIFEST-000001Set: equals www.youtube.com (Youtube)
Source: MPGPH131.exe, 0000000A.00000002.3078808474.0000000000D72000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \Device\HarddiskVolume3\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_www.youtube.com_0.indexeddb.leveldb\MANIFEST-000001Si equals www.youtube.com (Youtube)
Source: firefox.exe, 0000002A.00000003.2871233509.0000025D9CB3A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: `https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000002A.00000003.2871233509.0000025D9CB3A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: `https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000002A.00000003.2871233509.0000025D9CB46000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: about:certerror?e=nssBadCert&u=https%3A//www.youtube.com/&c=UTF-8&d=%20 equals www.youtube.com (Youtube)
Source: MPGPH131.exe, 0000000A.00000003.2516733304.0000000005D10000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://facebook.com/https://www.facebook.com/videofacebook.com/videoA equals www.facebook.com (Facebook)
Source: MPGPH131.exe, 0000000A.00000003.2516733304.0000000005D10000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://facebook.com/https://www.facebook.com/videofacebook.com/videoB equals www.facebook.com (Facebook)
Source: firefox.exe, 0000002A.00000003.3013298836.0000025DA333D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.facebook.com equals www.facebook.com (Facebook)
Source: firefox.exe, 0000002A.00000003.2874737929.0000025D9C496000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002A.00000003.2570259682.0000025D9D760000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002A.00000003.2569951826.0000025D9D793000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: MPGPH131.exe, 00000009.00000003.2566880571.0000000005C0A000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000002.3078808474.0000000000D72000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000002.3106488836.0000000006342000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.facebook.com/video equals www.facebook.com (Facebook)
Source: PLO4plFr34jobsiEh08j.exe, 0000000F.00000002.3535890992.0000000000DA3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.facebook.com/video( equals www.facebook.com (Facebook)
Source: PLO4plFr34jobsiEh08j.exe, 0000000F.00000002.3535890992.0000000000DA3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.facebook.com/video3 equals www.facebook.com (Facebook)
Source: PLO4plFr34jobsiEh08j.exe, 0000000F.00000002.3535890992.0000000000D78000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.facebook.com/videoG equals www.facebook.com (Facebook)
Source: PLO4plFr34jobsiEh08j.exe, 0000000F.00000002.3535890992.0000000000D78000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.facebook.com/videoU equals www.facebook.com (Facebook)
Source: MPGPH131.exe, 0000000A.00000002.3078808474.0000000000D72000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.facebook.com/videob equals www.facebook.com (Facebook)
Source: PLO4plFr34jobsiEh08j.exe, 0000000F.00000002.3535890992.0000000000DF2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.facebook.com/videoy equals www.facebook.com (Facebook)
Source: PLO4plFr34jobsiEh08j.exe, 0000000F.00000002.3535890992.0000000000DA3000.00000004.00000020.00020000.00000000.sdmp, PLO4plFr34jobsiEh08j.exe, 0000000F.00000002.3535890992.0000000000D78000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.linkedin.com/login equals www.linkedin.com (Linkedin)
Source: PLO4plFr34jobsiEh08j.exe, 0000000F.00000002.3535890992.0000000000DA3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.linkedin.com/login[p equals www.linkedin.com (Linkedin)
Source: PLO4plFr34jobsiEh08j.exe, 0000000F.00000002.3535890992.0000000000DA3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.linkedin.com/login_s equals www.linkedin.com (Linkedin)
Source: PLO4plFr34jobsiEh08j.exe, 0000000F.00000002.3535890992.0000000000DA3000.00000004.00000020.00020000.00000000.sdmp, PLO4plFr34jobsiEh08j.exe, 0000000F.00000002.3535890992.0000000000DF2000.00000004.00000020.00020000.00000000.sdmp, PLO4plFr34jobsiEh08j.exe, 0000000F.00000002.3535890992.0000000000D78000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com equals www.youtube.com (Youtube)
Source: PLO4plFr34jobsiEh08j.exe, 0000000F.00000002.3535890992.0000000000DA3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com! equals www.youtube.com (Youtube)
Source: MPGPH131.exe, 0000000A.00000002.3106488836.0000000006342000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: MPGPH131.exe, 0000000A.00000002.3078808474.0000000000D72000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000002.3106488836.0000000006342000.00000004.00000020.00020000.00000000.sdmp, PLO4plFr34jobsiEh08j.exe, 0000000F.00000002.3535890992.0000000000DA3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000002A.00000003.2877679617.0000025DA5FB8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002A.00000003.3008882516.0000025DA5FB8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000002A.00000003.2877679617.0000025DA5FB8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002A.00000003.3008882516.0000025DA5FB8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 0000002A.00000003.2877679617.0000025DA5FB8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002A.00000003.3008882516.0000025DA5FB8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: PLO4plFr34jobsiEh08j.exe, 0000000F.00000002.3535890992.0000000000DA3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/Q equals www.youtube.com (Youtube)
Source: MPGPH131.exe, 0000000A.00000002.3106488836.0000000006342000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/d equals www.youtube.com (Youtube)
Source: MPGPH131.exe, 0000000A.00000002.3106488836.0000000006342000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/ei":{"c: equals www.youtube.com (Youtube)
Source: MPGPH131.exe, 0000000A.00000002.3078808474.0000000000D72000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/l8uJgji equals www.youtube.com (Youtube)
Source: PLO4plFr34jobsiEh08j.exe, 0000000F.00000002.3535890992.0000000000DA3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/y equals www.youtube.com (Youtube)
Source: MPGPH131.exe, 0000000A.00000003.2516733304.0000000005D10000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://youtube.com/https://www.youtube.com/youtube.com equals www.youtube.com (Youtube)
Source: MPGPH131.exe, 0000000A.00000003.2516733304.0000000005D10000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://youtube.com/https://www.youtube.com/youtube.comQ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000025.00000003.2385982807.000001940172C000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000025.00000002.2479302326.000001940173A000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000025.00000003.2409319591.0000019401739000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: s://www.facebook.com/video --attempting-deelevation equals www.facebook.com (Facebook)
Source: firefox.exe, 00000021.00000002.2386659460.000001716F399000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: s://www.youtube.com --attempting-deelevation equals www.youtube.com (Youtube)
Source: firefox.exe, 0000002A.00000003.3008882516.0000025DA5FB8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: tlsflags0x00000000:www.facebook.com:443^partitionKey=%28https%2Cfacebook.com%29 equals www.facebook.com (Facebook)
Source: PLO4plFr34jobsiEh08j.exe, 0000000F.00000002.3535890992.0000000000D78000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: vs://www.facebook.com/video equals www.facebook.com (Facebook)
Source: PLO4plFr34jobsiEh08j.exe, 0000000F.00000002.3535890992.0000000000DD8000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000002A.00000003.3015579017.0000025DA2F90000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002A.00000003.3008882516.0000025DA5FB8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.facebook.com equals www.facebook.com (Facebook)
Source: PLO4plFr34jobsiEh08j.exe, 0000000F.00000002.3535890992.0000000000DD8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: www.facebook.com"P# equals www.facebook.com (Facebook)
Source: PLO4plFr34jobsiEh08j.exe, 0000000F.00000002.3535890992.0000000000DD8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: www.linkedin.com equals www.linkedin.com (Linkedin)
Source: PLO4plFr34jobsiEh08j.exe, 0000000F.00000002.3535890992.0000000000DD8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: www.linkedin.comZPk equals www.linkedin.com (Linkedin)
Source: PLO4plFr34jobsiEh08j.exe, 0000000F.00000002.3535890992.0000000000DD8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: www.linkedin.comdPa equals www.linkedin.com (Linkedin)
Source: PLO4plFr34jobsiEh08j.exe, 0000000F.00000002.3535890992.0000000000DA3000.00000004.00000020.00020000.00000000.sdmp, PLO4plFr34jobsiEh08j.exe, 0000000F.00000002.3535890992.0000000000DD8000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000002A.00000003.2559294871.0000025D9D690000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.youtube.com equals www.youtube.com (Youtube)
Source: PLO4plFr34jobsiEh08j.exe, 0000000F.00000002.3535890992.0000000000D78000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: www.youtube.comZ equals www.youtube.com (Youtube)
Source: PLO4plFr34jobsiEh08j.exe, 0000000F.00000002.3535890992.0000000000D78000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: www.youtube.comv equals www.youtube.com (Youtube)
Source: firefox.exe, 0000002A.00000003.2565805210.0000025DA2A50000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: xO^partitionKey=%28https%2Cyoutube.com%29,:https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000002A.00000003.2871233509.0000025D9CB46000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: xabout:certerror?e=nssBadCert&u=https%3A//www.youtube.com/&c=UTF-8&d=%20 equals www.youtube.com (Youtube)
Source: firefox.exe, 0000002A.00000003.3008882516.0000025DA5FB8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: xtlsflags0x00000000:www.facebook.com:443^partitionKey=%28https%2Cfacebook.com%29 equals www.facebook.com (Facebook)

Source: firefox.exe, 0000002A.00000003.2855426882.0000025DA2EF0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002A.00000003.3017006577.0000025DA2EF0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:
Source: RageMP131.exe, 00000022.00000002.2657858021.00000000006DB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://13.46/cexe
Source: jk98mGM6JH.exe, 00000000.00000002.2670860055.0000000001104000.00000004.00000020.00020000.00000000.sdmp, jk98mGM6JH.exe, 00000000.00000002.2761057014.000000000605F000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2588693585.0000000000E76000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2586382834.0000000000E76000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2514029667.0000000000E76000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2582587481.0000000000E76000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2591400353.0000000000E76000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2603704872.0000000000E76000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2571175674.0000000000E76000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2605609465.0000000000E76000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2551332362.0000000000D8A000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000002.3078808474.0000000000D72000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2512497916.0000000000D8A000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2567719088.0000000000D8A000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2574783511.0000000000D8A000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2561440707.0000000000D8A000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2536830785.0000000000D8A000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000D.00000002.2536747684.0000000000C5A000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000022.00000002.2657858021.000000000066B000.00000004.00000020.00020000.00000000.sdmp, Cr6QVRpzwqhYjtnCxFSW.exe, 00000028.00000002.2650610233.000000000077E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.46/cost/fu.exe
Source: MPGPH131.exe, 0000000A.00000003.2551332362.0000000000D8A000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000002.3078808474.0000000000D72000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2512497916.0000000000D8A000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2567719088.0000000000D8A000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2574783511.0000000000D8A000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2561440707.0000000000D8A000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2536830785.0000000000D8A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.46/cost/fu.exe(L
Source: RageMP131.exe, 00000022.00000002.2657858021.000000000066B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.46/cost/fu.exe22jBF8
Source: MPGPH131.exe, 0000000A.00000002.3078808474.0000000000D72000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.46/cost/fu.exegerta
Source: jk98mGM6JH.exe, 00000000.00000002.2670860055.0000000001104000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.46/cost/fu.exegertaA
Source: RageMP131.exe, 0000000D.00000002.2536747684.0000000000C5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.46/cost/fu.exek
Source: jk98mGM6JH.exe, 00000000.00000002.2761057014.000000000605F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.46/cost/fu.exen
Source: Cr6QVRpzwqhYjtnCxFSW.exe, 00000028.00000002.2650610233.000000000077E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.46/cost/ladas.exe
Source: jk98mGM6JH.exe, 00000000.00000002.2670860055.0000000001104000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.46/cost/ladas.exel
Source: MPGPH131.exe, 00000009.00000003.2605609465.0000000000E76000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2551332362.0000000000D8A000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000002.3078808474.0000000000D72000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000002.3121450909.00000000072D9000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2512497916.0000000000D8A000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2567719088.0000000000D8A000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2574783511.0000000000D8A000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2561440707.0000000000D8A000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2536830785.0000000000D8A000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000D.00000002.2536747684.0000000000C5A000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000022.00000002.2657858021.00000000006DB000.00000004.00000020.00020000.00000000.sdmp, Cr6QVRpzwqhYjtnCxFSW.exe, 00000028.00000002.2650610233.000000000077E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.46/cost/niks.exe
Source: Cr6QVRpzwqhYjtnCxFSW.exe, 00000028.00000002.2650610233.000000000077E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.46/cost/niks.exeBuild:
Source: MPGPH131.exe, 0000000A.00000003.2551332362.0000000000D8A000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000002.3078808474.0000000000D72000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2512497916.0000000000D8A000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2567719088.0000000000D8A000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2574783511.0000000000D8A000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2561440707.0000000000D8A000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2536830785.0000000000D8A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.46/cost/niks.exeJm(J
Source: RageMP131.exe, 00000022.00000002.2657858021.00000000006DB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.46/cost/niks.exed
Source: RageMP131.exe, 00000022.00000002.2657858021.00000000006B2000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000022.00000002.2657858021.00000000006DB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.46/cost/well.exe
Source: jk98mGM6JH.exe, 00000000.00000002.2761057014.00000000060A9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.46/cost/well.exe6
Source: jk98mGM6JH.exe, 00000000.00000002.2761057014.0000000006083000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.46/cost/well.exeAppData
Source: MPGPH131.exe, 0000000A.00000002.3121450909.00000000072D9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.46/cost/well.exeX
Source: MPGPH131.exe, 0000000A.00000003.2551332362.0000000000D8A000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000002.3078808474.0000000000D72000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2512497916.0000000000D8A000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2567719088.0000000000D8A000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2574783511.0000000000D8A000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2561440707.0000000000D8A000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2536830785.0000000000D8A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.46/cost/well.exeb
Source: jk98mGM6JH.exe, 00000000.00000002.2670860055.0000000001104000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.46/cost/well.exee
Source: jk98mGM6JH.exe, 00000000.00000002.2761057014.00000000060A9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.46/cost/well.exeles
Source: RageMP131.exe, 00000022.00000002.2657858021.00000000006DB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.46/cost/well.exenBuil6N
Source: jk98mGM6JH.exe, 00000000.00000002.2670860055.0000000001104000.00000004.00000020.00020000.00000000.sdmp, jk98mGM6JH.exe, 00000000.00000002.2761057014.0000000006083000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2588693585.0000000000E76000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2586382834.0000000000E76000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2514029667.0000000000E76000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2582587481.0000000000E76000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2591400353.0000000000E76000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2603704872.0000000000E76000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2571175674.0000000000E76000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2605609465.0000000000E76000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2551332362.0000000000D8A000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000002.3078808474.0000000000D72000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000002.3121450909.00000000072D9000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000002.3120713333.000000000724C000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2512497916.0000000000D8A000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2567719088.0000000000D8A000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2574783511.0000000000D8A000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2561440707.0000000000D8A000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2536830785.0000000000D8A000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000D.00000002.2536747684.0000000000C5A000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000022.00000002.2657858021.00000000006DB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.46/mine/plaza.exe
Source: MPGPH131.exe, 0000000A.00000002.3120713333.000000000724C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.46/mine/plaza.exeRecorded
Source: MPGPH131.exe, 0000000A.00000003.2551332362.0000000000D8A000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000002.3078808474.0000000000D72000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2512497916.0000000000D8A000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2567719088.0000000000D8A000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2574783511.0000000000D8A000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2561440707.0000000000D8A000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2536830785.0000000000D8A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.46/mine/plaza.exet
Source: firefox.exe, 0000002A.00000003.2914161348.0000025D9CAF3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: firefox.exe, 0000002A.00000003.2914161348.0000025D9CAF3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: firefox.exe, 0000002A.00000003.2874737929.0000025D9C483000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.pki.goog/gsr1/gsr1.crl0;
Source: firefox.exe, 0000002A.00000003.2874737929.0000025D9C483000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002A.00000003.2914161348.0000025D9CAF3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.pki.goog/gtsr1/gtsr1.crl0W
Source: firefox.exe, 0000002A.00000003.2914161348.0000025D9CAF3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: firefox.exe, 0000002A.00000003.2914161348.0000025D9CAF3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: firefox.exe, 0000002A.00000003.2914161348.0000025D9CAF3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: firefox.exe, 0000002A.00000003.2914161348.0000025D9CAF3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: firefox.exe, 0000002A.00000003.3001881155.0000025DA740B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002A.00000003.2876283032.0000025DA740B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002A.00000003.2889982783.0000025D9B7DE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002A.00000003.2876283032.0000025DA741D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crls.pki.goog/gts1c3/fVJxbV-Ktmk.crl0
Source: firefox.exe, 0000002A.00000003.2914161348.0000025D9CAF3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: firefox.exe, 0000002A.00000003.2567909028.0000025DA1292000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002A.00000003.2846296858.0000025DA6B72000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002A.00000003.2857902611.0000025DA1285000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002A.00000003.3007802806.0000025DA6B72000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002A.00000003.2868336724.0000025D9D769000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://detectportal.firefox.com
Source: firefox.exe, 0000002A.00000003.2871233509.0000025D9CB46000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://detectportal.firefox.com/canonical.html
Source: firefox.exe, 0000002A.00000003.2868065030.0000025D9D792000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://detectportal.firefox.com/success.txt?ipv4
Source: firefox.exe, 0000002A.00000003.2868065030.0000025D9D792000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002A.00000003.2888666753.0000025D9CBED000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://detectportal.firefox.com/success.txt?ipv6
Source: zqdrYwv5fC6zkQ9Tresm.exe, 00000019.00000002.2669069049.00000000013A9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://go.mic
Source: firefox.exe, 0000002A.00000003.2871233509.0000025D9CB97000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://json-schema.org/draft-04/schema#
Source: firefox.exe, 0000002A.00000003.2871233509.0000025D9CB97000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://json-schema.org/draft-06/schema#
Source: firefox.exe, 0000002A.00000003.2871233509.0000025D9CB97000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://json-schema.org/draft-07/schema#-
Source: firefox.exe, 0000002A.00000003.2838482055.0000025DA704D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://mozilla.o
Source: firefox.exe, 0000002A.00000003.2871233509.0000025D9CB97000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://mozilla.org
Source: firefox.exe, 0000002A.00000003.2997069473.0000025D9B62D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002A.00000003.2969955150.0000025DA706D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002A.00000003.2838482055.0000025DA7071000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://mozilla.org/
Source: firefox.exe, 0000002A.00000003.2567909028.0000025DA1292000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002A.00000003.3001881155.0000025DA740B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002A.00000003.2785555547.0000025D9827F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002A.00000003.2982409537.0000025D98396000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002A.00000003.2877038248.0000025D99B1B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002A.00000003.2851446275.0000025DA3327000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002A.00000003.3004996804.0000025DA7348000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002A.00000003.2789678989.0000025D98B45000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002A.00000003.2790125806.0000025D98BF6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002A.00000003.2805681316.0000025D9889F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002A.00000003.2836960295.0000025D983CC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002A.00000003.2616425023.0000025D988AB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002A.00000003.2784587168.0000025D98B34000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002A.00000003.2684449918.0000025D98282000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002A.00000003.2805681316.0000025D988B0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002A.00000003.2755939146.0000025D9492F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002A.00000003.2823879379.0000025D988B8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002A.00000003.2955573200.0000025D98BE4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002A.00000003.2857902611.0000025DA1285000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002A.00000003.2620749654.0000025DA117D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002A.00000003.2670258020.0000025D9492F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://mozilla.org/MPL/2.0/.
Source: firefox.exe, 0000002A.00000003.2914161348.0000025D9CAF3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: firefox.exe, 0000002A.00000003.2877679617.0000025DA5FB8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002A.00000003.3008882516.0000025DA5FB8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.pki.goog/
Source: firefox.exe, 0000002A.00000003.2874737929.0000025D9C483000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.pki.goog/gsr10)
Source: firefox.exe, 0000002A.00000003.2857902611.0000025DA1285000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.pki.goog/gts1c3
Source: firefox.exe, 0000002A.00000003.3001881155.0000025DA740B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002A.00000003.2876283032.0000025DA740B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002A.00000003.2889982783.0000025D9B7DE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002A.00000003.2876283032.0000025DA741D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.pki.goog/gts1c301
Source: firefox.exe, 0000002A.00000003.2874737929.0000025D9C483000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002A.00000003.2914161348.0000025D9CAF3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.pki.goog/gtsr100
Source: firefox.exe, 0000002A.00000003.2914161348.0000025D9CAF3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: Cr6QVRpzwqhYjtnCxFSW.exe, 00000028.00000002.2668233517.00000000014A1000.00000040.00000001.01000000.0000000D.sdmp, Cr6QVRpzwqhYjtnCxFSW.exe, 00000028.00000000.2348106157.0000000001743000.00000080.00000001.01000000.0000000D.sdmp	String found in binary or memory: http://pki-crl.symauth.com/ca_732b6ec148d290c0a071efd1dac8e288/LatestCRL.crl07
Source: Cr6QVRpzwqhYjtnCxFSW.exe, 00000028.00000002.2668233517.00000000014A1000.00000040.00000001.01000000.0000000D.sdmp, Cr6QVRpzwqhYjtnCxFSW.exe, 00000028.00000000.2348106157.0000000001743000.00000080.00000001.01000000.0000000D.sdmp	String found in binary or memory: http://pki-crl.symauth.com/offlineca/TheInstituteofElectricalandElectronicsusersIncIEEERootCA.cr
Source: Cr6QVRpzwqhYjtnCxFSW.exe, 00000028.00000002.2668233517.00000000014A1000.00000040.00000001.01000000.0000000D.sdmp, Cr6QVRpzwqhYjtnCxFSW.exe, 00000028.00000000.2348106157.0000000001743000.00000080.00000001.01000000.0000000D.sdmp	String found in binary or memory: http://pki-ocsp.symauth.com0
Source: firefox.exe, 0000002A.00000003.2874737929.0000025D9C483000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pki.goog/gsr1/gsr1.crt02
Source: firefox.exe, 0000002A.00000003.3001881155.0000025DA740B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002A.00000003.2876283032.0000025DA740B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002A.00000003.2889982783.0000025D9B7DE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002A.00000003.2876283032.0000025DA741D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pki.goog/repo/certs/gts1c3.der0
Source: firefox.exe, 0000002A.00000003.2874737929.0000025D9C483000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002A.00000003.2914161348.0000025D9CAF3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pki.goog/repo/certs/gtsr1.der04
Source: firefox.exe, 0000002A.00000003.2868987909.0000025D9D438000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://r3.i.lencr.org/0
Source: firefox.exe, 0000002A.00000003.2575167409.0000025D9D438000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://r3.i.lencr.org/0.
Source: firefox.exe, 0000002A.00000003.2868987909.0000025D9D438000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002A.00000003.2575167409.0000025D9D438000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://r3.o.lencr.org0
Source: firefox.exe, 0000002A.00000003.2576185535.0000025D9AB6B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul
Source: jk98mGM6JH.exe, 00000000.00000003.2099303367.0000000004EE0000.00000004.00001000.00020000.00000000.sdmp, jk98mGM6JH.exe, 00000000.00000002.2645200426.0000000000611000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000009.00000003.2159594281.00000000049A0000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000002.3050100739.0000000000391000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 0000000A.00000003.2161145290.0000000004BB0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000000D.00000003.2269427007.00000000050A0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000000D.00000002.2539923574.0000000001001000.00000040.00000001.01000000.00000007.sdmp, RageMP131.exe, 00000022.00000003.2508379808.00000000049D0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000022.00000002.2670001934.0000000001001000.00000040.00000001.01000000.00000007.sdmp, Cr6QVRpzwqhYjtnCxFSW.exe, 00000028.00000002.2665861162.0000000000E51000.00000040.00000001.01000000.0000000D.sdmp	String found in binary or memory: http://www.winimage.com/zLibDll
Source: firefox.exe, 0000002A.00000003.2914161348.0000025D9CAF3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002A.00000003.2868987909.0000025D9D438000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002A.00000003.2575167409.0000025D9D438000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.c.lencr.org/0
Source: firefox.exe, 0000002A.00000003.2914161348.0000025D9CAF3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002A.00000003.2868987909.0000025D9D438000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002A.00000003.2575167409.0000025D9D438000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.i.lencr.org/0
Source: firefox.exe, 0000002A.00000003.2480242544.0000025D98800000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002A.00000003.2480764925.0000025D98A07000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002A.00000003.2482353490.0000025D98A4A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.duckduckgo.com/ac/
Source: jk98mGM6JH.exe, 00000000.00000003.2182856234.0000000006048000.00000004.00000020.00020000.00000000.sdmp, jk98mGM6JH.exe, 00000000.00000003.2189976218.0000000006075000.00000004.00000020.00020000.00000000.sdmp, jk98mGM6JH.exe, 00000000.00000003.2185089579.0000000006061000.00000004.00000020.00020000.00000000.sdmp, jk98mGM6JH.exe, 00000000.00000003.2185729135.0000000006063000.00000004.00000020.00020000.00000000.sdmp, jk98mGM6JH.exe, 00000000.00000003.2185578857.0000000006063000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2551384293.0000000005C1C000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2576867180.0000000005C46000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2553718200.0000000005D27000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: firefox.exe, 0000002A.00000003.2856989279.0000025DA12EC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002A.00000003.2889982783.0000025D9B7DE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.firefox.com/
Source: firefox.exe, 0000002A.00000003.2864408444.0000025DA0F53000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.firefox.comK
Source: firefox.exe, 0000002A.00000003.2888666753.0000025D9CBED000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com
Source: firefox.exe, 0000002A.00000003.2565805210.0000025DA2A32000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002A.00000003.2566693202.0000025DA286F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002A.00000003.2792132402.0000025D995D6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/
Source: firefox.exe, 0000002A.00000003.2868987909.0000025D9D449000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/&followup=https://accounts.google.com/&passive=1209600&ifkv=ATuJsjxfLX6W
Source: PLO4plFr34jobsiEh08j.exe, 0000000F.00000002.3535890992.0000000000DD8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/3
Source: PLO4plFr34jobsiEh08j.exe, 0000000F.00000002.3535890992.0000000000DA3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/C
Source: firefox.exe, 0000002A.00000003.2880089736.0000025DA284E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002A.00000003.2862799593.0000025DA1087000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002A.00000003.3001881155.0000025DA7405000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/InteractiveLogin?continue=https://accounts.google.com/&followup=https://
Source: MPGPH131.exe, 0000000A.00000002.3120615821.0000000007226000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000002A.00000003.3000180526.0000025DA7482000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002A.00000003.2867490495.0000025D9D898000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002A.00000003.2874737929.0000025D9C496000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002A.00000003.2867490495.0000025D9D8BA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002A.00000003.2889197168.0000025D9CB31000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002A.00000003.2880089736.0000025DA284E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002A.00000003.2862799593.0000025DA1087000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/ServiceLogin?passive=1209600&continue=https%3A%2F%2Faccounts.google.com%
Source: MPGPH131.exe, 0000000A.00000002.3078808474.0000000000D72000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/Yoc
Source: firefox.exe, 0000002A.00000003.2862799593.0000025DA1087000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/moc.elgoog.stnuocca.
Source: PLO4plFr34jobsiEh08j.exe, 0000000F.00000002.3535890992.0000000000DA3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/pp
Source: firefox.exe, 0000002A.00000003.3017006577.0000025DA2EF0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002A.00000003.2880089736.0000025DA284E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/v3/signin/identifier?continue=https%3A%2F%2Faccounts.google.com%2F&follo
Source: PLO4plFr34jobsiEh08j.exe, 0000000F.00000002.3535890992.0000000000DA3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com1
Source: PLO4plFr34jobsiEh08j.exe, 0000000F.00000002.3535890992.0000000000D78000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.comB
Source: PLO4plFr34jobsiEh08j.exe, 0000000F.00000002.3529684760.0000000000990000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000027.00000002.2443870042.0000020FCB850000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.comC:
Source: PLO4plFr34jobsiEh08j.exe, 0000000F.00000002.3535890992.0000000000D78000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.comP
Source: PLO4plFr34jobsiEh08j.exe, 0000000F.00000002.3535890992.0000000000DA3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.comQ
Source: PLO4plFr34jobsiEh08j.exe, 0000000F.00000002.3535890992.0000000000D78000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.comeo
Source: PLO4plFr34jobsiEh08j.exe, 0000000F.00000002.3535890992.0000000000D78000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.comeo6
Source: PLO4plFr34jobsiEh08j.exe, 0000000F.00000002.3535890992.0000000000DA3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.comi
Source: PLO4plFr34jobsiEh08j.exe, 0000000F.00000002.3535890992.0000000000D78000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.comx
Source: PLO4plFr34jobsiEh08j.exe, 0000000F.00000002.3535890992.0000000000DA3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.comxv
Source: PLO4plFr34jobsiEh08j.exe, 0000000F.00000002.3535890992.0000000000DA3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.comy
Source: firefox.exe, 0000002A.00000003.2871233509.0000025D9CB46000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://allegro.pl/
Source: firefox.exe, 0000002A.00000003.3001881155.0000025DA7405000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://apis.google.com
Source: firefox.exe, 0000002A.00000003.2755939146.0000025D9492F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002A.00000003.2670258020.0000025D9492F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002A.00000003.2781409848.0000025D9492F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002A.00000003.2824718699.0000025D9492F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002A.00000003.2701524214.0000025D9492F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002A.00000003.2808635227.0000025D9492F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=1694699#c21
Source: jk98mGM6JH.exe, 00000000.00000003.2182856234.0000000006048000.00000004.00000020.00020000.00000000.sdmp, jk98mGM6JH.exe, 00000000.00000003.2189976218.0000000006075000.00000004.00000020.00020000.00000000.sdmp, jk98mGM6JH.exe, 00000000.00000003.2185089579.0000000006061000.00000004.00000020.00020000.00000000.sdmp, jk98mGM6JH.exe, 00000000.00000003.2185729135.0000000006063000.00000004.00000020.00020000.00000000.sdmp, jk98mGM6JH.exe, 00000000.00000003.2185578857.0000000006063000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2551384293.0000000005C1C000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2576867180.0000000005C46000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2553718200.0000000005D27000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: jk98mGM6JH.exe, 00000000.00000003.2182856234.0000000006048000.00000004.00000020.00020000.00000000.sdmp, jk98mGM6JH.exe, 00000000.00000003.2189976218.0000000006075000.00000004.00000020.00020000.00000000.sdmp, jk98mGM6JH.exe, 00000000.00000003.2185089579.0000000006061000.00000004.00000020.00020000.00000000.sdmp, jk98mGM6JH.exe, 00000000.00000003.2185729135.0000000006063000.00000004.00000020.00020000.00000000.sdmp, jk98mGM6JH.exe, 00000000.00000003.2185578857.0000000006063000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2551384293.0000000005C1C000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2576867180.0000000005C46000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2553718200.0000000005D27000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: jk98mGM6JH.exe, 00000000.00000003.2182856234.0000000006048000.00000004.00000020.00020000.00000000.sdmp, jk98mGM6JH.exe, 00000000.00000003.2189976218.0000000006075000.00000004.00000020.00020000.00000000.sdmp, jk98mGM6JH.exe, 00000000.00000003.2185089579.0000000006061000.00000004.00000020.00020000.00000000.sdmp, jk98mGM6JH.exe, 00000000.00000003.2185729135.0000000006063000.00000004.00000020.00020000.00000000.sdmp, jk98mGM6JH.exe, 00000000.00000003.2185578857.0000000006063000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2551384293.0000000005C1C000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2576867180.0000000005C46000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2553718200.0000000005D27000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: firefox.exe, 0000002A.00000003.2575885925.0000025D9CBED000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://completion.amazon.com/search/complete?q=
Source: firefox.exe, 0000002A.00000003.2868987909.0000025D9D438000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002A.00000003.2575167409.0000025D9D438000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://content-signature-2.cdn.mozilla.net
Source: firefox.exe, 0000002A.00000003.2854870315.0000025DA2F7A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://content-signature-2.cdn.mozilla.net/chains/remote-settings.content-signature.mozilla.org-202
Source: firefox.exe, 0000002A.00000003.2878280004.0000025DA2EB8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contile.services.mozilla.com/v1/tiles
Source: firefox.exe, 0000002A.00000003.3004996804.0000025DA7362000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://csp.withgoogle.com/csp/report-to/gse_qebhlk
Source: firefox.exe, 0000002A.00000003.2668225406.0000025D95BC9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002A.00000003.2951582876.0000025D95B83000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://developer.mozilla.org/en-US/docs/Mozilla/Tech/XPCOM/Reference/Interface/nsIEffectiveTLDServi
Source: firefox.exe, 0000002A.00000003.2570259682.0000025D9D760000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002A.00000003.2480764925.0000025D98A07000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002A.00000003.2961467272.0000025DA1156000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002A.00000003.2482353490.0000025D98A4A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/
Source: firefox.exe, 0000002A.00000003.2677411475.0000025D99913000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/Z
Source: jk98mGM6JH.exe, 00000000.00000003.2182856234.0000000006048000.00000004.00000020.00020000.00000000.sdmp, jk98mGM6JH.exe, 00000000.00000003.2189976218.0000000006075000.00000004.00000020.00020000.00000000.sdmp, jk98mGM6JH.exe, 00000000.00000003.2185089579.0000000006061000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2551384293.0000000005C1C000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2576867180.0000000005C46000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2553718200.0000000005D27000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: jk98mGM6JH.exe, 00000000.00000003.2182856234.0000000006048000.00000004.00000020.00020000.00000000.sdmp, jk98mGM6JH.exe, 00000000.00000003.2189976218.0000000006075000.00000004.00000020.00020000.00000000.sdmp, jk98mGM6JH.exe, 00000000.00000003.2185089579.0000000006061000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2551384293.0000000005C1C000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2576867180.0000000005C46000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2553718200.0000000005D27000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: jk98mGM6JH.exe, 00000000.00000003.2182856234.0000000006048000.00000004.00000020.00020000.00000000.sdmp, jk98mGM6JH.exe, 00000000.00000003.2189976218.0000000006075000.00000004.00000020.00020000.00000000.sdmp, jk98mGM6JH.exe, 00000000.00000003.2185089579.0000000006061000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2551384293.0000000005C1C000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2576867180.0000000005C46000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2553718200.0000000005D27000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: firefox.exe, 0000002A.00000003.2554771171.0000025DA30E5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/y
Source: firefox.exe, 0000002A.00000003.2564308495.0000025DA2D57000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002A.00000003.2864530719.0000025DA0F18000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002A.00000003.2856459014.0000025DA2D57000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002A.00000003.2878599347.0000025DA2D57000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://firefox-api-proxy.cdn.mozilla.net/
Source: firefox.exe, 0000002A.00000003.2815986209.0000025D99B9E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002A.00000003.2814873762.0000025D99B48000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002A.00000003.2557310441.0000025DA70E0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://firefox-settings-attachments.cdn.mozilla.net/main-workspace/ms-images/673d2808-e5d8-41b9-957
Source: firefox.exe, 0000002A.00000003.2815986209.0000025D99B9E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002A.00000003.2814873762.0000025D99B48000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002A.00000003.2557310441.0000025DA70E0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://firefox-settings-attachments.cdn.mozilla.net/main-workspace/ms-images/706c7a85-cf23-442e-8a9
Source: firefox.exe, 0000002A.00000003.2856989279.0000025DA12EC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002A.00000003.2856459014.0000025DA2D4F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002A.00000003.2878599347.0000025DA2D50000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://firefox.settings.services.mozilla.com
Source: firefox.exe, 0000002A.00000003.2888666753.0000025D9CBED000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://firefox.settings.services.mozilla.com/v1/buckets/main/collections/ms-language-packs/records/
Source: firefox.exe, 0000002A.00000003.3004996804.0000025DA7362000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://firefox.settings.services.mozilla.com/v1/buckets/monitor/collections/changes/changeset?_expe
Source: firefox.exe, 0000002A.00000003.2564308495.0000025DA2D57000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002A.00000003.2864530719.0000025DA0F18000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002A.00000003.2856459014.0000025DA2D57000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002A.00000003.2878599347.0000025DA2D57000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://getpocket.cdn.mozilla.net/
Source: firefox.exe, 0000002A.00000003.2574299512.0000025DA1249000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002A.00000003.3013298836.0000025DA3316000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002A.00000003.2864530719.0000025DA0F18000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://getpocket.cdn.mozilla.net/v3/firefox/global-recs?version=3&consumer_key=$apiKey&locale_lang=
Source: firefox.exe, 0000002A.00000003.3013298836.0000025DA3316000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002A.00000003.2864530719.0000025DA0F18000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://getpocket.cdn.mozilla.net/v3/firefox/trending-topics?version=2&consumer_key=$apiKey&locale_l
Source: firefox.exe, 0000002A.00000003.2864530719.0000025DA0F18000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://getpocket.cdn.mozilla.net/v3/newtab/layout?version=1&consumer_key=$apiKey&layout_variant=bas
Source: firefox.exe, 0000002A.00000003.2574299512.0000025DA1249000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://getpocket.com/explore/career?utm_source=pocket-newtabL
Source: firefox.exe, 0000002A.00000003.2574299512.0000025DA1249000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://getpocket.com/explore/entertainment?utm_source=pocket-newtabC
Source: firefox.exe, 0000002A.00000003.2574299512.0000025DA1249000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://getpocket.com/explore/food?utm_source=pocket-newtabA
Source: firefox.exe, 0000002A.00000003.2574299512.0000025DA1249000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://getpocket.com/explore/health?utm_source=pocket-newtabE
Source: firefox.exe, 0000002A.00000003.2574299512.0000025DA1249000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://getpocket.com/explore/science?utm_source=pocket-newtabG
Source: firefox.exe, 0000002A.00000003.2574299512.0000025DA1249000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://getpocket.com/explore/self-improvement?utm_source=pocket-newtab?
Source: firefox.exe, 0000002A.00000003.2574299512.0000025DA1249000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://getpocket.com/explore/technology?utm_source=pocket-newtabN
Source: firefox.exe, 0000002A.00000003.3013298836.0000025DA3316000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://getpocket.com/explore/trending?src=fx_new_tab
Source: firefox.exe, 0000002A.00000003.2864530719.0000025DA0F18000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://getpocket.com/explore/trending?src=fx_new_tabL
Source: firefox.exe, 0000002A.00000003.2574299512.0000025DA1249000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://getpocket.com/explore?utm_source=pocket-newtabI
Source: firefox.exe, 0000002A.00000003.2574299512.0000025DA1249000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://getpocket.com/firefox/new_tab_learn_more/
Source: firefox.exe, 0000002A.00000003.3013298836.0000025DA3316000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://getpocket.com/recommendations
Source: firefox.exe, 0000002A.00000003.2864530719.0000025DA0F18000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://getpocket.com/recommendationsS
Source: firefox.exe, 0000002A.00000003.2864530719.0000025DA0F18000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://getpocket.com/recommendationsS7
Source: firefox.exe, 0000002A.00000003.2864530719.0000025DA0F18000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://getpocket.com/v3/newtab/layout?version=1&consumer_key=$apiKey&layout_variant=basic
Source: firefox.exe, 0000002A.00000003.2620749654.0000025DA117D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002A.00000003.2591997474.0000025DA116F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/lit/lit/blob/main/packages/reactive-element/src/decorators/query-all.ts
Source: firefox.exe, 0000002A.00000003.2620749654.0000025DA117D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002A.00000003.2591997474.0000025DA116F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/lit/lit/blob/main/packages/reactive-element/src/decorators/query.ts
Source: firefox.exe, 0000002A.00000003.2480242544.0000025D98800000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002A.00000003.2480764925.0000025D98A07000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/mozilla-services/screenshots
Source: firefox.exe, 0000002A.00000003.2805681316.0000025D988DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/uuidjs/uuid#getrandomvalues-not-supported
Source: firefox.exe, 0000002A.00000003.2864530719.0000025DA0F38000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/zertosh/loose-envify)
Source: firefox.exe, 0000002A.00000003.2575167409.0000025D9D438000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google.com
Source: firefox.exe, 0000002A.00000003.2880089736.0000025DA284E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google.com/
Source: firefox.exe, 0000002A.00000003.3000180526.0000025DA747D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://i.ytimg.com/generate_204
Source: firefox.exe, 0000002A.00000003.2805681316.0000025D988B0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002A.00000003.2808309150.0000025D988B0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ib.absa.co.za/
Source: firefox.exe, 0000002A.00000003.2865926671.0000025D9DB5C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://identity.mozilla.com/apps/oldsyncS
Source: firefox.exe, 0000002A.00000003.2865926671.0000025D9DB5C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://identity.mozilla.com/cmd/H
Source: firefox.exe, 0000002A.00000003.2865926671.0000025D9DB5C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://identity.mozilla.com/cmd/HCX
Source: firefox.exe, 0000002A.00000003.2865926671.0000025D9DB5C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://identity.mozilla.com/ids/ecosystem_telemetryU
Source: firefox.exe, 0000002A.00000003.2865926671.0000025D9DB5C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://identity.mozilla.com/ids/ecosystem_telemetryUFj
Source: firefox.exe, 0000002A.00000003.2574299512.0000025DA1249000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://img-getpocket.cdn.mozilla.net/X
Source: firefox.exe, 0000002A.00000003.3011163448.0000025DA336F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://incoming.telemetry.mozilla.org
Source: firefox.exe, 0000002A.00000003.2856459014.0000025DA2D7A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002A.00000003.2564308495.0000025DA2D57000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://incoming.telemetry.mozilla.org/submit
Source: firefox.exe, 0000002A.00000003.3000180526.0000025DA7482000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://incoming.telemetry.mozilla.org/submit/firefox-desktop/events/1/9a79d70f-85b2-4e0d-986e-5df43
Source: firefox.exe, 0000002A.00000003.2864530719.0000025DA0F18000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://incoming.telemetry.mozilla.org/submits
Source: MPGPH131.exe, 0000000A.00000002.3078808474.0000000000D72000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2536830785.0000000000D72000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2512497916.0000000000D8A000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2567719088.0000000000D8A000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2567719088.0000000000D72000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2574783511.0000000000D8A000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2512497916.0000000000D72000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2561440707.0000000000D72000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2574783511.0000000000D72000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2561440707.0000000000D8A000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2536830785.0000000000D8A000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000D.00000002.2536747684.0000000000C5A000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000D.00000002.2536747684.0000000000C8F000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000D.00000002.2536747684.0000000000BEE000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000D.00000002.2536747684.0000000000C2B000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000022.00000002.2657858021.00000000006DB000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000022.00000002.2657858021.00000000006C2000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000022.00000002.2657858021.000000000066B000.00000004.00000020.00020000.00000000.sdmp, Cr6QVRpzwqhYjtnCxFSW.exe, 00000028.00000002.2650610233.000000000077E000.00000004.00000020.00020000.00000000.sdmp, Cr6QVRpzwqhYjtnCxFSW.exe, 00000028.00000002.2650610233.0000000000767000.00000004.00000020.00020000.00000000.sdmp, Cr6QVRpzwqhYjtnCxFSW.exe, 00000028.00000002.2650610233.0000000000773000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/
Source: jk98mGM6JH.exe, 00000000.00000002.2670860055.00000000010BE000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2514029667.0000000000E5B000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2571175674.0000000000E5B000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2588693585.0000000000E5B000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2591400353.0000000000E5B000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2605609465.0000000000E5B000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2582587481.0000000000E5B000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2603704872.0000000000E5B000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2586382834.0000000000E5B000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2551332362.0000000000D72000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000002.3078808474.0000000000D72000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2536830785.0000000000D72000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2567719088.0000000000D72000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2512497916.0000000000D72000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2561440707.0000000000D72000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2574783511.0000000000D72000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000D.00000002.2536747684.0000000000C5A000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000022.00000002.2657858021.00000000006C2000.00000004.00000020.00020000.00000000.sdmp, Cr6QVRpzwqhYjtnCxFSW.exe, 00000028.00000002.2650610233.0000000000773000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/Mozilla/5.0
Source: RageMP131.exe, 0000000D.00000002.2536747684.0000000000C2B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/h
Source: jk98mGM6JH.exe, 00000000.00000003.2099303367.0000000004EE0000.00000004.00001000.00020000.00000000.sdmp, jk98mGM6JH.exe, 00000000.00000002.2645200426.0000000000611000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000009.00000003.2159594281.00000000049A0000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000002.3050100739.0000000000391000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 0000000A.00000003.2161145290.0000000004BB0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000000D.00000003.2269427007.00000000050A0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000000D.00000002.2539923574.0000000001001000.00000040.00000001.01000000.00000007.sdmp, RageMP131.exe, 00000022.00000003.2508379808.00000000049D0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000022.00000002.2670001934.0000000001001000.00000040.00000001.01000000.00000007.sdmp, Cr6QVRpzwqhYjtnCxFSW.exe, 00000028.00000002.2665861162.0000000000E51000.00000040.00000001.01000000.0000000D.sdmp	String found in binary or memory: https://ipinfo.io/https://www.maxmind.com/en/locate-my-ip-addressWs2_32.dll
Source: MPGPH131.exe, 0000000A.00000002.3078808474.0000000000D10000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/o?iz
Source: RageMP131.exe, 00000022.00000002.2657858021.000000000066B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/t8h
Source: Cr6QVRpzwqhYjtnCxFSW.exe, 00000028.00000002.2650610233.000000000071E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/widget/demo/191.96.227.222
Source: RageMP131.exe, 0000000D.00000002.2536747684.0000000000C4D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/widget/demo/191.96.227.222A
Source: Cr6QVRpzwqhYjtnCxFSW.exe, 00000028.00000002.2650610233.0000000000773000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/widget/demo/191.96.227.222D
Source: RageMP131.exe, 0000000D.00000002.2536747684.0000000000C2B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/widget/demo/191.96.227.222I$
Source: jk98mGM6JH.exe, 00000000.00000002.2670860055.000000000105E000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2514029667.0000000000E5B000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2571175674.0000000000E5B000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2588693585.0000000000E5B000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2591400353.0000000000E5B000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2605609465.0000000000E5B000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2582587481.0000000000E5B000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2603704872.0000000000E5B000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2586382834.0000000000E5B000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2551332362.0000000000D72000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000002.3078808474.0000000000D72000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2536830785.0000000000D72000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2567719088.0000000000D72000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2512497916.0000000000D72000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2561440707.0000000000D72000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2574783511.0000000000D72000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000D.00000002.2536747684.0000000000C4D000.00000004.00000020.00020000.00000000.sdmp, Cr6QVRpzwqhYjtnCxFSW.exe, 00000028.00000002.2650610233.0000000000773000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io:443/widget/demo/191.96.227.222
Source: RageMP131.exe, 00000022.00000002.2657858021.00000000006C2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io:443/widget/demo/191.96.227.222lp
Source: firefox.exe, 0000002A.00000003.2871233509.0000025D9CB46000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://json-schema.org/draft/2019-09/schema
Source: firefox.exe, 0000002A.00000003.2871233509.0000025D9CB97000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://json-schema.org/draft/2019-09/schema.
Source: firefox.exe, 0000002A.00000003.2871233509.0000025D9CB97000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://json-schema.org/draft/2019-09/schema./
Source: firefox.exe, 0000002A.00000003.2871233509.0000025D9CB97000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://json-schema.org/draft/2020-12/schema/
Source: firefox.exe, 0000002A.00000003.2871233509.0000025D9CB97000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://json-schema.org/draft/2020-12/schema/=
Source: firefox.exe, 0000002A.00000003.2889197168.0000025D9CB20000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://location.services.mozilla.com/
Source: firefox.exe, 0000002A.00000003.2889982783.0000025D9B7DE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://location.services.mozilla.com/v1/country?key=7e40f68c-7938-4c5d-9f95-e61647c213eb
Source: firefox.exe, 0000002A.00000003.2844586974.0000025DA6B7C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://mitmdetection.services.mozilla.com
Source: firefox.exe, 0000002A.00000003.2868065030.0000025D9D7D3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://mitmdetection.services.mozilla.com/
Source: firefox.exe, 0000002A.00000003.2874737929.0000025D9C483000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002A.00000003.2914161348.0000025D9CAF3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://pki.goog/repository/0
Source: firefox.exe, 0000002A.00000003.2864530719.0000025DA0F38000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://redux.js.org/api-reference/store#subscribe(listener)
Source: firefox.exe, 0000002A.00000003.2855426882.0000025DA2EF0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002A.00000003.3017006577.0000025DA2EF0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://safebrowsing.google.com/safebrowsing/downloads?client=SAFEBROWSING_ID&appver=118.0&pver=2.2&
Source: firefox.exe, 0000002A.00000003.2575167409.0000025D9D449000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002A.00000003.2868987909.0000025D9D449000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://safebrowsing.google.com/safebrowsing/gethash?client=SAFEBROWSING_ID&appver=118.0&pver=2.2
Source: firefox.exe, 0000002A.00000003.2855426882.0000025DA2EF0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002A.00000003.3017006577.0000025DA2EF0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://safebrowsing.googleapis.com/v4/fullHashes:find?$ct=application/x-protobuf&key=AIzaSyC7jsptDS
Source: firefox.exe, 0000002A.00000003.2855426882.0000025DA2EF0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002A.00000003.3017006577.0000025DA2EF0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://safebrowsing.googleapis.com/v4/threatListUpdates:fetch?$ct=application/x-protobuf&key=AIzaSy
Source: firefox.exe, 0000002A.00000003.2480764925.0000025D98A07000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://screenshots.firefox.com/
Source: firefox.exe, 0000002A.00000003.2668225406.0000025D95BC9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002A.00000003.2951582876.0000025D95B83000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://searchfox.org/mozilla-central/source/toolkit/components/search/SearchUtils.jsm#145-152
Source: firefox.exe, 0000002A.00000003.2878280004.0000025DA2EB8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://services.addons.mozilla.org/api/v4/addons/addon
Source: firefox.exe, 0000002A.00000003.3017006577.0000025DA2EF0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://services.addons.mozilla.org/api/v4/addons/search/?guid=default-theme%40mozilla.org%2Caddons-
Source: firefox.exe, 0000002A.00000003.2871233509.0000025D9CB46000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://shavar.services.mozilla.com/
Source: firefox.exe, 0000002A.00000003.2575167409.0000025D9D449000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://shavar.services.mozilla.com/downloads?client=SAFEBROWSING_ID&appver=118.0&pver=2.2
Source: firefox.exe, 0000002A.00000003.2575167409.0000025D9D438000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://shavar.services.mozilla.com/downloads?client=navclient-auto-ffox&appver=118.0&pver=2.2
Source: firefox.exe, 0000002A.00000003.2575167409.0000025D9D449000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://shavar.services.mozilla.com/gethash?client=SAFEBROWSING_ID&appver=118.0&pver=2.2
Source: firefox.exe, 0000002A.00000003.2574299512.0000025DA12C2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002A.00000003.2857534525.0000025DA12D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://spocs.getpocket.com
Source: firefox.exe, 0000002A.00000003.2564308495.0000025DA2D57000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002A.00000003.2864530719.0000025DA0F18000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002A.00000003.2856459014.0000025DA2D57000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002A.00000003.2878599347.0000025DA2D57000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://spocs.getpocket.com/
Source: firefox.exe, 0000002A.00000003.2871233509.0000025D9CB46000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://spocs.getpocket.com/spocs
Source: firefox.exe, 0000002A.00000003.2574299512.0000025DA1249000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://spocs.getpocket.com/spocs#
Source: firefox.exe, 0000002A.00000003.2574299512.0000025DA1249000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://spocs.getpocket.com/spocs#l
Source: firefox.exe, 0000002A.00000003.2864530719.0000025DA0F18000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002A.00000003.2864408444.0000025DA0F53000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://spocs.getpocket.com/user
Source: firefox.exe, 0000002A.00000003.3001881155.0000025DA7405000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ssl.gstatic.com
Source: firefox.exe, 0000002A.00000003.2846608781.0000025DA5F68000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002A.00000003.2877679617.0000025DA5F6F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002A.00000003.2868987909.0000025D9D449000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002A.00000003.3008882516.0000025DA5F6F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002A.00000003.3015579017.0000025DA2F7E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002A.00000003.2854870315.0000025DA2F7A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/kb/captive-portal
Source: firefox.exe, 0000002A.00000003.2862799593.0000025DA1087000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: firefox.exe, 0000002A.00000003.2873842339.0000025D9CAFD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/kb/refresh-firefox-reset-add-ons-and-settings2
Source: firefox.exe, 0000002A.00000003.2565805210.0000025DA2AA3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.ZAnPVwXvBbYt
Source: jk98mGM6JH.exe, 00000000.00000002.2670860055.00000000010CC000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000D.00000002.2536747684.0000000000BEE000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000022.00000002.2657858021.000000000066B000.00000004.00000020.00020000.00000000.sdmp, Cr6QVRpzwqhYjtnCxFSW.exe, 00000028.00000002.2650610233.000000000071E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/RiseProSUPPORT
Source: RageMP131.exe, 0000000D.00000002.2536747684.0000000000BEE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/RiseProSUPPORT2
Source: Cr6QVRpzwqhYjtnCxFSW.exe, 00000028.00000002.2650610233.000000000071E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/RiseProSUPPORTMI
Source: RageMP131.exe, 00000022.00000002.2657858021.00000000006DB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/risepro
Source: Cr6QVRpzwqhYjtnCxFSW.exe, 00000028.00000002.2650610233.000000000077E000.00000004.00000020.00020000.00000000.sdmp, Cr6QVRpzwqhYjtnCxFSW.exe, 00000028.00000002.2650610233.00000000007C7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/risepro_bot
Source: jk98mGM6JH.exe, 00000000.00000002.2670860055.0000000001104000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000D.00000002.2536747684.0000000000C5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/risepro_bot&
Source: MPGPH131.exe, 0000000A.00000003.2551332362.0000000000D8A000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000002.3078808474.0000000000D72000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2512497916.0000000000D8A000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2567719088.0000000000D8A000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2574783511.0000000000D8A000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2561440707.0000000000D8A000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2536830785.0000000000D8A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/risepro_bot:d1
Source: Cr6QVRpzwqhYjtnCxFSW.exe, 00000028.00000002.2650610233.000000000077E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/risepro_botW
Source: RageMP131.exe, 0000000D.00000002.2536747684.0000000000C5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/risepro_botuZ
Source: RageMP131.exe, 00000022.00000002.2657858021.00000000006DB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/riseprom
Source: firefox.exe, 0000002A.00000003.2569951826.0000025D9D793000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://twitter.com/
Source: firefox.exe, 0000002A.00000003.2864530719.0000025DA0F38000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://webpack.js.org/concepts/mode/)
Source: firefox.exe, 0000002A.00000003.2871233509.0000025D9CB46000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.aliexpress.com/
Source: firefox.exe, 0000002A.00000003.2871233509.0000025D9CB46000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.amazon.ca/
Source: firefox.exe, 0000002A.00000003.2871233509.0000025D9CB46000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.amazon.co.uk/
Source: firefox.exe, 0000002A.00000003.2569951826.0000025D9D793000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.amazon.com/
Source: firefox.exe, 0000002A.00000003.2480242544.0000025D98800000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002A.00000003.2857684648.0000025DA12A2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002A.00000003.2480764925.0000025D98A07000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002A.00000003.2961467272.0000025DA1156000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002A.00000003.2482353490.0000025D98A4A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002A.00000003.2489554800.0000025D94EBD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.amazon.com/exec/obidos/external-search/
Source: firefox.exe, 0000002A.00000003.2575167409.0000025D9D449000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.amazon.com/exec/obidos/external-search/?field-keywords=&ie=UTF-8&mode=blended&tag=mozill
Source: firefox.exe, 0000002A.00000003.2871233509.0000025D9CB46000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.amazon.de/
Source: firefox.exe, 0000002A.00000003.2871233509.0000025D9CB46000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.amazon.fr/
Source: firefox.exe, 0000002A.00000003.2871233509.0000025D9CB46000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.avito.ru/
Source: firefox.exe, 0000002A.00000003.2871233509.0000025D9CB3A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.baidu.com/
Source: firefox.exe, 0000002A.00000003.2871233509.0000025D9CB46000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.bbc.co.uk/
Source: firefox.exe, 0000002A.00000003.2871233509.0000025D9CB3A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ctrip.com/
Source: firefox.exe, 0000002A.00000003.2871233509.0000025D9CB3A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ebay.co.uk/
Source: firefox.exe, 0000002A.00000003.2871233509.0000025D9CB46000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ebay.de/
Source: jk98mGM6JH.exe, 00000000.00000003.2182856234.0000000006048000.00000004.00000020.00020000.00000000.sdmp, jk98mGM6JH.exe, 00000000.00000003.2189976218.0000000006075000.00000004.00000020.00020000.00000000.sdmp, jk98mGM6JH.exe, 00000000.00000003.2185089579.0000000006061000.00000004.00000020.00020000.00000000.sdmp, jk98mGM6JH.exe, 00000000.00000003.2185729135.0000000006063000.00000004.00000020.00020000.00000000.sdmp, jk98mGM6JH.exe, 00000000.00000003.2185578857.0000000006063000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2551384293.0000000005C1C000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2576867180.0000000005C46000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2553718200.0000000005D27000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: firefox.exe, 0000002A.00000003.3001881155.0000025DA7405000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google-analytics.com;report-uri
Source: firefox.exe, 0000002A.00000003.3001881155.0000025DA7405000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: firefox.exe, 0000002A.00000003.2871233509.0000025D9CB3A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/
Source: firefox.exe, 0000002A.00000003.2533774985.0000025DA11BD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002A.00000003.2540341700.0000025DA11DA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/complete/search
Source: firefox.exe, 0000002A.00000003.2480242544.0000025D98800000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002A.00000003.2480764925.0000025D98A07000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002A.00000003.2482353490.0000025D98A4A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/complete/search?client=firefox&q=
Source: jk98mGM6JH.exe, 00000000.00000003.2182856234.0000000006048000.00000004.00000020.00020000.00000000.sdmp, jk98mGM6JH.exe, 00000000.00000003.2189976218.0000000006075000.00000004.00000020.00020000.00000000.sdmp, jk98mGM6JH.exe, 00000000.00000003.2185089579.0000000006061000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2551384293.0000000005C1C000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2576867180.0000000005C46000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2553718200.0000000005D27000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: firefox.exe, 0000002A.00000003.2569951826.0000025D9D793000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002A.00000003.2961467272.0000025DA1156000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002A.00000003.2482353490.0000025D98A4A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002A.00000003.2489554800.0000025D94EBD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/search
Source: firefox.exe, 0000002A.00000003.2789976360.0000025D98B7E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/search?client=firefox-b-d&q=
Source: firefox.exe, 0000002A.00000003.3001881155.0000025DA7405000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.googletagmanager.com
Source: firefox.exe, 0000002A.00000003.3001881155.0000025DA7405000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com
Source: firefox.exe, 0000002A.00000003.2871233509.0000025D9CB46000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ifeng.com/
Source: firefox.exe, 0000002A.00000003.2871233509.0000025D9CB46000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.iqiyi.com/
Source: firefox.exe, 0000002A.00000003.2871233509.0000025D9CB46000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.leboncoin.fr/
Source: PLO4plFr34jobsiEh08j.exe, 0000000F.00000002.3535890992.0000000000DA3000.00000004.00000020.00020000.00000000.sdmp, PLO4plFr34jobsiEh08j.exe, 0000000F.00000002.3535890992.0000000000D78000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.linkedin.com/login
Source: PLO4plFr34jobsiEh08j.exe, 0000000F.00000002.3535890992.0000000000DA3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.linkedin.com/login_s
Source: firefox.exe, 0000002A.00000003.2883620557.0000025D9D453000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002A.00000003.2870621451.0000025D9D42F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org
Source: firefox.exe, 0000002A.00000003.2868987909.0000025D9D438000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002A.00000003.2575167409.0000025D9D447000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/
Source: firefox.exe, 0000002A.00000003.2862799593.0000025DA1087000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.bwSC1pmG_zle
Source: firefox.exe, 0000002A.00000003.2815986209.0000025D99B9E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002A.00000003.2814873762.0000025D99B48000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002A.00000003.2557310441.0000025DA70E0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/legal/terms/mozilla/
Source: firefox.exe, 0000002A.00000003.2862799593.0000025DA1087000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.hjKdHaZH-dbQ
Source: firefox.exe, 0000002A.00000003.2565805210.0000025DA2AA3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: firefox.exe, 0000002A.00000003.2574299512.0000025DA1249000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/#suggest-relevant-contentP
Source: firefox.exe, 0000002A.00000003.2574299512.0000025DA1249000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/V
Source: firefox.exe, 0000002A.00000003.2874498443.0000025D9C4A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com
Source: firefox.exe, 0000002A.00000003.2871233509.0000025D9CB46000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.olx.pl/
Source: firefox.exe, 0000002A.00000003.2575885925.0000025D9CBED000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.reddit.com/
Source: firefox.exe, 0000002A.00000003.2838482055.0000025DA704D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.sling.com/
Source: firefox.exe, 0000002A.00000003.2871233509.0000025D9CB46000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.wykop.pl/
Source: firefox.exe, 00000029.00000002.2400183079.000001CFAD7C0000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000002A.00000003.2559294871.0000025D9D690000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002A.00000003.2578860426.0000025D9D690000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002A.00000003.2625854245.0000025D9D690000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002A.00000003.2671231461.0000025D9D682000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002A.00000003.2676333857.0000025D9D69E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002A.00000003.2662734500.0000025D9D682000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com
Source: firefox.exe, 00000029.00000002.2400183079.000001CFAD7C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com--attempting-deelevation
Source: firefox.exe, 0000002A.00000003.2569951826.0000025D9D793000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002A.00000003.2806719806.0000025D995D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/
Source: PLO4plFr34jobsiEh08j.exe, 0000000F.00000002.3535890992.0000000000DA3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/Q
Source: MPGPH131.exe, 0000000A.00000002.3106488836.0000000006342000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/d
Source: MPGPH131.exe, 0000000A.00000002.3106488836.0000000006342000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/ei
Source: MPGPH131.exe, 0000000A.00000002.3078808474.0000000000D72000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/l8uJgji
Source: firefox.exe, 0000002A.00000003.3000180526.0000025DA747D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/s/desktop/bdb59273/jsbin/custom-elements-es5-adapter.vflset/c
Source: firefox.exe, 0000002A.00000003.3000180526.0000025DA747D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/s/desktop/bdb59273/jsbin/desktop_polymer.vflset/desktop_polymer.js
Source: firefox.exe, 0000002A.00000003.3000180526.0000025DA747D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/s/desktop/bdb59273/jsbin/web-animations-next-lite.min.vflset/web-animations-
Source: PLO4plFr34jobsiEh08j.exe, 0000000F.00000002.3535890992.0000000000DA3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/y
Source: firefox.exe, 00000021.00000002.2386659460.000001716F390000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.comC:
Source: firefox.exe, 00000021.00000002.2386659460.000001716F390000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.comoL
Source: MPGPH131.exe, 00000009.00000003.2566880571.0000000005C05000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2516733304.0000000005D10000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://youtube.com/https://www.youtube.com/youtube.com
Source: MPGPH131.exe, 0000000A.00000003.2516733304.0000000005D10000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://youtube.com/https://www.youtube.com/youtube.comQ

System Summary

Binary is likely a compiled AutoIt script file

Source: jk98mGM6JH.exe, 00000000.00000003.2522548719.0000000006A2F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_b656faa8-2
Source: jk98mGM6JH.exe, 00000000.00000003.2522548719.0000000006A2F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_4c03634b-e
Source: MPGPH131.exe, 0000000A.00000003.2805785713.00000000084B6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_fe3ed8d3-7
Source: MPGPH131.exe, 0000000A.00000003.2805785713.00000000084B6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_093bed90-7
Source: PLO4plFr34jobsiEh08j.exe, 0000000F.00000002.3533826611.0000000000CC2000.00000002.00000001.01000000.00000008.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_a491f479-0
Source: PLO4plFr34jobsiEh08j.exe, 0000000F.00000002.3533826611.0000000000CC2000.00000002.00000001.01000000.00000008.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_b1f71927-3

PE file contains section with special chars

Source: jk98mGM6JH.exe	Static PE information: section name:
Source: jk98mGM6JH.exe	Static PE information: section name: .idata
Source: jk98mGM6JH.exe	Static PE information: section name:
Source: RageMP131.exe.0.dr	Static PE information: section name:
Source: RageMP131.exe.0.dr	Static PE information: section name: .idata
Source: RageMP131.exe.0.dr	Static PE information: section name:
Source: MPGPH131.exe.0.dr	Static PE information: section name:
Source: MPGPH131.exe.0.dr	Static PE information: section name: .idata
Source: MPGPH131.exe.0.dr	Static PE information: section name:
Source: ladas[1].exe.0.dr	Static PE information: section name:
Source: ladas[1].exe.0.dr	Static PE information: section name: .idata
Source: ladas[1].exe.0.dr	Static PE information: section name:
Source: b2H5rX9tWHjbJEBjMEvH.exe.0.dr	Static PE information: section name:
Source: b2H5rX9tWHjbJEBjMEvH.exe.0.dr	Static PE information: section name: .idata
Source: b2H5rX9tWHjbJEBjMEvH.exe.0.dr	Static PE information: section name:
Source: niks[1].exe.0.dr	Static PE information: section name:
Source: niks[1].exe.0.dr	Static PE information: section name: .idata
Source: niks[1].exe.0.dr	Static PE information: section name:
Source: zqdrYwv5fC6zkQ9Tresm.exe.0.dr	Static PE information: section name:
Source: zqdrYwv5fC6zkQ9Tresm.exe.0.dr	Static PE information: section name: .idata
Source: zqdrYwv5fC6zkQ9Tresm.exe.0.dr	Static PE information: section name:

PE file has nameless sections

Source: plaza[1].exe.0.dr	Static PE information: section name:
Source: plaza[1].exe.0.dr	Static PE information: section name:
Source: plaza[1].exe.0.dr	Static PE information: section name:
Source: plaza[1].exe.0.dr	Static PE information: section name:
Source: plaza[1].exe.0.dr	Static PE information: section name:
Source: plaza[1].exe.0.dr	Static PE information: section name:
Source: Cr6QVRpzwqhYjtnCxFSW.exe.0.dr	Static PE information: section name:
Source: Cr6QVRpzwqhYjtnCxFSW.exe.0.dr	Static PE information: section name:
Source: Cr6QVRpzwqhYjtnCxFSW.exe.0.dr	Static PE information: section name:
Source: Cr6QVRpzwqhYjtnCxFSW.exe.0.dr	Static PE information: section name:
Source: Cr6QVRpzwqhYjtnCxFSW.exe.0.dr	Static PE information: section name:
Source: Cr6QVRpzwqhYjtnCxFSW.exe.0.dr	Static PE information: section name:

Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 10_2_0039A400 RtlAllocateHeap,NtQuerySystemInformation,HeapFree,RtlFreeHeap,RtlAllocateHeap,NtQuerySystemInformation,HeapFree,		10_2_0039A400
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 10_2_0039A720 NtDuplicateObject,CreateThread,RtlUnicodeStringToAnsiString,TerminateThread,		10_2_0039A720

Source: C:\Users\user\Desktop\jk98mGM6JH.exe

File created: C:\Windows\SysWOW64\GroupPolicy\gpt.ini

Jump to behavior

Source: C:\Users\user\Desktop\jk98mGM6JH.exe	Code function: 0_2_00663850	0_2_00663850
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	Code function: 0_2_00640830	0_2_00640830
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	Code function: 0_2_0061F000	0_2_0061F000
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	Code function: 0_2_006EA800	0_2_006EA800
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	Code function: 0_2_0066D0C0	0_2_0066D0C0
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	Code function: 0_2_00644880	0_2_00644880
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	Code function: 0_2_006521E0	0_2_006521E0
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	Code function: 0_2_006651F0	0_2_006651F0
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	Code function: 0_2_00668220	0_2_00668220
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	Code function: 0_2_00635A30	0_2_00635A30
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	Code function: 0_2_0063BA00	0_2_0063BA00
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	Code function: 0_2_006502F0	0_2_006502F0
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	Code function: 0_2_00663290	0_2_00663290
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	Code function: 0_2_00621370	0_2_00621370
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	Code function: 0_2_0065DB00	0_2_0065DB00
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	Code function: 0_2_00648C20	0_2_00648C20
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	Code function: 0_2_006A44E0	0_2_006A44E0
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	Code function: 0_2_00620530	0_2_00620530
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	Code function: 0_2_0064D530	0_2_0064D530
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	Code function: 0_2_00646530	0_2_00646530
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	Code function: 0_2_00638510	0_2_00638510
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	Code function: 0_2_006475F0	0_2_006475F0
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	Code function: 0_2_00657DC0	0_2_00657DC0
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	Code function: 0_2_006F95DD	0_2_006F95DD
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	Code function: 0_2_0063DE10	0_2_0063DE10
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	Code function: 0_2_006346D0	0_2_006346D0
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	Code function: 0_2_0064A690	0_2_0064A690
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	Code function: 0_2_00640F50	0_2_00640F50
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	Code function: 0_2_00630720	0_2_00630720
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	Code function: 0_2_0063A700	0_2_0063A700
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	Code function: 0_2_00651FA0	0_2_00651FA0
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	Code function: 0_2_00659040	0_2_00659040
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	Code function: 0_2_00612050	0_2_00612050
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	Code function: 0_2_00691940	0_2_00691940
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	Code function: 0_2_0062A100	0_2_0062A100
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	Code function: 0_2_006F991F	0_2_006F991F
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	Code function: 0_2_0070D1E1	0_2_0070D1E1
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	Code function: 0_2_006AD1A0	0_2_006AD1A0
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	Code function: 0_2_00640260	0_2_00640260
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	Code function: 0_2_006A2250	0_2_006A2250
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	Code function: 0_2_006122C0	0_2_006122C0
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	Code function: 0_2_0061AB50	0_2_0061AB50
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	Code function: 0_2_0069BBB0	0_2_0069BBB0
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	Code function: 0_2_00694C20	0_2_00694C20
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	Code function: 0_2_0069D420	0_2_0069D420
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	Code function: 0_2_0068F410	0_2_0068F410
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	Code function: 0_2_0066A480	0_2_0066A480
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	Code function: 0_2_0069DD60	0_2_0069DD60
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	Code function: 0_2_00690EC0	0_2_00690EC0
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	Code function: 0_2_006F3ED8	0_2_006F3ED8
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	Code function: 0_2_006F0750	0_2_006F0750
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	Code function: 0_2_0061A720	0_2_0061A720
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	Code function: 0_2_00680790	0_2_00680790
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 10_2_003C0830	10_2_003C0830
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 10_2_0046A800	10_2_0046A800
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 10_2_003C4880	10_2_003C4880
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 10_2_003B5A30	10_2_003B5A30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 10_2_003BBA00	10_2_003BBA00
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 10_2_003E3290	10_2_003E3290
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 10_2_003D02F0	10_2_003D02F0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 10_2_003DDB00	10_2_003DDB00
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 10_2_0039AB50	10_2_0039AB50
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 10_2_003C8C20	10_2_003C8C20
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 10_2_004244E0	10_2_004244E0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 10_2_003C6530	10_2_003C6530
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 10_2_003B8510	10_2_003B8510
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 10_2_003C75F0	10_2_003C75F0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 10_2_003BDE10	10_2_003BDE10
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 10_2_003CA690	10_2_003CA690
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 10_2_003B46D0	10_2_003B46D0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 10_2_0039A720	10_2_0039A720
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 10_2_003B0720	10_2_003B0720
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 10_2_003BA700	10_2_003BA700
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 10_2_003C0F50	10_2_003C0F50
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 10_2_00392050	10_2_00392050
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 10_2_004020B0	10_2_004020B0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 10_2_00411940	10_2_00411940
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 10_2_003AA100	10_2_003AA100
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 10_2_0047991F	10_2_0047991F
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 10_2_0042D1A0	10_2_0042D1A0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 10_2_00422250	10_2_00422250
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 10_2_003C0260	10_2_003C0260
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 10_2_003922C0	10_2_003922C0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 10_2_0041BBB0	10_2_0041BBB0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 10_2_0040F410	10_2_0040F410
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 10_2_00414C20	10_2_00414C20
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 10_2_0041D420	10_2_0041D420
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 10_2_0041DD60	10_2_0041DD60
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 10_2_00410EC0	10_2_00410EC0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 10_2_00473ED8	10_2_00473ED8
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 10_2_004006F0	10_2_004006F0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 10_2_00470750	10_2_00470750

Source: C:\Users\user\Desktop\jk98mGM6JH.exe	Code function: String function: 00679BB0 appears 37 times
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: String function: 003F9BB0 appears 32 times

Source: ladas[1].exe.0.dr	Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: b2H5rX9tWHjbJEBjMEvH.exe.0.dr	Static PE information: Resource name: RT_VERSION type: COM executable for DOS

Source: jk98mGM6JH.exe, 00000000.00000002.2722116251.0000000004EF0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameAy3Info.exe0 vs jk98mGM6JH.exe
Source: jk98mGM6JH.exe, 00000000.00000003.2133045182.00000000053D3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameAy3Info.exe0 vs jk98mGM6JH.exe
Source: jk98mGM6JH.exe, 00000000.00000002.2655786692.0000000000747000.00000004.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameAy3Info.exe0 vs jk98mGM6JH.exe

Source: C:\Users\user\Desktop\jk98mGM6JH.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	Section loaded: gpedit.dll	Jump to behavior
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	Section loaded: activeds.dll	Jump to behavior
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	Section loaded: dssec.dll	Jump to behavior
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	Section loaded: dsuiext.dll	Jump to behavior
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	Section loaded: adsldpc.dll	Jump to behavior
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	Section loaded: dsrole.dll	Jump to behavior
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	Section loaded: authz.dll	Jump to behavior
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	Section loaded: ntdsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: gpedit.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: activeds.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: dssec.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: dsuiext.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: authz.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: adsldpc.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: dsrole.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: ntdsapi.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: gpedit.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: activeds.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: dssec.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: dsuiext.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: adsldpc.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: authz.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: dsrole.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: ntdsapi.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: gpedit.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: activeds.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: dssec.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: dsuiext.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: framedynos.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: adsldpc.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: authz.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: dsrole.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: logoncli.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: ntdsapi.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: devobj.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: webio.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\heidiVWl4S6kyYSYh\PLO4plFr34jobsiEh08j.exe	Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\Temp\heidiVWl4S6kyYSYh\PLO4plFr34jobsiEh08j.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\heidiVWl4S6kyYSYh\PLO4plFr34jobsiEh08j.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\heidiVWl4S6kyYSYh\PLO4plFr34jobsiEh08j.exe	Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\heidiVWl4S6kyYSYh\PLO4plFr34jobsiEh08j.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\heidiVWl4S6kyYSYh\PLO4plFr34jobsiEh08j.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\heidiVWl4S6kyYSYh\PLO4plFr34jobsiEh08j.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\heidiVWl4S6kyYSYh\PLO4plFr34jobsiEh08j.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\heidiVWl4S6kyYSYh\PLO4plFr34jobsiEh08j.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\heidiVWl4S6kyYSYh\PLO4plFr34jobsiEh08j.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\heidiVWl4S6kyYSYh\PLO4plFr34jobsiEh08j.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\heidiVWl4S6kyYSYh\PLO4plFr34jobsiEh08j.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\heidiVWl4S6kyYSYh\PLO4plFr34jobsiEh08j.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\heidiVWl4S6kyYSYh\PLO4plFr34jobsiEh08j.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\heidiVWl4S6kyYSYh\PLO4plFr34jobsiEh08j.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\heidiVWl4S6kyYSYh\PLO4plFr34jobsiEh08j.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\heidiVWl4S6kyYSYh\PLO4plFr34jobsiEh08j.exe	Section loaded: windows.shell.servicehostbuilder.dll
Source: C:\Users\user\AppData\Local\Temp\heidiVWl4S6kyYSYh\PLO4plFr34jobsiEh08j.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\heidiVWl4S6kyYSYh\PLO4plFr34jobsiEh08j.exe	Section loaded: ieframe.dll
Source: C:\Users\user\AppData\Local\Temp\heidiVWl4S6kyYSYh\PLO4plFr34jobsiEh08j.exe	Section loaded: netapi32.dll
Source: C:\Users\user\AppData\Local\Temp\heidiVWl4S6kyYSYh\PLO4plFr34jobsiEh08j.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\heidiVWl4S6kyYSYh\PLO4plFr34jobsiEh08j.exe	Section loaded: wkscli.dll
Source: C:\Users\user\AppData\Local\Temp\heidiVWl4S6kyYSYh\PLO4plFr34jobsiEh08j.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\heidiVWl4S6kyYSYh\PLO4plFr34jobsiEh08j.exe	Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\heidiVWl4S6kyYSYh\PLO4plFr34jobsiEh08j.exe	Section loaded: secur32.dll
Source: C:\Users\user\AppData\Local\Temp\heidiVWl4S6kyYSYh\PLO4plFr34jobsiEh08j.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\heidiVWl4S6kyYSYh\PLO4plFr34jobsiEh08j.exe	Section loaded: mlang.dll
Source: C:\Users\user\AppData\Local\Temp\heidiVWl4S6kyYSYh\PLO4plFr34jobsiEh08j.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\heidiVWl4S6kyYSYh\PLO4plFr34jobsiEh08j.exe	Section loaded: policymanager.dll
Source: C:\Users\user\AppData\Local\Temp\heidiVWl4S6kyYSYh\PLO4plFr34jobsiEh08j.exe	Section loaded: msvcp110_win.dll
Source: C:\Users\user\AppData\Local\Temp\heidiVWl4S6kyYSYh\PLO4plFr34jobsiEh08j.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\heidiVWl4S6kyYSYh\PLO4plFr34jobsiEh08j.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\heidiVWl4S6kyYSYh\PLO4plFr34jobsiEh08j.exe	Section loaded: pcacli.dll
Source: C:\Users\user\AppData\Local\Temp\heidiVWl4S6kyYSYh\PLO4plFr34jobsiEh08j.exe	Section loaded: sfc_os.dll
Source: C:\Users\user\AppData\Local\Temp\heidiVWl4S6kyYSYh\PLO4plFr34jobsiEh08j.exe	Section loaded: ieframe.dll
Source: C:\Users\user\AppData\Local\Temp\heidiVWl4S6kyYSYh\PLO4plFr34jobsiEh08j.exe	Section loaded: netapi32.dll
Source: C:\Users\user\AppData\Local\Temp\heidiVWl4S6kyYSYh\PLO4plFr34jobsiEh08j.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\heidiVWl4S6kyYSYh\PLO4plFr34jobsiEh08j.exe	Section loaded: wkscli.dll
Source: C:\Users\user\AppData\Local\Temp\heidiVWl4S6kyYSYh\PLO4plFr34jobsiEh08j.exe	Section loaded: ieframe.dll
Source: C:\Users\user\AppData\Local\Temp\heidiVWl4S6kyYSYh\PLO4plFr34jobsiEh08j.exe	Section loaded: netapi32.dll
Source: C:\Users\user\AppData\Local\Temp\heidiVWl4S6kyYSYh\PLO4plFr34jobsiEh08j.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\heidiVWl4S6kyYSYh\PLO4plFr34jobsiEh08j.exe	Section loaded: wkscli.dll
Source: C:\Users\user\AppData\Local\Temp\heidiVWl4S6kyYSYh\PLO4plFr34jobsiEh08j.exe	Section loaded: ieframe.dll
Source: C:\Users\user\AppData\Local\Temp\heidiVWl4S6kyYSYh\PLO4plFr34jobsiEh08j.exe	Section loaded: netapi32.dll
Source: C:\Users\user\AppData\Local\Temp\heidiVWl4S6kyYSYh\PLO4plFr34jobsiEh08j.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\heidiVWl4S6kyYSYh\PLO4plFr34jobsiEh08j.exe	Section loaded: wkscli.dll
Source: C:\Users\user\AppData\Local\Temp\heidiVWl4S6kyYSYh\PLO4plFr34jobsiEh08j.exe	Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\heidiVWl4S6kyYSYh\PLO4plFr34jobsiEh08j.exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\heidiVWl4S6kyYSYh\PLO4plFr34jobsiEh08j.exe	Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\heidiVWl4S6kyYSYh\PLO4plFr34jobsiEh08j.exe	Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\heidiVWl4S6kyYSYh\zqdrYwv5fC6zkQ9Tresm.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\heidiVWl4S6kyYSYh\zqdrYwv5fC6zkQ9Tresm.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\heidiVWl4S6kyYSYh\zqdrYwv5fC6zkQ9Tresm.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\heidiVWl4S6kyYSYh\zqdrYwv5fC6zkQ9Tresm.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\heidiVWl4S6kyYSYh\zqdrYwv5fC6zkQ9Tresm.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\heidiVWl4S6kyYSYh\zqdrYwv5fC6zkQ9Tresm.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\heidiVWl4S6kyYSYh\zqdrYwv5fC6zkQ9Tresm.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\heidiVWl4S6kyYSYh\zqdrYwv5fC6zkQ9Tresm.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\heidiVWl4S6kyYSYh\zqdrYwv5fC6zkQ9Tresm.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\heidiVWl4S6kyYSYh\zqdrYwv5fC6zkQ9Tresm.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\heidiVWl4S6kyYSYh\zqdrYwv5fC6zkQ9Tresm.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: gpedit.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: activeds.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: dssec.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: dsuiext.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: framedynos.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: adsldpc.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: authz.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: dsrole.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: logoncli.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: ntdsapi.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: devobj.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: webio.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\heidiVWl4S6kyYSYh\Cr6QVRpzwqhYjtnCxFSW.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\heidiVWl4S6kyYSYh\Cr6QVRpzwqhYjtnCxFSW.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\heidiVWl4S6kyYSYh\Cr6QVRpzwqhYjtnCxFSW.exe	Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Local\Temp\heidiVWl4S6kyYSYh\Cr6QVRpzwqhYjtnCxFSW.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\heidiVWl4S6kyYSYh\Cr6QVRpzwqhYjtnCxFSW.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\heidiVWl4S6kyYSYh\Cr6QVRpzwqhYjtnCxFSW.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\heidiVWl4S6kyYSYh\Cr6QVRpzwqhYjtnCxFSW.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\heidiVWl4S6kyYSYh\Cr6QVRpzwqhYjtnCxFSW.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\heidiVWl4S6kyYSYh\Cr6QVRpzwqhYjtnCxFSW.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\heidiVWl4S6kyYSYh\Cr6QVRpzwqhYjtnCxFSW.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\heidiVWl4S6kyYSYh\Cr6QVRpzwqhYjtnCxFSW.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\heidiVWl4S6kyYSYh\Cr6QVRpzwqhYjtnCxFSW.exe	Section loaded: devobj.dll
Source: C:\Users\user\AppData\Local\Temp\heidiVWl4S6kyYSYh\Cr6QVRpzwqhYjtnCxFSW.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\heidiVWl4S6kyYSYh\Cr6QVRpzwqhYjtnCxFSW.exe	Section loaded: webio.dll
Source: C:\Users\user\AppData\Local\Temp\heidiVWl4S6kyYSYh\Cr6QVRpzwqhYjtnCxFSW.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\heidiVWl4S6kyYSYh\Cr6QVRpzwqhYjtnCxFSW.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\heidiVWl4S6kyYSYh\Cr6QVRpzwqhYjtnCxFSW.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\heidiVWl4S6kyYSYh\Cr6QVRpzwqhYjtnCxFSW.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\heidiVWl4S6kyYSYh\Cr6QVRpzwqhYjtnCxFSW.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\heidiVWl4S6kyYSYh\Cr6QVRpzwqhYjtnCxFSW.exe	Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\heidiVWl4S6kyYSYh\Cr6QVRpzwqhYjtnCxFSW.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\heidiVWl4S6kyYSYh\Cr6QVRpzwqhYjtnCxFSW.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\heidiVWl4S6kyYSYh\Cr6QVRpzwqhYjtnCxFSW.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\heidiVWl4S6kyYSYh\Cr6QVRpzwqhYjtnCxFSW.exe	Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\heidiVWl4S6kyYSYh\Cr6QVRpzwqhYjtnCxFSW.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\heidiVWl4S6kyYSYh\Cr6QVRpzwqhYjtnCxFSW.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\heidiVWl4S6kyYSYh\Cr6QVRpzwqhYjtnCxFSW.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\heidiVWl4S6kyYSYh\Cr6QVRpzwqhYjtnCxFSW.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\heidiVWl4S6kyYSYh\Cr6QVRpzwqhYjtnCxFSW.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\heidiVWl4S6kyYSYh\Cr6QVRpzwqhYjtnCxFSW.exe	Section loaded: kernel.appcore.dll

Source: jk98mGM6JH.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: jk98mGM6JH.exe	Static PE information: Section: ZLIB complexity 0.9993478201486014
Source: RageMP131.exe.0.dr	Static PE information: Section: ZLIB complexity 0.9993478201486014
Source: MPGPH131.exe.0.dr	Static PE information: Section: ZLIB complexity 0.9993478201486014
Source: ladas[1].exe.0.dr	Static PE information: Section: ZLIB complexity 0.9999777275219298
Source: b2H5rX9tWHjbJEBjMEvH.exe.0.dr	Static PE information: Section: ZLIB complexity 0.9999777275219298
Source: niks[1].exe.0.dr	Static PE information: Section: cxfojuyk ZLIB complexity 0.9946840882266155
Source: zqdrYwv5fC6zkQ9Tresm.exe.0.dr	Static PE information: Section: cxfojuyk ZLIB complexity 0.9946840882266155
Source: plaza[1].exe.0.dr	Static PE information: Section: ZLIB complexity 0.999699193329718
Source: plaza[1].exe.0.dr	Static PE information: Section: ZLIB complexity 0.9967268318965518
Source: plaza[1].exe.0.dr	Static PE information: Section: ZLIB complexity 0.9948046875
Source: Cr6QVRpzwqhYjtnCxFSW.exe.0.dr	Static PE information: Section: ZLIB complexity 0.999699193329718
Source: Cr6QVRpzwqhYjtnCxFSW.exe.0.dr	Static PE information: Section: ZLIB complexity 0.9967268318965518
Source: Cr6QVRpzwqhYjtnCxFSW.exe.0.dr	Static PE information: Section: ZLIB complexity 0.9948046875

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@173/969@0/90

Source: C:\ProgramData\MPGPH131\MPGPH131.exe

Code function: 10_2_0039AB50 CreateToolhelp32Snapshot,

10_2_0039AB50

Source: C:\Users\user\Desktop\jk98mGM6JH.exe

File created: C:\Users\user\AppData\Local\RageMP131

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\heidiVWl4S6kyYSYh\zqdrYwv5fC6zkQ9Tresm.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5676:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2012:120:WilError_03

Source: C:\Users\user\Desktop\jk98mGM6JH.exe

File created: C:\Users\user\AppData\Local\Temp\rage131MP.tmp

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\heidiVWl4S6kyYSYh\Cr6QVRpzwqhYjtnCxFSW.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\heidiVWl4S6kyYSYh\Cr6QVRpzwqhYjtnCxFSW.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales

Source: C:\Users\user\Desktop\jk98mGM6JH.exe

File read: C:\Windows\SysWOW64\GroupPolicy\gpt.ini

Jump to behavior

Source: C:\Users\user\Desktop\jk98mGM6JH.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: firefox.exe, 0000002A.00000003.3004996804.0000025DA7348000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002A.00000003.2882500850.0000025D9DB9C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT * FROM events WHERE timestamp BETWEEN date(:dateFrom) AND date(:dateTo);
Source: jk98mGM6JH.exe, 00000000.00000003.2099303367.0000000004EE0000.00000004.00001000.00020000.00000000.sdmp, jk98mGM6JH.exe, 00000000.00000002.2645200426.0000000000611000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000009.00000003.2159594281.00000000049A0000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000002.3050100739.0000000000391000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 0000000A.00000003.2161145290.0000000004BB0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000000D.00000003.2269427007.00000000050A0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000000D.00000002.2539923574.0000000001001000.00000040.00000001.01000000.00000007.sdmp, RageMP131.exe, 00000022.00000003.2508379808.00000000049D0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000022.00000002.2670001934.0000000001001000.00000040.00000001.01000000.00000007.sdmp, Cr6QVRpzwqhYjtnCxFSW.exe, 00000028.00000002.2665861162.0000000000E51000.00000040.00000001.01000000.0000000D.sdmp	Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: firefox.exe, 0000002A.00000003.2882500850.0000025D9DB9C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE events (id INTEGER PRIMARY KEY, type INTEGER NOT NULL, count INTEGER NOT NULL, timestamp DATE );
Source: firefox.exe, 0000002A.00000003.2882500850.0000025D9DB9C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: INSERT INTO events (type, count, timestamp) VALUES (:type, 1, date(:date));
Source: jk98mGM6JH.exe, 00000000.00000003.2099303367.0000000004EE0000.00000004.00001000.00020000.00000000.sdmp, jk98mGM6JH.exe, 00000000.00000002.2645200426.0000000000611000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000009.00000003.2159594281.00000000049A0000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000002.3050100739.0000000000391000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 0000000A.00000003.2161145290.0000000004BB0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000000D.00000003.2269427007.00000000050A0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000000D.00000002.2539923574.0000000001001000.00000040.00000001.01000000.00000007.sdmp, RageMP131.exe, 00000022.00000003.2508379808.00000000049D0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000022.00000002.2670001934.0000000001001000.00000040.00000001.01000000.00000007.sdmp, Cr6QVRpzwqhYjtnCxFSW.exe, 00000028.00000002.2665861162.0000000000E51000.00000040.00000001.01000000.0000000D.sdmp	Binary or memory string: UPDATE %Q.%s SET sql = sqlite_rename_table(sql, %Q), tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: firefox.exe, 0000002A.00000003.2882500850.0000025D9DB9C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT timestamp FROM events ORDER BY timestamp ASC LIMIT 1;;
Source: firefox.exe, 0000002A.00000003.2882500850.0000025D9DB9C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT timestamp FROM events ORDER BY timestamp ASC LIMIT 1;;Fy6
Source: firefox.exe, 0000002A.00000003.2882500850.0000025D9DB9C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: UPDATE events SET count = count + 1 WHERE id = :id;-
Source: firefox.exe, 0000002A.00000003.2882500850.0000025D9DB9C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT sum(count) FROM events;9'
Source: jk98mGM6JH.exe, 00000000.00000003.2181536400.0000000001145000.00000004.00000020.00020000.00000000.sdmp, jk98mGM6JH.exe, 00000000.00000003.2181813757.000000000114D000.00000004.00000020.00020000.00000000.sdmp, jk98mGM6JH.exe, 00000000.00000003.2181598278.000000000114B000.00000004.00000020.00020000.00000000.sdmp, jk98mGM6JH.exe, 00000000.00000003.2192520723.0000000001143000.00000004.00000020.00020000.00000000.sdmp, jk98mGM6JH.exe, 00000000.00000003.2192630785.0000000001145000.00000004.00000020.00020000.00000000.sdmp, jk98mGM6JH.exe, 00000000.00000003.2181536400.0000000001149000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2509891919.0000000005C14000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2512884043.0000000005C24000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2514881246.0000000005C25000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2502164564.0000000000EE6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: firefox.exe, 0000002A.00000003.2882500850.0000025D9DB9C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT sum(count) FROM events;9
Source: firefox.exe, 0000002A.00000003.2882500850.0000025D9DB9C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT * FROM events WHERE type = :type AND timestamp = date(:date);

Source: jk98mGM6JH.exe	String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: MPGPH131.exe	String found in binary or memory: 3Cannot find '%s'. Please, re-install this application

Source: C:\Users\user\Desktop\jk98mGM6JH.exe

File read: C:\Users\user\Desktop\jk98mGM6JH.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\jk98mGM6JH.exe C:\Users\user\Desktop\jk98mGM6JH.exe
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\ProgramData\MPGPH131\MPGPH131.exe C:\ProgramData\MPGPH131\MPGPH131.exe
Source: unknown	Process created: C:\ProgramData\MPGPH131\MPGPH131.exe C:\ProgramData\MPGPH131\MPGPH131.exe
Source: unknown	Process created: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe "C:\Users\user\AppData\Local\RageMP131\RageMP131.exe"
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	Process created: C:\Users\user\AppData\Local\Temp\heidiVWl4S6kyYSYh\PLO4plFr34jobsiEh08j.exe "C:\Users\user\AppData\Local\Temp\heidiVWl4S6kyYSYh\PLO4plFr34jobsiEh08j.exe"
Source: C:\Users\user\AppData\Local\Temp\heidiVWl4S6kyYSYh\PLO4plFr34jobsiEh08j.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://www.youtube.com/
Source: C:\Users\user\AppData\Local\Temp\heidiVWl4S6kyYSYh\PLO4plFr34jobsiEh08j.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://www.linkedin.com/login
Source: C:\Users\user\AppData\Local\Temp\heidiVWl4S6kyYSYh\PLO4plFr34jobsiEh08j.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://www.facebook.com/video
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2264 --field-trial-handle=1972,i,16301593684436752617,2012107364916416146,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2036 --field-trial-handle=1960,i,11993553605994081514,18162534353999161792,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Users\user\AppData\Local\Temp\heidiVWl4S6kyYSYh\PLO4plFr34jobsiEh08j.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://accounts.google.com/
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2056 --field-trial-handle=1996,i,17726353602255924015,12176223097910466274,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2044 --field-trial-handle=1984,i,8973374208484498469,2501955192980366572,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	Process created: C:\Users\user\AppData\Local\Temp\heidiVWl4S6kyYSYh\zqdrYwv5fC6zkQ9Tresm.exe "C:\Users\user\AppData\Local\Temp\heidiVWl4S6kyYSYh\zqdrYwv5fC6zkQ9Tresm.exe"
Source: C:\Users\user\AppData\Local\Temp\heidiVWl4S6kyYSYh\PLO4plFr34jobsiEh08j.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" https://www.youtube.com
Source: C:\Users\user\AppData\Local\Temp\heidiVWl4S6kyYSYh\PLO4plFr34jobsiEh08j.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" https://www.facebook.com/video
Source: C:\Users\user\AppData\Local\Temp\heidiVWl4S6kyYSYh\PLO4plFr34jobsiEh08j.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" https://accounts.google.com
Source: C:\Users\user\AppData\Local\Temp\heidiVWl4S6kyYSYh\PLO4plFr34jobsiEh08j.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com
Source: C:\Users\user\AppData\Local\Temp\heidiVWl4S6kyYSYh\PLO4plFr34jobsiEh08j.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.facebook.com/video
Source: C:\Users\user\AppData\Local\Temp\heidiVWl4S6kyYSYh\PLO4plFr34jobsiEh08j.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" https://accounts.google.com
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2232 --field-trial-handle=2092,i,17673521410042216198,2537652209419044310,262144 /prefetch:3
Source: C:\Users\user\AppData\Local\Temp\heidiVWl4S6kyYSYh\PLO4plFr34jobsiEh08j.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com
Source: unknown	Process created: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe "C:\Users\user\AppData\Local\RageMP131\RageMP131.exe"
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2224 --field-trial-handle=2096,i,12923574770636312838,3728738922740556079,262144 /prefetch:3
Source: unknown	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --flag-switches-begin --flag-switches-end --disable-nacl --do-not-de-elevate https://www.youtube.com
Source: C:\Users\user\AppData\Local\Temp\heidiVWl4S6kyYSYh\PLO4plFr34jobsiEh08j.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.facebook.com/video
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2296 --field-trial-handle=2160,i,17832719417900444124,13861847247960682782,262144 /prefetch:3
Source: C:\Users\user\AppData\Local\Temp\heidiVWl4S6kyYSYh\PLO4plFr34jobsiEh08j.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	Process created: C:\Users\user\AppData\Local\Temp\heidiVWl4S6kyYSYh\Cr6QVRpzwqhYjtnCxFSW.exe "C:\Users\user\AppData\Local\Temp\heidiVWl4S6kyYSYh\Cr6QVRpzwqhYjtnCxFSW.exe"
Source: unknown	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com --attempting-deelevation
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2940 --field-trial-handle=2724,i,4482519872048150816,8688360613915830786,262144 /prefetch:3
Source: unknown	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.facebook.com/video --attempting-deelevation
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.facebook.com/video
Source: unknown	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com --attempting-deelevation
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2292 -parentBuildID 20230927232528 -prefsHandle 2212 -prefMapHandle 2188 -prefsLen 25250 -prefMapSize 238690 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {07a9cf11-a11c-4267-8dc4-740bf294e4fb} 3504 "\\.\pipe\gecko-crash-server-pipe.3504" 25d8896bf10 socket
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3484 -childID 1 -isForBrowser -prefsHandle 3428 -prefMapHandle 3432 -prefsLen 21837 -prefMapSize 238690 -jsInitHandle 1240 -jsInitLen 234236 -parentBuildID 20230927232528 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b753b1f8-541a-487d-8ec8-3be5703ede91} 3504 "\\.\pipe\gecko-crash-server-pipe.3504" 25d99d93310 tab
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST	Jump to behavior
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST	Jump to behavior
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	Process created: C:\Users\user\AppData\Local\Temp\heidiVWl4S6kyYSYh\PLO4plFr34jobsiEh08j.exe "C:\Users\user\AppData\Local\Temp\heidiVWl4S6kyYSYh\PLO4plFr34jobsiEh08j.exe"	Jump to behavior
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	Process created: C:\Users\user\AppData\Local\Temp\heidiVWl4S6kyYSYh\zqdrYwv5fC6zkQ9Tresm.exe "C:\Users\user\AppData\Local\Temp\heidiVWl4S6kyYSYh\zqdrYwv5fC6zkQ9Tresm.exe"	Jump to behavior
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	Process created: C:\Users\user\AppData\Local\Temp\heidiVWl4S6kyYSYh\Cr6QVRpzwqhYjtnCxFSW.exe "C:\Users\user\AppData\Local\Temp\heidiVWl4S6kyYSYh\Cr6QVRpzwqhYjtnCxFSW.exe"	Jump to behavior
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\heidiVWl4S6kyYSYh\PLO4plFr34jobsiEh08j.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://www.youtube.com/
Source: C:\Users\user\AppData\Local\Temp\heidiVWl4S6kyYSYh\PLO4plFr34jobsiEh08j.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://www.linkedin.com/login
Source: C:\Users\user\AppData\Local\Temp\heidiVWl4S6kyYSYh\PLO4plFr34jobsiEh08j.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://www.facebook.com/video
Source: C:\Users\user\AppData\Local\Temp\heidiVWl4S6kyYSYh\PLO4plFr34jobsiEh08j.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://accounts.google.com/
Source: C:\Users\user\AppData\Local\Temp\heidiVWl4S6kyYSYh\PLO4plFr34jobsiEh08j.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" https://www.youtube.com
Source: C:\Users\user\AppData\Local\Temp\heidiVWl4S6kyYSYh\PLO4plFr34jobsiEh08j.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" https://www.facebook.com/video
Source: C:\Users\user\AppData\Local\Temp\heidiVWl4S6kyYSYh\PLO4plFr34jobsiEh08j.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" https://accounts.google.com
Source: C:\Users\user\AppData\Local\Temp\heidiVWl4S6kyYSYh\PLO4plFr34jobsiEh08j.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com
Source: C:\Users\user\AppData\Local\Temp\heidiVWl4S6kyYSYh\PLO4plFr34jobsiEh08j.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.facebook.com/video
Source: C:\Users\user\AppData\Local\Temp\heidiVWl4S6kyYSYh\PLO4plFr34jobsiEh08j.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" https://accounts.google.com
Source: C:\Users\user\AppData\Local\Temp\heidiVWl4S6kyYSYh\PLO4plFr34jobsiEh08j.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com
Source: C:\Users\user\AppData\Local\Temp\heidiVWl4S6kyYSYh\PLO4plFr34jobsiEh08j.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.facebook.com/video
Source: C:\Users\user\AppData\Local\Temp\heidiVWl4S6kyYSYh\PLO4plFr34jobsiEh08j.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2036 --field-trial-handle=1960,i,11993553605994081514,18162534353999161792,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2264 --field-trial-handle=1972,i,16301593684436752617,2012107364916416146,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2056 --field-trial-handle=1996,i,17726353602255924015,12176223097910466274,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2044 --field-trial-handle=1984,i,8973374208484498469,2501955192980366572,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2232 --field-trial-handle=2092,i,17673521410042216198,2537652209419044310,262144 /prefetch:3
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2224 --field-trial-handle=2096,i,12923574770636312838,3728738922740556079,262144 /prefetch:3
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2296 --field-trial-handle=2160,i,17832719417900444124,13861847247960682782,262144 /prefetch:3
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2940 --field-trial-handle=2724,i,4482519872048150816,8688360613915830786,262144 /prefetch:3
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2292 -parentBuildID 20230927232528 -prefsHandle 2212 -prefMapHandle 2188 -prefsLen 25250 -prefMapSize 238690 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {07a9cf11-a11c-4267-8dc4-740bf294e4fb} 3504 "\\.\pipe\gecko-crash-server-pipe.3504" 25d8896bf10 socket
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3484 -childID 1 -isForBrowser -prefsHandle 3428 -prefMapHandle 3432 -prefsLen 21837 -prefMapSize 238690 -jsInitHandle 1240 -jsInitLen 234236 -parentBuildID 20230927232528 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b753b1f8-541a-487d-8ec8-3be5703ede91} 3504 "\\.\pipe\gecko-crash-server-pipe.3504" 25d99d93310 tab
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.facebook.com/video
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com

Source: C:\Users\user\Desktop\jk98mGM6JH.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EA502722-A23D-11D1-A7D3-0000F87571E3}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\jk98mGM6JH.exe

File written: C:\Windows\SysWOW64\GroupPolicy\gpt.ini

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\jk98mGM6JH.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: jk98mGM6JH.exe

Static file information: File size 2393600 > 1048576

Source: jk98mGM6JH.exe

Static PE information: Raw size of idnrjgyt is bigger than: 0x100000 < 0x1b3a00

Source:

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\jk98mGM6JH.exe	Unpacked PE file: 0.2.jk98mGM6JH.exe.610000.0.unpack :EW;.rsrc:W;.idata :W; :EW;idnrjgyt:EW;ssvxgfuk:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;idnrjgyt:EW;ssvxgfuk:EW;.taggant:EW;
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Unpacked PE file: 10.2.MPGPH131.exe.390000.0.unpack :EW;.rsrc:W;.idata :W; :EW;idnrjgyt:EW;ssvxgfuk:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;idnrjgyt:EW;ssvxgfuk:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Unpacked PE file: 13.2.RageMP131.exe.1000000.0.unpack :EW;.rsrc:W;.idata :W; :EW;idnrjgyt:EW;ssvxgfuk:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;idnrjgyt:EW;ssvxgfuk:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\heidiVWl4S6kyYSYh\zqdrYwv5fC6zkQ9Tresm.exe	Unpacked PE file: 25.2.zqdrYwv5fC6zkQ9Tresm.exe.180000.0.unpack :EW;.rsrc:W;.idata :W; :EW;cxfojuyk:EW;begfdfyp:EW; vs :ER;.rsrc:W;
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Unpacked PE file: 34.2.RageMP131.exe.1000000.0.unpack :EW;.rsrc:W;.idata :W; :EW;idnrjgyt:EW;ssvxgfuk:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;idnrjgyt:EW;ssvxgfuk:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\heidiVWl4S6kyYSYh\Cr6QVRpzwqhYjtnCxFSW.exe	Unpacked PE file: 40.2.Cr6QVRpzwqhYjtnCxFSW.exe.e50000.0.unpack Unknown_Section0:EW;Unknown_Section1:EW;Unknown_Section2:EW;Unknown_Section3:EW;Unknown_Section4:EW;.rsrc:R;Unknown_Section6:EW;.data:EW; vs Unknown_Section0:ER;Unknown_Section1:R;Unknown_Section2:W;Unknown_Section3:R;Unknown_Section4:R;.rsrc:R;Unknown_Section6:EW;.data:EW;

Source: initial sample

Static PE information: section where entry point is pointing to: .taggant

Source: jk98mGM6JH.exe	Static PE information: real checksum: 0x24efce should be: 0x250261
Source: plaza[1].exe.0.dr	Static PE information: real checksum: 0x0 should be: 0x2fc916
Source: RageMP131.exe.0.dr	Static PE information: real checksum: 0x24efce should be: 0x250261
Source: MPGPH131.exe.0.dr	Static PE information: real checksum: 0x24efce should be: 0x250261
Source: Cr6QVRpzwqhYjtnCxFSW.exe.0.dr	Static PE information: real checksum: 0x0 should be: 0x2fc916
Source: ladas[1].exe.0.dr	Static PE information: real checksum: 0x23dd52 should be: 0x244852
Source: b2H5rX9tWHjbJEBjMEvH.exe.0.dr	Static PE information: real checksum: 0x23dd52 should be: 0x244852

Source: jk98mGM6JH.exe	Static PE information: section name:
Source: jk98mGM6JH.exe	Static PE information: section name: .idata
Source: jk98mGM6JH.exe	Static PE information: section name:
Source: jk98mGM6JH.exe	Static PE information: section name: idnrjgyt
Source: jk98mGM6JH.exe	Static PE information: section name: ssvxgfuk
Source: jk98mGM6JH.exe	Static PE information: section name: .taggant
Source: RageMP131.exe.0.dr	Static PE information: section name:
Source: RageMP131.exe.0.dr	Static PE information: section name: .idata
Source: RageMP131.exe.0.dr	Static PE information: section name:
Source: RageMP131.exe.0.dr	Static PE information: section name: idnrjgyt
Source: RageMP131.exe.0.dr	Static PE information: section name: ssvxgfuk
Source: RageMP131.exe.0.dr	Static PE information: section name: .taggant
Source: MPGPH131.exe.0.dr	Static PE information: section name:
Source: MPGPH131.exe.0.dr	Static PE information: section name: .idata
Source: MPGPH131.exe.0.dr	Static PE information: section name:
Source: MPGPH131.exe.0.dr	Static PE information: section name: idnrjgyt
Source: MPGPH131.exe.0.dr	Static PE information: section name: ssvxgfuk
Source: MPGPH131.exe.0.dr	Static PE information: section name: .taggant
Source: ladas[1].exe.0.dr	Static PE information: section name:
Source: ladas[1].exe.0.dr	Static PE information: section name: .idata
Source: ladas[1].exe.0.dr	Static PE information: section name:
Source: ladas[1].exe.0.dr	Static PE information: section name: jyzrikla
Source: ladas[1].exe.0.dr	Static PE information: section name: swzyazqz
Source: ladas[1].exe.0.dr	Static PE information: section name: .taggant
Source: b2H5rX9tWHjbJEBjMEvH.exe.0.dr	Static PE information: section name:
Source: b2H5rX9tWHjbJEBjMEvH.exe.0.dr	Static PE information: section name: .idata
Source: b2H5rX9tWHjbJEBjMEvH.exe.0.dr	Static PE information: section name:
Source: b2H5rX9tWHjbJEBjMEvH.exe.0.dr	Static PE information: section name: jyzrikla
Source: b2H5rX9tWHjbJEBjMEvH.exe.0.dr	Static PE information: section name: swzyazqz
Source: b2H5rX9tWHjbJEBjMEvH.exe.0.dr	Static PE information: section name: .taggant
Source: niks[1].exe.0.dr	Static PE information: section name:
Source: niks[1].exe.0.dr	Static PE information: section name: .idata
Source: niks[1].exe.0.dr	Static PE information: section name:
Source: niks[1].exe.0.dr	Static PE information: section name: cxfojuyk
Source: niks[1].exe.0.dr	Static PE information: section name: begfdfyp
Source: zqdrYwv5fC6zkQ9Tresm.exe.0.dr	Static PE information: section name:
Source: zqdrYwv5fC6zkQ9Tresm.exe.0.dr	Static PE information: section name: .idata
Source: zqdrYwv5fC6zkQ9Tresm.exe.0.dr	Static PE information: section name:
Source: zqdrYwv5fC6zkQ9Tresm.exe.0.dr	Static PE information: section name: cxfojuyk
Source: zqdrYwv5fC6zkQ9Tresm.exe.0.dr	Static PE information: section name: begfdfyp
Source: plaza[1].exe.0.dr	Static PE information: section name:
Source: plaza[1].exe.0.dr	Static PE information: section name:
Source: plaza[1].exe.0.dr	Static PE information: section name:
Source: plaza[1].exe.0.dr	Static PE information: section name:
Source: plaza[1].exe.0.dr	Static PE information: section name:
Source: plaza[1].exe.0.dr	Static PE information: section name:
Source: Cr6QVRpzwqhYjtnCxFSW.exe.0.dr	Static PE information: section name:
Source: Cr6QVRpzwqhYjtnCxFSW.exe.0.dr	Static PE information: section name:
Source: Cr6QVRpzwqhYjtnCxFSW.exe.0.dr	Static PE information: section name:
Source: Cr6QVRpzwqhYjtnCxFSW.exe.0.dr	Static PE information: section name:
Source: Cr6QVRpzwqhYjtnCxFSW.exe.0.dr	Static PE information: section name:
Source: Cr6QVRpzwqhYjtnCxFSW.exe.0.dr	Static PE information: section name:
Source: gmpopenh264.dll.tmp.42.dr	Static PE information: section name: .rodata

Source: C:\Users\user\Desktop\jk98mGM6JH.exe	Code function: 0_2_006ED509 push ecx; ret		0_2_006ED51C
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 10_2_0046D509 push ecx; ret		10_2_0046D51C

Source: jk98mGM6JH.exe	Static PE information: section name: entropy: 7.988716513246667
Source: jk98mGM6JH.exe	Static PE information: section name: idnrjgyt entropy: 7.913450001679227
Source: RageMP131.exe.0.dr	Static PE information: section name: entropy: 7.988716513246667
Source: RageMP131.exe.0.dr	Static PE information: section name: idnrjgyt entropy: 7.913450001679227
Source: MPGPH131.exe.0.dr	Static PE information: section name: entropy: 7.988716513246667
Source: MPGPH131.exe.0.dr	Static PE information: section name: idnrjgyt entropy: 7.913450001679227
Source: ladas[1].exe.0.dr	Static PE information: section name: entropy: 7.9864508087237045
Source: ladas[1].exe.0.dr	Static PE information: section name: jyzrikla entropy: 7.949980893603798
Source: b2H5rX9tWHjbJEBjMEvH.exe.0.dr	Static PE information: section name: entropy: 7.9864508087237045
Source: b2H5rX9tWHjbJEBjMEvH.exe.0.dr	Static PE information: section name: jyzrikla entropy: 7.949980893603798
Source: niks[1].exe.0.dr	Static PE information: section name: entropy: 7.799137207263004
Source: niks[1].exe.0.dr	Static PE information: section name: cxfojuyk entropy: 7.953527916428882
Source: zqdrYwv5fC6zkQ9Tresm.exe.0.dr	Static PE information: section name: entropy: 7.799137207263004
Source: zqdrYwv5fC6zkQ9Tresm.exe.0.dr	Static PE information: section name: cxfojuyk entropy: 7.953527916428882
Source: plaza[1].exe.0.dr	Static PE information: section name: entropy: 7.999500018313179
Source: plaza[1].exe.0.dr	Static PE information: section name: entropy: 7.994897452545235
Source: plaza[1].exe.0.dr	Static PE information: section name: entropy: 7.317247447961688
Source: plaza[1].exe.0.dr	Static PE information: section name: entropy: 7.986028047520455
Source: Cr6QVRpzwqhYjtnCxFSW.exe.0.dr	Static PE information: section name: entropy: 7.999500018313179
Source: Cr6QVRpzwqhYjtnCxFSW.exe.0.dr	Static PE information: section name: entropy: 7.994897452545235
Source: Cr6QVRpzwqhYjtnCxFSW.exe.0.dr	Static PE information: section name: entropy: 7.317247447961688
Source: Cr6QVRpzwqhYjtnCxFSW.exe.0.dr	Static PE information: section name: entropy: 7.986028047520455

Source: C:\Program Files\Mozilla Firefox\firefox.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\niks[1].exe	Jump to dropped file
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	File created: C:\Users\user\AppData\Local\Temp\heidiVWl4S6kyYSYh\b2H5rX9tWHjbJEBjMEvH.exe	Jump to dropped file
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	File created: C:\Users\user\AppData\Local\Temp\heidiVWl4S6kyYSYh\61EWU8OcULp0D6CDdq0e.exe	Jump to dropped file
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\plaza[1].exe	Jump to dropped file
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\fu[1].exe	Jump to dropped file
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	File created: C:\ProgramData\MPGPH131\MPGPH131.exe	Jump to dropped file
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\well[1].exe	Jump to dropped file
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	File created: C:\Users\user\AppData\Local\Temp\heidiVWl4S6kyYSYh\Cr6QVRpzwqhYjtnCxFSW.exe	Jump to dropped file
Source: C:\Program Files\Mozilla Firefox\firefox.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	File created: C:\Users\user\AppData\Local\Temp\heidiVWl4S6kyYSYh\PLO4plFr34jobsiEh08j.exe	Jump to dropped file
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	File created: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Jump to dropped file
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\ladas[1].exe	Jump to dropped file
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	File created: C:\Users\user\AppData\Local\Temp\heidiVWl4S6kyYSYh\zqdrYwv5fC6zkQ9Tresm.exe	Jump to dropped file

Source: C:\Users\user\Desktop\jk98mGM6JH.exe

File created: C:\ProgramData\MPGPH131\MPGPH131.exe

Jump to dropped file

Boot Survival

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Source: C:\Users\user\Desktop\jk98mGM6JH.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	Window searched: window name: Regmonclass	Jump to behavior
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	Window searched: window name: Filemonclass	Jump to behavior
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window searched: window name: Regmonclass	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window searched: window name: Filemonclass	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window searched: window name: Regmonclass	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window searched: window name: Filemonclass	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\heidiVWl4S6kyYSYh\zqdrYwv5fC6zkQ9Tresm.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\heidiVWl4S6kyYSYh\zqdrYwv5fC6zkQ9Tresm.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\heidiVWl4S6kyYSYh\zqdrYwv5fC6zkQ9Tresm.exe	Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\heidiVWl4S6kyYSYh\zqdrYwv5fC6zkQ9Tresm.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\heidiVWl4S6kyYSYh\zqdrYwv5fC6zkQ9Tresm.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\heidiVWl4S6kyYSYh\zqdrYwv5fC6zkQ9Tresm.exe	Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\heidiVWl4S6kyYSYh\zqdrYwv5fC6zkQ9Tresm.exe	Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\heidiVWl4S6kyYSYh\zqdrYwv5fC6zkQ9Tresm.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Window searched: window name: PROCMON_WINDOW_CLASS

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\jk98mGM6JH.exe

Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST

Source: C:\Users\user\Desktop\jk98mGM6JH.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run RageMP131			Jump to behavior
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run RageMP131			Jump to behavior

Source: C:\Users\user\Desktop\jk98mGM6JH.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate	Jump to behavior
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot	Jump to behavior

Source: C:\Users\user\Desktop\jk98mGM6JH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\heidiVWl4S6kyYSYh\PLO4plFr34jobsiEh08j.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\heidiVWl4S6kyYSYh\PLO4plFr34jobsiEh08j.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\heidiVWl4S6kyYSYh\PLO4plFr34jobsiEh08j.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\heidiVWl4S6kyYSYh\zqdrYwv5fC6zkQ9Tresm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\heidiVWl4S6kyYSYh\zqdrYwv5fC6zkQ9Tresm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\heidiVWl4S6kyYSYh\zqdrYwv5fC6zkQ9Tresm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\heidiVWl4S6kyYSYh\zqdrYwv5fC6zkQ9Tresm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\heidiVWl4S6kyYSYh\zqdrYwv5fC6zkQ9Tresm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\heidiVWl4S6kyYSYh\zqdrYwv5fC6zkQ9Tresm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\heidiVWl4S6kyYSYh\zqdrYwv5fC6zkQ9Tresm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\heidiVWl4S6kyYSYh\zqdrYwv5fC6zkQ9Tresm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\heidiVWl4S6kyYSYh\zqdrYwv5fC6zkQ9Tresm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\heidiVWl4S6kyYSYh\zqdrYwv5fC6zkQ9Tresm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\heidiVWl4S6kyYSYh\zqdrYwv5fC6zkQ9Tresm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\heidiVWl4S6kyYSYh\zqdrYwv5fC6zkQ9Tresm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\heidiVWl4S6kyYSYh\zqdrYwv5fC6zkQ9Tresm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\heidiVWl4S6kyYSYh\zqdrYwv5fC6zkQ9Tresm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\heidiVWl4S6kyYSYh\zqdrYwv5fC6zkQ9Tresm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\heidiVWl4S6kyYSYh\zqdrYwv5fC6zkQ9Tresm.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Source: C:\Users\user\Desktop\jk98mGM6JH.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\heidiVWl4S6kyYSYh\zqdrYwv5fC6zkQ9Tresm.exe	File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\heidiVWl4S6kyYSYh\zqdrYwv5fC6zkQ9Tresm.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 00000000008CF16A second address: 00000000008CF177 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F41B1244246h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push esi 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 00000000008CF177 second address: 00000000008CF186 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007F41B1011B46h 0x0000000a pop esi 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 00000000008D693F second address: 00000000008D6944 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 00000000008D6944 second address: 00000000008D694A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 00000000008D694A second address: 00000000008D694E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 00000000008D694E second address: 00000000008D6960 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F41B1011B46h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jbe 00007F41B1011B52h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 00000000008D6C76 second address: 00000000008D6C7A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 00000000008D7164 second address: 00000000008D7168 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 00000000008D7168 second address: 00000000008D71A3 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F41B1244246h 0x00000008 jmp 00007F41B1244251h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 pushad 0x00000011 popad 0x00000012 jnc 00007F41B1244246h 0x00000018 pushad 0x00000019 popad 0x0000001a jmp 00007F41B1244254h 0x0000001f popad 0x00000020 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 00000000008DAC16 second address: 00000000008DAC43 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 push eax 0x00000008 jmp 00007F41B1011B50h 0x0000000d mov eax, dword ptr [esp+04h] 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007F41B1011B4Fh 0x00000018 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 00000000008DAC43 second address: 000000000075DA86 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F41B124424Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [eax] 0x0000000b ja 00007F41B124424Eh 0x00000011 mov dword ptr [esp+04h], eax 0x00000015 jmp 00007F41B124424Ch 0x0000001a pop eax 0x0000001b jmp 00007F41B124424Ch 0x00000020 push dword ptr [ebp+122D1425h] 0x00000026 mov edi, dword ptr [ebp+122D2AEDh] 0x0000002c call dword ptr [ebp+122D265Dh] 0x00000032 pushad 0x00000033 mov dword ptr [ebp+122D3439h], ebx 0x00000039 xor eax, eax 0x0000003b jmp 00007F41B1244257h 0x00000040 mov edx, dword ptr [esp+28h] 0x00000044 jnc 00007F41B1244247h 0x0000004a mov dword ptr [ebp+122D2C65h], eax 0x00000050 mov dword ptr [ebp+122D2655h], eax 0x00000056 mov esi, 0000003Ch 0x0000005b jmp 00007F41B1244252h 0x00000060 mov dword ptr [ebp+122D2655h], ebx 0x00000066 add esi, dword ptr [esp+24h] 0x0000006a or dword ptr [ebp+122D1AA6h], ecx 0x00000070 lodsw 0x00000072 mov dword ptr [ebp+122D3439h], ebx 0x00000078 sub dword ptr [ebp+122D1891h], edi 0x0000007e add eax, dword ptr [esp+24h] 0x00000082 mov dword ptr [ebp+122D1891h], eax 0x00000088 mov ebx, dword ptr [esp+24h] 0x0000008c sub dword ptr [ebp+122D1AA6h], ecx 0x00000092 push eax 0x00000093 push ecx 0x00000094 push edx 0x00000095 push eax 0x00000096 push edx 0x00000097 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 00000000008DACDF second address: 00000000008DAD07 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F41B1011B4Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a mov ecx, dword ptr [ebp+122D1B64h] 0x00000010 push 00000000h 0x00000012 mov si, cx 0x00000015 push 3B409471h 0x0000001a pushad 0x0000001b push eax 0x0000001c push edx 0x0000001d jc 00007F41B1011B46h 0x00000023 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 00000000008DAD07 second address: 00000000008DAD62 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F41B1244256h 0x0000000b popad 0x0000000c xor dword ptr [esp], 3B4094F1h 0x00000013 mov dword ptr [ebp+122D1C14h], ecx 0x00000019 push 00000003h 0x0000001b push ebx 0x0000001c mov esi, dword ptr [ebp+122D2C31h] 0x00000022 pop edi 0x00000023 push 00000000h 0x00000025 mov edx, edi 0x00000027 push 00000003h 0x00000029 jmp 00007F41B1244254h 0x0000002e sbb ch, FFFFFFF0h 0x00000031 push 9837DAC7h 0x00000036 pushad 0x00000037 push eax 0x00000038 push edx 0x00000039 push edi 0x0000003a pop edi 0x0000003b rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 00000000008DAD62 second address: 00000000008DAD66 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 00000000008DAD66 second address: 00000000008DAD80 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F41B1244252h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 00000000008DAEAC second address: 00000000008DAEDE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pushad 0x00000006 jc 00007F41B1011B46h 0x0000000c jmp 00007F41B1011B4Bh 0x00000011 popad 0x00000012 popad 0x00000013 push eax 0x00000014 push ebx 0x00000015 pushad 0x00000016 pushad 0x00000017 popad 0x00000018 jp 00007F41B1011B46h 0x0000001e popad 0x0000001f pop ebx 0x00000020 mov eax, dword ptr [esp+04h] 0x00000024 push eax 0x00000025 push edx 0x00000026 pushad 0x00000027 pushad 0x00000028 popad 0x00000029 pushad 0x0000002a popad 0x0000002b popad 0x0000002c rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 00000000008DAEDE second address: 00000000008DAEE4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 00000000008DAEE4 second address: 00000000008DAEE8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 00000000008DAFE9 second address: 00000000008DB056 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F41B1244251h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a jnp 00007F41B1244246h 0x00000010 pushad 0x00000011 popad 0x00000012 popad 0x00000013 popad 0x00000014 add dword ptr [esp], 31D5AB7Bh 0x0000001b push 00000000h 0x0000001d push edx 0x0000001e call 00007F41B1244248h 0x00000023 pop edx 0x00000024 mov dword ptr [esp+04h], edx 0x00000028 add dword ptr [esp+04h], 00000014h 0x00000030 inc edx 0x00000031 push edx 0x00000032 ret 0x00000033 pop edx 0x00000034 ret 0x00000035 sub ecx, dword ptr [ebp+122D17FBh] 0x0000003b push 00000003h 0x0000003d movsx edx, cx 0x00000040 push 00000000h 0x00000042 mov ecx, dword ptr [ebp+122D2D59h] 0x00000048 cmc 0x00000049 push 00000003h 0x0000004b or dword ptr [ebp+122D340Ch], esi 0x00000051 call 00007F41B1244249h 0x00000056 push ebx 0x00000057 push eax 0x00000058 push edx 0x00000059 push eax 0x0000005a push edx 0x0000005b rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 00000000008DB056 second address: 00000000008DB05A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 00000000008DB05A second address: 00000000008DB081 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 push eax 0x00000008 jmp 00007F41B1244252h 0x0000000d mov eax, dword ptr [esp+04h] 0x00000011 jo 00007F41B1244250h 0x00000017 pushad 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 00000000008DB081 second address: 00000000008DB0BA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 mov eax, dword ptr [eax] 0x00000009 jc 00007F41B1011B51h 0x0000000f jmp 00007F41B1011B4Bh 0x00000014 mov dword ptr [esp+04h], eax 0x00000018 push eax 0x00000019 push edx 0x0000001a jc 00007F41B1011B59h 0x00000020 jmp 00007F41B1011B53h 0x00000025 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 00000000008DB0BA second address: 00000000008DB0CD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F41B124424Fh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 00000000008FAA0A second address: 00000000008FAA0E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 00000000008FAA0E second address: 00000000008FAA14 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 00000000008FAA14 second address: 00000000008FAA1C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 00000000008FAA1C second address: 00000000008FAA20 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 00000000008D0D86 second address: 00000000008D0D8B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 00000000008D0D8B second address: 00000000008D0DBD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 jmp 00007F41B1244254h 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F41B1244253h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 00000000008D0DBD second address: 00000000008D0DC1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 00000000008F8BE6 second address: 00000000008F8C2C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F41B1244254h 0x00000009 jns 00007F41B1244246h 0x0000000f push esi 0x00000010 pop esi 0x00000011 popad 0x00000012 pushad 0x00000013 jmp 00007F41B1244257h 0x00000018 push edi 0x00000019 pop edi 0x0000001a popad 0x0000001b push eax 0x0000001c push edx 0x0000001d jl 00007F41B1244246h 0x00000023 push eax 0x00000024 push edx 0x00000025 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 00000000008F8C2C second address: 00000000008F8C30 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 00000000008F8C30 second address: 00000000008F8C34 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 00000000008F9022 second address: 00000000008F9027 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 00000000008F9027 second address: 00000000008F9037 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jbe 00007F41B1244246h 0x0000000a jc 00007F41B1244246h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 00000000008F9193 second address: 00000000008F919F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jo 00007F41B1011B46h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 00000000008F919F second address: 00000000008F91D0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F41B1244258h 0x00000008 jmp 00007F41B1244254h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 00000000008F91D0 second address: 00000000008F9212 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F41B1011B51h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d jc 00007F41B1011B4Ch 0x00000013 js 00007F41B1011B5Ah 0x00000019 jmp 00007F41B1011B54h 0x0000001e pushad 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 00000000008F936F second address: 00000000008F9373 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 00000000008F9373 second address: 00000000008F938A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F41B1011B53h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 00000000008F938A second address: 00000000008F9396 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 00000000008F9396 second address: 00000000008F939A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 00000000008F939A second address: 00000000008F93CC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F41B1244258h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F41B1244252h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 00000000008F9547 second address: 00000000008F954B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 00000000008F954B second address: 00000000008F954F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 00000000008F954F second address: 00000000008F9555 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 00000000008F96B6 second address: 00000000008F96BC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 00000000008F96BC second address: 00000000008F96C2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 00000000008F96C2 second address: 00000000008F96DB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F41B1244254h 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 00000000008F982E second address: 00000000008F9847 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 jmp 00007F41B1011B51h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 00000000008F9847 second address: 00000000008F984B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 00000000008F984B second address: 00000000008F984F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 00000000008F984F second address: 00000000008F9855 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 00000000008F999A second address: 00000000008F99A2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 00000000008FA397 second address: 00000000008FA39D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 00000000008FCCE1 second address: 00000000008FCCFA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jns 00007F41B1011B46h 0x00000009 jmp 00007F41B1011B4Eh 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 00000000009005B6 second address: 00000000009005BC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 00000000009005BC second address: 00000000009005C1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 0000000000901EE4 second address: 0000000000901F2C instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jmp 00007F41B1244253h 0x00000008 pop ebx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c jmp 00007F41B1244251h 0x00000011 mov eax, dword ptr [esp+04h] 0x00000015 push eax 0x00000016 jns 00007F41B124424Ch 0x0000001c pop eax 0x0000001d mov eax, dword ptr [eax] 0x0000001f pushad 0x00000020 push eax 0x00000021 push edx 0x00000022 jc 00007F41B1244246h 0x00000028 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 0000000000901F2C second address: 0000000000901F36 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 0000000000901F36 second address: 0000000000901F3A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 0000000000901F3A second address: 0000000000901F3E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 0000000000908D21 second address: 0000000000908D27 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 0000000000908EE4 second address: 0000000000908EEA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 0000000000908EEA second address: 0000000000908F04 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pushad 0x00000004 popad 0x00000005 jmp 00007F41B124424Ch 0x0000000a pop ecx 0x0000000b js 00007F41B124424Ch 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 00000000009092C3 second address: 00000000009092DC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F41B1011B54h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 00000000009095C6 second address: 00000000009095CA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 000000000090C1D8 second address: 000000000090C20D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F41B1011B55h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F41B1011B59h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 000000000090C4D7 second address: 000000000090C4DB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 000000000090C9DA second address: 000000000090C9E0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 000000000090CB42 second address: 000000000090CB46 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 000000000090CE3C second address: 000000000090CE40 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 000000000090CE40 second address: 000000000090CE5D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F41B1244259h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 000000000090D000 second address: 000000000090D004 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 000000000090D004 second address: 000000000090D00A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 000000000090D0B2 second address: 000000000090D0B6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 000000000090D0B6 second address: 000000000090D0C6 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pushad 0x00000004 popad 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b xchg eax, ebx 0x0000000c pushad 0x0000000d push eax 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 000000000090D0C6 second address: 000000000090D0E9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push esi 0x00000006 jmp 00007F41B1011B53h 0x0000000b pop esi 0x0000000c popad 0x0000000d push eax 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 pushad 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 000000000090D0E9 second address: 000000000090D0EE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 000000000090D56C second address: 000000000090D588 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F41B1011B58h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 000000000090FA43 second address: 000000000090FA4D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnl 00007F41B1244246h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 000000000090F7CA second address: 000000000090F7E3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F41B1011B4Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e jo 00007F41B1011B46h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 000000000090F7E3 second address: 000000000090F7E9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 000000000090F7E9 second address: 000000000090F7F8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F41B1011B4Bh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 000000000091109A second address: 0000000000911122 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jng 00007F41B1244246h 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e mov dword ptr [esp], eax 0x00000011 push 00000000h 0x00000013 push ebx 0x00000014 call 00007F41B1244248h 0x00000019 pop ebx 0x0000001a mov dword ptr [esp+04h], ebx 0x0000001e add dword ptr [esp+04h], 00000017h 0x00000026 inc ebx 0x00000027 push ebx 0x00000028 ret 0x00000029 pop ebx 0x0000002a ret 0x0000002b xor edi, 73417491h 0x00000031 sub esi, 4CFAEF31h 0x00000037 push 00000000h 0x00000039 call 00007F41B124424Dh 0x0000003e jmp 00007F41B1244251h 0x00000043 pop edi 0x00000044 push 00000000h 0x00000046 push 00000000h 0x00000048 push ebp 0x00000049 call 00007F41B1244248h 0x0000004e pop ebp 0x0000004f mov dword ptr [esp+04h], ebp 0x00000053 add dword ptr [esp+04h], 0000001Ch 0x0000005b inc ebp 0x0000005c push ebp 0x0000005d ret 0x0000005e pop ebp 0x0000005f ret 0x00000060 xchg eax, ebx 0x00000061 push eax 0x00000062 pushad 0x00000063 push eax 0x00000064 push edx 0x00000065 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 0000000000911122 second address: 0000000000911128 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 0000000000911B4D second address: 0000000000911B89 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F41B1244250h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop eax 0x0000000a nop 0x0000000b push esi 0x0000000c mov di, 6A76h 0x00000010 pop edi 0x00000011 push 00000000h 0x00000013 mov esi, eax 0x00000015 push 00000000h 0x00000017 mov dword ptr [ebp+122D1AFEh], eax 0x0000001d push eax 0x0000001e push eax 0x0000001f push edx 0x00000020 jmp 00007F41B1244251h 0x00000025 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 000000000091508D second address: 0000000000915092 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 000000000091512D second address: 0000000000915133 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 0000000000915133 second address: 0000000000915138 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 0000000000918158 second address: 0000000000918175 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F41B1244252h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 0000000000918175 second address: 0000000000918179 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 000000000091919A second address: 00000000009191A4 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F41B124424Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 0000000000917310 second address: 0000000000917314 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 00000000009182EC second address: 00000000009182F1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 0000000000917314 second address: 000000000091731E instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 00000000009182F1 second address: 000000000091836E instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pushad 0x00000004 popad 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 push 00000000h 0x0000000b push ebx 0x0000000c call 00007F41B1244248h 0x00000011 pop ebx 0x00000012 mov dword ptr [esp+04h], ebx 0x00000016 add dword ptr [esp+04h], 00000016h 0x0000001e inc ebx 0x0000001f push ebx 0x00000020 ret 0x00000021 pop ebx 0x00000022 ret 0x00000023 jmp 00007F41B124424Ch 0x00000028 push dword ptr fs:[00000000h] 0x0000002f mov edi, 1ADFEEDBh 0x00000034 mov dword ptr fs:[00000000h], esp 0x0000003b or bx, A9F6h 0x00000040 and bh, 00000000h 0x00000043 mov eax, dword ptr [ebp+122D0349h] 0x00000049 jl 00007F41B124424Ch 0x0000004f or edi, 1293C366h 0x00000055 or dword ptr [ebp+122D1A22h], ebx 0x0000005b push FFFFFFFFh 0x0000005d mov ebx, 5E184B38h 0x00000062 mov edi, dword ptr [ebp+122DB27Bh] 0x00000068 nop 0x00000069 push eax 0x0000006a js 00007F41B124424Ch 0x00000070 push eax 0x00000071 push edx 0x00000072 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 000000000091938C second address: 0000000000919399 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 00000000009173EF second address: 00000000009173F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 0000000000919399 second address: 000000000091939D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 000000000091939D second address: 00000000009193A3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 000000000091C474 second address: 000000000091C504 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F41B1011B58h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a push eax 0x0000000b jmp 00007F41B1011B59h 0x00000010 nop 0x00000011 and edi, 519317C0h 0x00000017 push 00000000h 0x00000019 push 00000000h 0x0000001b push edx 0x0000001c call 00007F41B1011B48h 0x00000021 pop edx 0x00000022 mov dword ptr [esp+04h], edx 0x00000026 add dword ptr [esp+04h], 0000001Ch 0x0000002e inc edx 0x0000002f push edx 0x00000030 ret 0x00000031 pop edx 0x00000032 ret 0x00000033 mov ebx, dword ptr [ebp+122D2F51h] 0x00000039 push 00000000h 0x0000003b jmp 00007F41B1011B53h 0x00000040 xchg eax, esi 0x00000041 push esi 0x00000042 jno 00007F41B1011B48h 0x00000048 pop esi 0x00000049 push eax 0x0000004a pushad 0x0000004b push eax 0x0000004c push edx 0x0000004d push eax 0x0000004e push edx 0x0000004f rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 000000000091C504 second address: 000000000091C508 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 000000000091C649 second address: 000000000091C64E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 000000000091E398 second address: 000000000091E3A9 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F41B1244246h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop esi 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 000000000091E3A9 second address: 000000000091E3B0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 000000000091F338 second address: 000000000091F347 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b push esi 0x0000000c pop esi 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 000000000091F347 second address: 000000000091F34C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 0000000000921568 second address: 000000000092160B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F41B1244252h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop eax 0x0000000a push eax 0x0000000b jmp 00007F41B1244253h 0x00000010 nop 0x00000011 push 00000000h 0x00000013 push esi 0x00000014 call 00007F41B1244248h 0x00000019 pop esi 0x0000001a mov dword ptr [esp+04h], esi 0x0000001e add dword ptr [esp+04h], 00000014h 0x00000026 inc esi 0x00000027 push esi 0x00000028 ret 0x00000029 pop esi 0x0000002a ret 0x0000002b push 00000000h 0x0000002d push 00000000h 0x0000002f push edi 0x00000030 call 00007F41B1244248h 0x00000035 pop edi 0x00000036 mov dword ptr [esp+04h], edi 0x0000003a add dword ptr [esp+04h], 0000001Bh 0x00000042 inc edi 0x00000043 push edi 0x00000044 ret 0x00000045 pop edi 0x00000046 ret 0x00000047 jmp 00007F41B1244253h 0x0000004c push 00000000h 0x0000004e and ebx, dword ptr [ebp+122D2A31h] 0x00000054 push eax 0x00000055 push eax 0x00000056 push edx 0x00000057 jp 00007F41B1244258h 0x0000005d rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 000000000091D6C1 second address: 000000000091D6C5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 000000000091E514 second address: 000000000091E519 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 000000000091E519 second address: 000000000091E51F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 000000000092259E second address: 00000000009225A8 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F41B1244246h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 00000000009235A2 second address: 00000000009235A6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 00000000009235A6 second address: 00000000009235B4 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F41B1244246h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 00000000009235B4 second address: 00000000009235B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 00000000009235B8 second address: 00000000009235BC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 00000000009244F6 second address: 00000000009244FA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 0000000000923810 second address: 000000000092382A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 jmp 00007F41B1244254h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 000000000092382A second address: 000000000092382E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 0000000000924727 second address: 000000000092472B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 000000000092B76A second address: 000000000092B770 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 000000000092B770 second address: 000000000092B774 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 000000000092B774 second address: 000000000092B77A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 000000000092B0B2 second address: 000000000092B0B7 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 000000000092B0B7 second address: 000000000092B0CC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 pushad 0x00000008 jng 00007F41B1011B4Ah 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 000000000092B0CC second address: 000000000092B0D2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 000000000092CD2B second address: 000000000092CD2F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 000000000092CD2F second address: 000000000092CD48 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 jmp 00007F41B124424Eh 0x0000000c pop ebx 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 000000000092CD48 second address: 000000000092CD6C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007F41B1011B46h 0x0000000a jmp 00007F41B1011B55h 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 000000000092CD6C second address: 000000000092CD7B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F41B124424Bh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 000000000092CD7B second address: 000000000092CD7F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 0000000000934824 second address: 0000000000934872 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 jmp 00007F41B1244254h 0x00000008 pop edi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c jne 00007F41B124424Eh 0x00000012 mov eax, dword ptr [esp+04h] 0x00000016 jmp 00007F41B1244253h 0x0000001b mov eax, dword ptr [eax] 0x0000001d push eax 0x0000001e push edx 0x0000001f jmp 00007F41B124424Ah 0x00000024 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 0000000000934A06 second address: 0000000000934A0A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 0000000000934A0A second address: 0000000000934A26 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F41B1244258h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 0000000000934A26 second address: 0000000000934A36 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F41B1011B4Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 0000000000934A36 second address: 0000000000934A4A instructions: 0x00000000 rdtsc 0x00000002 jl 00007F41B1244246h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov eax, dword ptr [eax] 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 0000000000934A4A second address: 0000000000934A62 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F41B1011B54h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 000000000093968A second address: 0000000000939692 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 0000000000939692 second address: 00000000009396A2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jp 00007F41B1011B46h 0x0000000a ja 00007F41B1011B46h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 00000000009396A2 second address: 00000000009396BF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F41B1244259h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 00000000009396BF second address: 00000000009396C9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 00000000009396C9 second address: 00000000009396CD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 00000000009396CD second address: 00000000009396D1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 00000000009396D1 second address: 00000000009396D7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 00000000008C1A88 second address: 00000000008C1A8C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 00000000008C1A8C second address: 00000000008C1A94 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 00000000008C1A94 second address: 00000000008C1AC1 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jmp 00007F41B1011B4Dh 0x00000008 pop ecx 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F41B1011B58h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 00000000008C1AC1 second address: 00000000008C1AC5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 00000000008C1AC5 second address: 00000000008C1AC9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 0000000000938992 second address: 00000000009389A6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pushad 0x00000008 pushad 0x00000009 popad 0x0000000a ja 00007F41B1244246h 0x00000010 pushad 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 00000000009389A6 second address: 00000000009389D5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jo 00007F41B1011B46h 0x0000000c pushad 0x0000000d popad 0x0000000e push edi 0x0000000f pop edi 0x00000010 jmp 00007F41B1011B51h 0x00000015 popad 0x00000016 popad 0x00000017 push eax 0x00000018 push edx 0x00000019 push eax 0x0000001a push edx 0x0000001b jo 00007F41B1011B46h 0x00000021 pushad 0x00000022 popad 0x00000023 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 00000000009389D5 second address: 00000000009389F3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F41B1244258h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 0000000000938B62 second address: 0000000000938B69 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 0000000000938B69 second address: 0000000000938B6F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 0000000000938CBD second address: 0000000000938CC3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 0000000000938CC3 second address: 0000000000938D16 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F41B1244251h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007F41B1244254h 0x0000000e popad 0x0000000f pushad 0x00000010 jmp 00007F41B124424Ch 0x00000015 jmp 00007F41B124424Ch 0x0000001a jbe 00007F41B1244248h 0x00000020 push eax 0x00000021 push edx 0x00000022 jns 00007F41B1244246h 0x00000028 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 00000000009390DE second address: 00000000009390F4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F41B1011B52h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 000000000090A756 second address: 000000000090A75C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 000000000090A75C second address: 000000000090A760 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 000000000090A760 second address: 000000000090A764 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 000000000090A8E7 second address: 000000000090A8FC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F41B1011B4Dh 0x0000000d rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 000000000090ABC0 second address: 000000000075DA86 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F41B1244259h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push edi 0x0000000a push edx 0x0000000b pop edx 0x0000000c pop edi 0x0000000d popad 0x0000000e mov dword ptr [esp], eax 0x00000011 push 00000000h 0x00000013 push ebp 0x00000014 call 00007F41B1244248h 0x00000019 pop ebp 0x0000001a mov dword ptr [esp+04h], ebp 0x0000001e add dword ptr [esp+04h], 00000019h 0x00000026 inc ebp 0x00000027 push ebp 0x00000028 ret 0x00000029 pop ebp 0x0000002a ret 0x0000002b push dword ptr [ebp+122D1425h] 0x00000031 xor dx, 8910h 0x00000036 call dword ptr [ebp+122D265Dh] 0x0000003c pushad 0x0000003d mov dword ptr [ebp+122D3439h], ebx 0x00000043 xor eax, eax 0x00000045 jmp 00007F41B1244257h 0x0000004a mov edx, dword ptr [esp+28h] 0x0000004e jnc 00007F41B1244247h 0x00000054 mov dword ptr [ebp+122D2C65h], eax 0x0000005a mov dword ptr [ebp+122D2655h], eax 0x00000060 mov esi, 0000003Ch 0x00000065 jmp 00007F41B1244252h 0x0000006a mov dword ptr [ebp+122D2655h], ebx 0x00000070 add esi, dword ptr [esp+24h] 0x00000074 or dword ptr [ebp+122D1AA6h], ecx 0x0000007a lodsw 0x0000007c mov dword ptr [ebp+122D3439h], ebx 0x00000082 sub dword ptr [ebp+122D1891h], edi 0x00000088 add eax, dword ptr [esp+24h] 0x0000008c mov dword ptr [ebp+122D1891h], eax 0x00000092 mov ebx, dword ptr [esp+24h] 0x00000096 sub dword ptr [ebp+122D1AA6h], ecx 0x0000009c push eax 0x0000009d push ecx 0x0000009e push edx 0x0000009f push eax 0x000000a0 push edx 0x000000a1 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 000000000090ACDB second address: 000000000090ACF6 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F41B1011B51h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 000000000090ACF6 second address: 000000000090ACFC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 000000000090ACFC second address: 000000000075DA86 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F41B1011B4Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b nop 0x0000000c push 00000000h 0x0000000e push ebx 0x0000000f call 00007F41B1011B48h 0x00000014 pop ebx 0x00000015 mov dword ptr [esp+04h], ebx 0x00000019 add dword ptr [esp+04h], 00000017h 0x00000021 inc ebx 0x00000022 push ebx 0x00000023 ret 0x00000024 pop ebx 0x00000025 ret 0x00000026 jmp 00007F41B1011B51h 0x0000002b push dword ptr [ebp+122D1425h] 0x00000031 mov cl, dh 0x00000033 call dword ptr [ebp+122D265Dh] 0x00000039 pushad 0x0000003a mov dword ptr [ebp+122D3439h], ebx 0x00000040 xor eax, eax 0x00000042 jmp 00007F41B1011B57h 0x00000047 mov edx, dword ptr [esp+28h] 0x0000004b jnc 00007F41B1011B47h 0x00000051 mov dword ptr [ebp+122D2C65h], eax 0x00000057 mov dword ptr [ebp+122D2655h], eax 0x0000005d mov esi, 0000003Ch 0x00000062 jmp 00007F41B1011B52h 0x00000067 mov dword ptr [ebp+122D2655h], ebx 0x0000006d add esi, dword ptr [esp+24h] 0x00000071 or dword ptr [ebp+122D1AA6h], ecx 0x00000077 lodsw 0x00000079 mov dword ptr [ebp+122D3439h], ebx 0x0000007f sub dword ptr [ebp+122D1891h], edi 0x00000085 add eax, dword ptr [esp+24h] 0x00000089 mov dword ptr [ebp+122D1891h], eax 0x0000008f mov ebx, dword ptr [esp+24h] 0x00000093 sub dword ptr [ebp+122D1AA6h], ecx 0x00000099 push eax 0x0000009a push ecx 0x0000009b push edx 0x0000009c push eax 0x0000009d push edx 0x0000009e rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 000000000090B024 second address: 000000000090B02E instructions: 0x00000000 rdtsc 0x00000002 jo 00007F41B1244246h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 000000000090B02E second address: 000000000090B033 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 000000000090B131 second address: 000000000090B135 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 000000000090B135 second address: 000000000090B13B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 000000000090B256 second address: 000000000090B2A0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov dword ptr [esp], eax 0x00000009 push ebx 0x0000000a mov ecx, 690FF56Ch 0x0000000f pop ecx 0x00000010 push 00000004h 0x00000012 push 00000000h 0x00000014 push edx 0x00000015 call 00007F41B1244248h 0x0000001a pop edx 0x0000001b mov dword ptr [esp+04h], edx 0x0000001f add dword ptr [esp+04h], 00000018h 0x00000027 inc edx 0x00000028 push edx 0x00000029 ret 0x0000002a pop edx 0x0000002b ret 0x0000002c sub dword ptr [ebp+122D37DDh], ecx 0x00000032 push eax 0x00000033 push eax 0x00000034 push edx 0x00000035 push eax 0x00000036 jmp 00007F41B124424Dh 0x0000003b pop eax 0x0000003c rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 000000000090B125 second address: 000000000090B131 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a push ecx 0x0000000b pop ecx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 000000000090B88D second address: 000000000090B891 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 00000000008F0A1B second address: 00000000008F0A38 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 jmp 00007F41B1011B55h 0x0000000c pop ebx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 000000000093FB8B second address: 000000000093FB95 instructions: 0x00000000 rdtsc 0x00000002 js 00007F41B1244246h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 000000000093FDF7 second address: 000000000093FE18 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 jmp 00007F41B1011B54h 0x0000000a jo 00007F41B1011B46h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 0000000000944A3D second address: 0000000000944A47 instructions: 0x00000000 rdtsc 0x00000002 js 00007F41B124424Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 0000000000944A47 second address: 0000000000944A4F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 0000000000944A4F second address: 0000000000944A55 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 0000000000944BA5 second address: 0000000000944BA9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 0000000000944BA9 second address: 0000000000944BBA instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 jp 00007F41B1244246h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 0000000000944D0A second address: 0000000000944D13 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 0000000000944D13 second address: 0000000000944D21 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F41B124424Ah 0x00000009 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 0000000000945185 second address: 00000000009451A0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F41B1011B4Ch 0x0000000e jne 00007F41B1011B46h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 00000000009451A0 second address: 00000000009451A4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 00000000009451A4 second address: 00000000009451AA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 00000000009451AA second address: 00000000009451B5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 00000000009451B5 second address: 00000000009451C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007F41B1011B46h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 00000000009451C0 second address: 00000000009451C5 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 0000000000944761 second address: 000000000094477A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F41B1011B53h 0x00000009 push esi 0x0000000a pop esi 0x0000000b rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 000000000094477A second address: 000000000094477E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 00000000009455FF second address: 0000000000945616 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F41B1011B53h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 000000000094D244 second address: 000000000094D248 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 000000000094BC98 second address: 000000000094BC9C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 000000000094C0F1 second address: 000000000094C10A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F41B124424Fh 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 000000000094C10A second address: 000000000094C10E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 000000000094C262 second address: 000000000094C26E instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 jnl 00007F41B1244246h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 000000000094C26E second address: 000000000094C295 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F41B1011B5Dh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e push esi 0x0000000f pop esi 0x00000010 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 000000000094C295 second address: 000000000094C2AB instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F41B1244250h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 000000000094C51E second address: 000000000094C522 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 000000000094C522 second address: 000000000094C52F instructions: 0x00000000 rdtsc 0x00000002 jns 00007F41B1244246h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 000000000094C64E second address: 000000000094C66B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pushad 0x00000006 jmp 00007F41B1011B4Bh 0x0000000b push edi 0x0000000c pop edi 0x0000000d pushad 0x0000000e popad 0x0000000f popad 0x00000010 pushad 0x00000011 push ecx 0x00000012 pop ecx 0x00000013 push esi 0x00000014 pop esi 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 000000000094C797 second address: 000000000094C7C1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F41B124424Bh 0x00000007 jmp 00007F41B124424Eh 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push ebx 0x0000000f pushad 0x00000010 pushad 0x00000011 popad 0x00000012 push ecx 0x00000013 pop ecx 0x00000014 popad 0x00000015 push eax 0x00000016 push edx 0x00000017 pushad 0x00000018 popad 0x00000019 pushad 0x0000001a popad 0x0000001b rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 000000000094CA6C second address: 000000000094CA84 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F41B1011B52h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 000000000094CA84 second address: 000000000094CA9F instructions: 0x00000000 rdtsc 0x00000002 jc 00007F41B1244246h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b jnc 00007F41B1244246h 0x00000011 pushad 0x00000012 popad 0x00000013 pop eax 0x00000014 pop edx 0x00000015 pop eax 0x00000016 pushad 0x00000017 push eax 0x00000018 push edx 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 000000000094CA9F second address: 000000000094CAA3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 000000000094CAA3 second address: 000000000094CAE1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F41B1244258h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007F41B1244251h 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F41B124424Dh 0x00000017 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 000000000094CC2F second address: 000000000094CC39 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop ecx 0x00000007 push esi 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 000000000094CC39 second address: 000000000094CC4A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007F41B1244246h 0x0000000a pop esi 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 000000000094CC4A second address: 000000000094CC53 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 000000000094CC53 second address: 000000000094CC70 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F41B1244259h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 000000000094CC70 second address: 000000000094CC76 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 000000000094D07C second address: 000000000094D08A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push edi 0x00000007 pop edi 0x00000008 push esi 0x00000009 pop esi 0x0000000a pushad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 000000000094D08A second address: 000000000094D08F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 000000000094D08F second address: 000000000094D095 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 000000000094D095 second address: 000000000094D099 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 000000000094D099 second address: 000000000094D09D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 000000000094D09D second address: 000000000094D0B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 jng 00007F41B1011B4Ah 0x0000000f push eax 0x00000010 push edx 0x00000011 jp 00007F41B1011B46h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 000000000094D0B8 second address: 000000000094D0CD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 js 00007F41B1244246h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push edi 0x0000000d js 00007F41B1244246h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 00000000008CBC4A second address: 00000000008CBC50 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 00000000008CBC50 second address: 00000000008CBC54 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 00000000009529FC second address: 0000000000952A00 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 0000000000952A00 second address: 0000000000952A19 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F41B1244253h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 0000000000952A19 second address: 0000000000952A1E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 0000000000952A1E second address: 0000000000952A26 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 00000000009555F3 second address: 000000000095560A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F41B1011B4Eh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 000000000095560A second address: 0000000000955610 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 0000000000955733 second address: 0000000000955740 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push ecx 0x00000006 pop ecx 0x00000007 push edx 0x00000008 pop edx 0x00000009 popad 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 00000000009571DC second address: 00000000009571E4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 00000000009571E4 second address: 00000000009571F7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jns 00007F41B1011B52h 0x0000000b jnl 00007F41B1011B46h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 00000000009571F7 second address: 00000000009571FB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 00000000009571FB second address: 0000000000957200 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 000000000095CE0F second address: 000000000095CE22 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 pop eax 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d jp 00007F41B1244246h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 000000000095CF57 second address: 000000000095CF5D instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 000000000095D0B4 second address: 000000000095D0BE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F41B1244246h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 000000000095D0BE second address: 000000000095D0C8 instructions: 0x00000000 rdtsc 0x00000002 js 00007F41B1011B4Eh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 000000000095D0C8 second address: 000000000095D0D4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 000000000095D0D4 second address: 000000000095D0DA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 000000000095D54B second address: 000000000095D550 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 000000000090B40A second address: 000000000090B40E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 000000000090B40E second address: 000000000090B45F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 nop 0x00000008 mov ebx, dword ptr [ebp+12480477h] 0x0000000e mov dword ptr [ebp+122D180Ch], eax 0x00000014 add eax, ebx 0x00000016 push 00000000h 0x00000018 push ecx 0x00000019 call 00007F41B1244248h 0x0000001e pop ecx 0x0000001f mov dword ptr [esp+04h], ecx 0x00000023 add dword ptr [esp+04h], 00000016h 0x0000002b inc ecx 0x0000002c push ecx 0x0000002d ret 0x0000002e pop ecx 0x0000002f ret 0x00000030 mov edx, dword ptr [ebp+122D2A51h] 0x00000036 push eax 0x00000037 push eax 0x00000038 push edx 0x00000039 pushad 0x0000003a jl 00007F41B1244246h 0x00000040 jmp 00007F41B124424Ch 0x00000045 popad 0x00000046 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 000000000090B45F second address: 000000000090B4D4 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F41B1011B48h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], eax 0x0000000d push 00000000h 0x0000000f push edx 0x00000010 call 00007F41B1011B48h 0x00000015 pop edx 0x00000016 mov dword ptr [esp+04h], edx 0x0000001a add dword ptr [esp+04h], 0000001Dh 0x00000022 inc edx 0x00000023 push edx 0x00000024 ret 0x00000025 pop edx 0x00000026 ret 0x00000027 adc cx, 2800h 0x0000002c push 00000004h 0x0000002e push 00000000h 0x00000030 push ebp 0x00000031 call 00007F41B1011B48h 0x00000036 pop ebp 0x00000037 mov dword ptr [esp+04h], ebp 0x0000003b add dword ptr [esp+04h], 00000016h 0x00000043 inc ebp 0x00000044 push ebp 0x00000045 ret 0x00000046 pop ebp 0x00000047 ret 0x00000048 nop 0x00000049 push eax 0x0000004a push edx 0x0000004b jmp 00007F41B1011B59h 0x00000050 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 000000000090B4D4 second address: 000000000090B4F2 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F41B1244248h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d pushad 0x0000000e jo 00007F41B1244248h 0x00000014 pushad 0x00000015 popad 0x00000016 push eax 0x00000017 push edx 0x00000018 ja 00007F41B1244246h 0x0000001e rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 000000000095D82D second address: 000000000095D83D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 push esi 0x00000008 jo 00007F41B1011B5Fh 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 000000000095E2A5 second address: 000000000095E2BC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F41B1244251h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 000000000095E2BC second address: 000000000095E2DD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F41B1011B53h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c push esi 0x0000000d pushad 0x0000000e popad 0x0000000f pop esi 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 000000000095E2DD second address: 000000000095E2ED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 jng 00007F41B1244246h 0x0000000c popad 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 000000000095E2ED second address: 000000000095E319 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F41B1011B4Eh 0x00000009 jmp 00007F41B1011B58h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 00000000008CD781 second address: 00000000008CD785 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 0000000000961AA0 second address: 0000000000961AB1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F41B1011B4Ch 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 0000000000961AB1 second address: 0000000000961AC3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e push edi 0x0000000f pop edi 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 0000000000961AC3 second address: 0000000000961AD9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F41B1011B52h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 0000000000964B70 second address: 0000000000964BC4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F41B124424Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jno 00007F41B124425Ah 0x0000000f jmp 00007F41B1244253h 0x00000014 jg 00007F41B1244252h 0x0000001a popad 0x0000001b push eax 0x0000001c push edx 0x0000001d push eax 0x0000001e push edx 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 0000000000964BC4 second address: 0000000000964BCA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 0000000000964BCA second address: 0000000000964BDA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F41B124424Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 0000000000964BDA second address: 0000000000964BF8 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F41B1011B4Ch 0x00000008 pushad 0x00000009 jmp 00007F41B1011B4Dh 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 0000000000964BF8 second address: 0000000000964C00 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 0000000000964EA9 second address: 0000000000964EC0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007F41B1011B46h 0x0000000a push esi 0x0000000b pop esi 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f jc 00007F41B1011B46h 0x00000015 pushad 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 0000000000964EC0 second address: 0000000000964EC4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 0000000000964EC4 second address: 0000000000964ED3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007F41B1011B46h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 0000000000964ED3 second address: 0000000000964F03 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007F41B1244246h 0x0000000a pop eax 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e jg 00007F41B124424Eh 0x00000014 jmp 00007F41B1244254h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 0000000000964F03 second address: 0000000000964F2B instructions: 0x00000000 rdtsc 0x00000002 jns 00007F41B1011B61h 0x00000008 pushad 0x00000009 push edx 0x0000000a pop edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 000000000096B35E second address: 000000000096B362 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 000000000096B362 second address: 000000000096B366 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 000000000096B366 second address: 000000000096B388 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007F41B1244246h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jnl 00007F41B1244256h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 000000000096B388 second address: 000000000096B38D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 000000000096B38D second address: 000000000096B393 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 000000000096B8AC second address: 000000000096B8F6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jbe 00007F41B1011B46h 0x00000009 pushad 0x0000000a popad 0x0000000b je 00007F41B1011B46h 0x00000011 popad 0x00000012 pushad 0x00000013 push edx 0x00000014 pop edx 0x00000015 jmp 00007F41B1011B52h 0x0000001a pushad 0x0000001b popad 0x0000001c popad 0x0000001d pop edx 0x0000001e pop eax 0x0000001f pushad 0x00000020 push eax 0x00000021 push edx 0x00000022 jmp 00007F41B1011B4Dh 0x00000027 jmp 00007F41B1011B4Eh 0x0000002c rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 000000000096B8F6 second address: 000000000096B8FA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 000000000096B8FA second address: 000000000096B90F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jo 00007F41B1011B4Ch 0x0000000c jl 00007F41B1011B46h 0x00000012 pushad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 000000000096B90F second address: 000000000096B91B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 push ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 000000000096BBB4 second address: 000000000096BBFA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pushad 0x00000006 jmp 00007F41B1011B52h 0x0000000b push edx 0x0000000c pop edx 0x0000000d popad 0x0000000e popad 0x0000000f pushad 0x00000010 pushad 0x00000011 pushad 0x00000012 popad 0x00000013 pushad 0x00000014 popad 0x00000015 pushad 0x00000016 popad 0x00000017 popad 0x00000018 jmp 00007F41B1011B4Ah 0x0000001d pushad 0x0000001e jmp 00007F41B1011B54h 0x00000023 push eax 0x00000024 push edx 0x00000025 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 000000000096BEB6 second address: 000000000096BEBC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 000000000096BEBC second address: 000000000096BEC2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 000000000096BEC2 second address: 000000000096BEF5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push edi 0x00000008 pop edi 0x00000009 jno 00007F41B1244246h 0x0000000f jg 00007F41B1244246h 0x00000015 jmp 00007F41B1244257h 0x0000001a popad 0x0000001b pop esi 0x0000001c pushad 0x0000001d push eax 0x0000001e push edx 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 000000000096BEF5 second address: 000000000096BEF9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 000000000096BEF9 second address: 000000000096BF02 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 000000000096C4A1 second address: 000000000096C4A5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 000000000096C4A5 second address: 000000000096C4C0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F41B1244257h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 0000000000971A38 second address: 0000000000971A57 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F41B1011B46h 0x00000008 push esi 0x00000009 pop esi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jmp 00007F41B1011B50h 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 0000000000971A57 second address: 0000000000971A7C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a push ecx 0x0000000b pop ecx 0x0000000c jmp 00007F41B1244259h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 0000000000971A7C second address: 0000000000971A8C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F41B1011B4Ah 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 0000000000974EB5 second address: 0000000000974EDB instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jmp 00007F41B124424Bh 0x00000008 jmp 00007F41B124424Ch 0x0000000d pop ebx 0x0000000e pushad 0x0000000f pushad 0x00000010 popad 0x00000011 jbe 00007F41B1244246h 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 0000000000974EDB second address: 0000000000974F07 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a jne 00007F41B1011B52h 0x00000010 push esi 0x00000011 je 00007F41B1011B46h 0x00000017 pop esi 0x00000018 push eax 0x00000019 push edx 0x0000001a jnc 00007F41B1011B46h 0x00000020 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 00000000009751CD second address: 00000000009751D1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 00000000009751D1 second address: 000000000097520A instructions: 0x00000000 rdtsc 0x00000002 jc 00007F41B1011B5Dh 0x00000008 jmp 00007F41B1011B4Bh 0x0000000d jmp 00007F41B1011B4Ch 0x00000012 pop edx 0x00000013 pop eax 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 jmp 00007F41B1011B4Eh 0x0000001d jo 00007F41B1011B46h 0x00000023 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 000000000097520A second address: 0000000000975223 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F41B1244255h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 0000000000975223 second address: 000000000097523D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jbe 00007F41B1011B46h 0x00000009 jmp 00007F41B1011B4Fh 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 0000000000975388 second address: 00000000009753CC instructions: 0x00000000 rdtsc 0x00000002 jne 00007F41B124424Eh 0x00000008 js 00007F41B124424Eh 0x0000000e pushad 0x0000000f popad 0x00000010 ja 00007F41B1244246h 0x00000016 pop edx 0x00000017 pop eax 0x00000018 jo 00007F41B1244274h 0x0000001e jng 00007F41B124425Bh 0x00000024 jmp 00007F41B1244255h 0x00000029 push ecx 0x0000002a push eax 0x0000002b push edx 0x0000002c rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 000000000097B688 second address: 000000000097B6C1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F41B1011B59h 0x0000000a pop ecx 0x0000000b push eax 0x0000000c push edx 0x0000000d push esi 0x0000000e jmp 00007F41B1011B50h 0x00000013 push ebx 0x00000014 pop ebx 0x00000015 pop esi 0x00000016 push eax 0x00000017 push edx 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 000000000097B6C1 second address: 000000000097B6C7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 000000000097B6C7 second address: 000000000097B6CB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 000000000097B6CB second address: 000000000097B6E0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F41B124424Fh 0x00000007 push edx 0x00000008 pop edx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 000000000097BA03 second address: 000000000097BA07 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 000000000097BF95 second address: 000000000097BF9D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push eax 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 000000000097BF9D second address: 000000000097BFAE instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 jbe 00007F41B1011B46h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 000000000097BFAE second address: 000000000097BFB3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 000000000097C42E second address: 000000000097C444 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F41B1011B52h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 000000000097C444 second address: 000000000097C452 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 js 00007F41B124424Ch 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 000000000097C452 second address: 000000000097C456 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 000000000097C456 second address: 000000000097C45D instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push edx 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 000000000097C45D second address: 000000000097C466 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 000000000097C466 second address: 000000000097C46A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 000000000097CB89 second address: 000000000097CBA4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F41B1011B52h 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 000000000098123E second address: 000000000098124F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jne 00007F41B1244248h 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 000000000098124F second address: 0000000000981269 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F41B1011B56h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 0000000000985AC8 second address: 0000000000985AD3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop ecx 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 0000000000985DB7 second address: 0000000000985DCB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F41B1011B50h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 0000000000985DCB second address: 0000000000985DE9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 pop edx 0x0000000a pushad 0x0000000b jne 00007F41B1244246h 0x00000011 pushad 0x00000012 popad 0x00000013 popad 0x00000014 popad 0x00000015 jo 00007F41B1244264h 0x0000001b push edi 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 0000000000985DE9 second address: 0000000000985DEF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 000000000098D23D second address: 000000000098D243 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 000000000098D243 second address: 000000000098D247 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 000000000098D247 second address: 000000000098D24C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 0000000000997DB2 second address: 0000000000997DDE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jno 00007F41B1011B56h 0x0000000c popad 0x0000000d push ebx 0x0000000e push ebx 0x0000000f jns 00007F41B1011B46h 0x00000015 push edx 0x00000016 pop edx 0x00000017 pop ebx 0x00000018 push eax 0x00000019 push edx 0x0000001a pushad 0x0000001b popad 0x0000001c rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 0000000000997912 second address: 0000000000997919 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop esi 0x00000007 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 0000000000997AAF second address: 0000000000997AB3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 000000000099A7E5 second address: 000000000099A7EC instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 000000000099A7EC second address: 000000000099A810 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pushad 0x00000006 jl 00007F41B1011B46h 0x0000000c jmp 00007F41B1011B51h 0x00000011 popad 0x00000012 pop edx 0x00000013 pop eax 0x00000014 push esi 0x00000015 pushad 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 000000000099A200 second address: 000000000099A21D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F41B1244255h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 000000000099A21D second address: 000000000099A221 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 000000000099EE7E second address: 000000000099EE84 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 000000000099EE84 second address: 000000000099EEA4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 jmp 00007F41B1011B58h 0x0000000c pop eax 0x0000000d rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 000000000099EEA4 second address: 000000000099EEBE instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 jns 00007F41B1244246h 0x00000009 push esi 0x0000000a pop esi 0x0000000b pop edi 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 jg 00007F41B1244246h 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 000000000099EEBE second address: 000000000099EEC2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 000000000099EEC2 second address: 000000000099EEC6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 000000000099EEC6 second address: 000000000099EED2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F41B1011B46h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 000000000099EED2 second address: 000000000099EEE2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F41B124424Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 000000000099EEE2 second address: 000000000099EEFD instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 jbe 00007F41B1011B46h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F41B1011B4Dh 0x00000013 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 000000000099EEFD second address: 000000000099EF01 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 00000000009AA8EF second address: 00000000009AA8F3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 00000000009AA736 second address: 00000000009AA77B instructions: 0x00000000 rdtsc 0x00000002 jo 00007F41B1244261h 0x00000008 jnp 00007F41B1244246h 0x0000000e jmp 00007F41B1244255h 0x00000013 jmp 00007F41B124424Dh 0x00000018 pop edx 0x00000019 pop eax 0x0000001a push eax 0x0000001b push edx 0x0000001c jmp 00007F41B1244251h 0x00000021 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 00000000009ACCC0 second address: 00000000009ACCEB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F41B1011B4Dh 0x00000008 jmp 00007F41B1011B4Ah 0x0000000d push edx 0x0000000e pop edx 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 jo 00007F41B1011B46h 0x00000018 jo 00007F41B1011B46h 0x0000001e rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 00000000009ACCEB second address: 00000000009ACCEF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 00000000009ACCEF second address: 00000000009ACD0C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F41B1011B4Bh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 pushad 0x00000011 popad 0x00000012 push ecx 0x00000013 pop ecx 0x00000014 pushad 0x00000015 popad 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 00000000009ACD0C second address: 00000000009ACD2A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F41B1244258h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 00000000009ACD2A second address: 00000000009ACD2E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 00000000009ACB6B second address: 00000000009ACB6F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 00000000009ACB6F second address: 00000000009ACB8B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 ja 00007F41B1011B56h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 00000000009B5BD3 second address: 00000000009B5BF1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 jmp 00007F41B1244253h 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 00000000009B5BF1 second address: 00000000009B5BF5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 00000000009B5BF5 second address: 00000000009B5BF9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 00000000009B477F second address: 00000000009B4783 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 00000000009B4783 second address: 00000000009B4795 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F41B1244246h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push edi 0x0000000c push esi 0x0000000d pop esi 0x0000000e pop edi 0x0000000f push ecx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 00000000009B4A16 second address: 00000000009B4A43 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F41B1011B61h 0x00000008 push eax 0x00000009 push edx 0x0000000a jnp 00007F41B1011B46h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 00000000009B4A43 second address: 00000000009B4A47 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 00000000009B4B91 second address: 00000000009B4B97 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 00000000009B4B97 second address: 00000000009B4B9D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 00000000009B4D10 second address: 00000000009B4D29 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 pushad 0x00000007 popad 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F41B1011B4Dh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 00000000009B4E94 second address: 00000000009B4E98 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 00000000009B4E98 second address: 00000000009B4E9C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 00000000009B967B second address: 00000000009B967F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 00000000009B927A second address: 00000000009B9280 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 00000000009B9280 second address: 00000000009B9285 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 00000000009B9285 second address: 00000000009B92A1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F41B1011B50h 0x00000007 push eax 0x00000008 push edx 0x00000009 jnc 00007F41B1011B46h 0x0000000f push edi 0x00000010 pop edi 0x00000011 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 00000000009CDE27 second address: 00000000009CDE2B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 00000000009CDE2B second address: 00000000009CDE35 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F41B1011B46h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 00000000009CDE35 second address: 00000000009CDE3B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 00000000009CDE3B second address: 00000000009CDE3F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 00000000009CDE3F second address: 00000000009CDE76 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F41B1244254h 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push ecx 0x0000000e jnp 00007F41B1244257h 0x00000014 pushad 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 00000000009D05F5 second address: 00000000009D0639 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 jmp 00007F41B1011B57h 0x0000000e je 00007F41B1011B61h 0x00000014 pushad 0x00000015 popad 0x00000016 jmp 00007F41B1011B59h 0x0000001b push eax 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 00000000009C9DAA second address: 00000000009C9DB5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pushad 0x00000006 push edx 0x00000007 pop edx 0x00000008 pushad 0x00000009 popad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 00000000009C9DB5 second address: 00000000009C9DC8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F41B1011B4Dh 0x00000007 push eax 0x00000008 push edx 0x00000009 push esi 0x0000000a pop esi 0x0000000b rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 0000000000A04B68 second address: 0000000000A04B6C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 0000000000A04B6C second address: 0000000000A04B8B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F41B1011B4Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jg 00007F41B1011B4Eh 0x0000000f rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 0000000000A04CF4 second address: 0000000000A04D0B instructions: 0x00000000 rdtsc 0x00000002 jg 00007F41B1244246h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push ecx 0x0000000b push esi 0x0000000c pop esi 0x0000000d pop ecx 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 popad 0x00000015 push edx 0x00000016 pop edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 0000000000A04D0B second address: 0000000000A04D23 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jg 00007F41B1011B52h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 0000000000A04D23 second address: 0000000000A04D52 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pushad 0x00000004 popad 0x00000005 jns 00007F41B1244246h 0x0000000b pop edi 0x0000000c pushad 0x0000000d jmp 00007F41B124424Ch 0x00000012 jmp 00007F41B1244254h 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 0000000000A05056 second address: 0000000000A05064 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 je 00007F41B1011B4Ch 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 0000000000A051C5 second address: 0000000000A051FE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jne 00007F41B1244259h 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f jmp 00007F41B1244257h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 0000000000A08632 second address: 0000000000A08636 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 0000000000A088BF second address: 0000000000A088C5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 0000000000A088C5 second address: 0000000000A08930 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F41B1011B4Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esp], eax 0x0000000e push 00000000h 0x00000010 push ecx 0x00000011 call 00007F41B1011B48h 0x00000016 pop ecx 0x00000017 mov dword ptr [esp+04h], ecx 0x0000001b add dword ptr [esp+04h], 00000018h 0x00000023 inc ecx 0x00000024 push ecx 0x00000025 ret 0x00000026 pop ecx 0x00000027 ret 0x00000028 mov dx, 514Bh 0x0000002c push 00000004h 0x0000002e add edx, dword ptr [ebp+1244A582h] 0x00000034 mov edx, ebx 0x00000036 call 00007F41B1011B49h 0x0000003b jnl 00007F41B1011B56h 0x00000041 push eax 0x00000042 pushad 0x00000043 push eax 0x00000044 push edx 0x00000045 push esi 0x00000046 pop esi 0x00000047 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 0000000000A08930 second address: 0000000000A08952 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push edx 0x00000008 pop edx 0x00000009 push esi 0x0000000a pop esi 0x0000000b popad 0x0000000c popad 0x0000000d mov eax, dword ptr [esp+04h] 0x00000011 pushad 0x00000012 jmp 00007F41B124424Dh 0x00000017 pushad 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 0000000000A08952 second address: 0000000000A0898E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F41B1011B4Ah 0x00000009 popad 0x0000000a popad 0x0000000b mov eax, dword ptr [eax] 0x0000000d jmp 00007F41B1011B55h 0x00000012 mov dword ptr [esp+04h], eax 0x00000016 pushad 0x00000017 push ecx 0x00000018 jns 00007F41B1011B46h 0x0000001e pop ecx 0x0000001f push eax 0x00000020 push edx 0x00000021 jp 00007F41B1011B46h 0x00000027 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 0000000000A08BF3 second address: 0000000000A08BF8 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 0000000000A0B5F2 second address: 0000000000A0B602 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pushad 0x00000008 jno 00007F41B1011B46h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 0000000000A0B602 second address: 0000000000A0B608 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 0000000000A0B608 second address: 0000000000A0B63A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 pushad 0x00000007 jnl 00007F41B1011B4Eh 0x0000000d push ebx 0x0000000e pushad 0x0000000f popad 0x00000010 push ebx 0x00000011 pop ebx 0x00000012 pop ebx 0x00000013 je 00007F41B1011B52h 0x00000019 jmp 00007F41B1011B4Ch 0x0000001e push ebx 0x0000001f push edi 0x00000020 pop edi 0x00000021 push eax 0x00000022 push edx 0x00000023 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 0000000000A0D5E7 second address: 0000000000A0D5FB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F41B1244250h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 00000000050F0703 second address: 00000000050F0707 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 00000000050F0707 second address: 00000000050F070D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 00000000050F070D second address: 00000000050F0713 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 00000000050F0713 second address: 00000000050F0741 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F41B1244251h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c pushad 0x0000000d mov ecx, 4B0DD3E3h 0x00000012 pushad 0x00000013 push ecx 0x00000014 pop ebx 0x00000015 mov di, si 0x00000018 popad 0x00000019 popad 0x0000001a mov ebp, esp 0x0000001c push eax 0x0000001d push edx 0x0000001e push eax 0x0000001f push edx 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 00000000050F0741 second address: 00000000050F0745 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 00000000050F0745 second address: 00000000050F074B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 00000000050F074B second address: 00000000050F0779 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F41B1011B50h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F41B1011B57h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 0000000005130644 second address: 0000000005130685 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F41B124424Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007F41B1244256h 0x0000000f mov ebp, esp 0x00000011 jmp 00007F41B1244250h 0x00000016 pop ebp 0x00000017 pushad 0x00000018 push eax 0x00000019 push edx 0x0000001a mov ecx, 4B4E9303h 0x0000001f rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 00000000050C0B72 second address: 00000000050C0B76 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 00000000050C0B76 second address: 00000000050C0B7C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 00000000050C0B7C second address: 00000000050C0C37 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F41B1011B55h 0x00000009 adc esi, 3FA36836h 0x0000000f jmp 00007F41B1011B51h 0x00000014 popfd 0x00000015 popad 0x00000016 pop edx 0x00000017 pop eax 0x00000018 push esp 0x00000019 jmp 00007F41B1011B4Ah 0x0000001e mov dword ptr [esp], ebp 0x00000021 jmp 00007F41B1011B50h 0x00000026 mov ebp, esp 0x00000028 pushad 0x00000029 pushfd 0x0000002a jmp 00007F41B1011B4Eh 0x0000002f adc cx, C1B8h 0x00000034 jmp 00007F41B1011B4Bh 0x00000039 popfd 0x0000003a pushfd 0x0000003b jmp 00007F41B1011B58h 0x00000040 sub esi, 4FBA7C18h 0x00000046 jmp 00007F41B1011B4Bh 0x0000004b popfd 0x0000004c popad 0x0000004d push dword ptr [ebp+04h] 0x00000050 push eax 0x00000051 push edx 0x00000052 jmp 00007F41B1011B55h 0x00000057 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 0000000005100B09 second address: 0000000005100B0F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 0000000005100B0F second address: 0000000005100B55 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F41B1011B54h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007F41B1011B4Dh 0x00000013 add ecx, 59758796h 0x00000019 jmp 00007F41B1011B51h 0x0000001e popfd 0x0000001f movzx ecx, dx 0x00000022 popad 0x00000023 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 0000000005100B55 second address: 0000000005100B5A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 0000000005100B5A second address: 0000000005100B6B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b mov si, bx 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 0000000005100B6B second address: 0000000005100B71 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 0000000005100B71 second address: 0000000005100B9D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 xchg eax, ebp 0x00000007 jmp 00007F41B1011B4Fh 0x0000000c mov ebp, esp 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F41B1011B50h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 0000000005100B9D second address: 0000000005100BA3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 0000000005150035 second address: 000000000515003B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 000000000515003B second address: 000000000515003F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 000000000515003F second address: 00000000051500A2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], ebp 0x0000000b jmp 00007F41B1011B4Fh 0x00000010 mov ebp, esp 0x00000012 pushad 0x00000013 call 00007F41B1011B54h 0x00000018 mov cx, A0F1h 0x0000001c pop eax 0x0000001d mov cx, bx 0x00000020 popad 0x00000021 pop ebp 0x00000022 push eax 0x00000023 push edx 0x00000024 pushad 0x00000025 mov ax, A861h 0x00000029 pushfd 0x0000002a jmp 00007F41B1011B4Eh 0x0000002f add ax, 0AF8h 0x00000034 jmp 00007F41B1011B4Bh 0x00000039 popfd 0x0000003a popad 0x0000003b rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 00000000051500A2 second address: 00000000051500A8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 00000000051500A8 second address: 00000000051500AC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 0000000005130B57 second address: 0000000005130B6E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov edx, 4BFD6BA4h 0x00000008 push ebx 0x00000009 pop ecx 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d xchg eax, ebp 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 mov bl, ch 0x00000013 movsx edi, ax 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 0000000005130B6E second address: 0000000005130B74 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 0000000005130B74 second address: 0000000005130B78 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 0000000005130B78 second address: 0000000005130BA9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F41B1011B51h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov ebp, esp 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 mov edx, 03D1091Eh 0x00000015 jmp 00007F41B1011B4Fh 0x0000001a popad 0x0000001b rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 0000000005130BA9 second address: 0000000005130BAF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 0000000005130BAF second address: 0000000005130BB3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 0000000005130BB3 second address: 0000000005130BB7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 0000000005130BB7 second address: 0000000005130BC7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c mov si, di 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 0000000005130BC7 second address: 0000000005130BCC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 00000000050D02B2 second address: 00000000050D0316 instructions: 0x00000000 rdtsc 0x00000002 call 00007F41B1011B53h 0x00000007 pop eax 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push ebp 0x0000000c pushad 0x0000000d jmp 00007F41B1011B52h 0x00000012 pushfd 0x00000013 jmp 00007F41B1011B52h 0x00000018 and al, 00000018h 0x0000001b jmp 00007F41B1011B4Bh 0x00000020 popfd 0x00000021 popad 0x00000022 mov dword ptr [esp], ebp 0x00000025 pushad 0x00000026 mov edx, eax 0x00000028 mov esi, 64BFBCC7h 0x0000002d popad 0x0000002e mov ebp, esp 0x00000030 push eax 0x00000031 push edx 0x00000032 push eax 0x00000033 push edx 0x00000034 pushad 0x00000035 popad 0x00000036 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 00000000050D0316 second address: 00000000050D031C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 00000000050D031C second address: 00000000050D0322 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 00000000050D0322 second address: 00000000050D0326 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 0000000005130453 second address: 0000000005130457 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 0000000005130457 second address: 000000000513045B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 000000000513045B second address: 0000000005130461 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 0000000005130461 second address: 0000000005130476 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F41B124424Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 0000000005130476 second address: 000000000513047C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 000000000513047C second address: 0000000005130482 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 0000000005130482 second address: 0000000005130486 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 0000000005130486 second address: 00000000051304D7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 jmp 00007F41B124424Dh 0x0000000e mov ebp, esp 0x00000010 pushad 0x00000011 call 00007F41B124424Ch 0x00000016 pushfd 0x00000017 jmp 00007F41B1244252h 0x0000001c xor si, D448h 0x00000021 jmp 00007F41B124424Bh 0x00000026 popfd 0x00000027 pop eax 0x00000028 push eax 0x00000029 push edx 0x0000002a mov ebx, 3969DDEAh 0x0000002f rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 0000000005130AA0 second address: 0000000005130AA9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov bx, 8FE2h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 0000000005130C68 second address: 0000000005130C85 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F41B1244259h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 0000000005130C85 second address: 0000000005130CDD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 call 00007F41B1011B4Dh 0x0000000a pop eax 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e mov ebp, esp 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 jmp 00007F41B1011B58h 0x00000018 pushfd 0x00000019 jmp 00007F41B1011B52h 0x0000001e add cx, 3558h 0x00000023 jmp 00007F41B1011B4Bh 0x00000028 popfd 0x00000029 popad 0x0000002a rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 00000000051409B5 second address: 00000000051409B9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 00000000051409B9 second address: 00000000051409BD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 00000000051409BD second address: 00000000051409C3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 00000000051409C3 second address: 00000000051409C9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 00000000051409C9 second address: 00000000051409CD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 00000000051409CD second address: 00000000051409EE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F41B1011B56h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 00000000051409EE second address: 0000000005140A15 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F41B124424Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F41B1244255h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 0000000005140A15 second address: 0000000005140A25 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F41B1011B4Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 0000000005140A25 second address: 0000000005140A29 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 0000000005140A29 second address: 0000000005140A39 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebp, esp 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 0000000005140A39 second address: 0000000005140A3F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 0000000005140A3F second address: 0000000005140A51 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F41B1011B4Eh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 0000000005140A51 second address: 0000000005140AE8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push esi 0x00000009 pushad 0x0000000a pushad 0x0000000b pushfd 0x0000000c jmp 00007F41B1244258h 0x00000011 xor esi, 2C1C17E8h 0x00000017 jmp 00007F41B124424Bh 0x0000001c popfd 0x0000001d pushfd 0x0000001e jmp 00007F41B1244258h 0x00000023 add ax, AA48h 0x00000028 jmp 00007F41B124424Bh 0x0000002d popfd 0x0000002e popad 0x0000002f pushfd 0x00000030 jmp 00007F41B1244258h 0x00000035 add ah, FFFFFFA8h 0x00000038 jmp 00007F41B124424Bh 0x0000003d popfd 0x0000003e popad 0x0000003f mov dword ptr [esp], ecx 0x00000042 push eax 0x00000043 push edx 0x00000044 pushad 0x00000045 movsx ebx, cx 0x00000048 movzx ecx, bx 0x0000004b popad 0x0000004c rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 0000000005140AE8 second address: 0000000005140B33 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov esi, edi 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [774365FCh] 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 jmp 00007F41B1011B56h 0x00000015 pushfd 0x00000016 jmp 00007F41B1011B52h 0x0000001b add ax, 1498h 0x00000020 jmp 00007F41B1011B4Bh 0x00000025 popfd 0x00000026 popad 0x00000027 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 0000000005140B33 second address: 0000000005140B4B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F41B1244254h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 0000000005140B4B second address: 0000000005140B69 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 test eax, eax 0x0000000a pushad 0x0000000b mov bl, 75h 0x0000000d mov ax, FBC5h 0x00000011 popad 0x00000012 je 00007F422328494Fh 0x00000018 push eax 0x00000019 push edx 0x0000001a push eax 0x0000001b push edx 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 0000000005140B69 second address: 0000000005140B6D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 0000000005140B6D second address: 0000000005140B73 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 0000000005130ECD second address: 0000000005130F05 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F41B1244259h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b mov cl, 5Bh 0x0000000d mov ecx, edi 0x0000000f popad 0x00000010 push eax 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007F41B1244251h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 0000000005130F05 second address: 0000000005130F25 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov bx, 55C2h 0x00000007 mov al, dh 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c xchg eax, ebp 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F41B1011B51h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 0000000005130F25 second address: 0000000005130F47 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F41B1244251h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e mov ebx, 10164A1Eh 0x00000013 mov eax, edx 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 0000000005100032 second address: 0000000005100078 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F41B1011B54h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b pushfd 0x0000000c jmp 00007F41B1011B4Eh 0x00000011 sbb cx, 5988h 0x00000016 jmp 00007F41B1011B4Bh 0x0000001b popfd 0x0000001c movzx esi, di 0x0000001f popad 0x00000020 mov ebp, esp 0x00000022 push eax 0x00000023 push edx 0x00000024 push eax 0x00000025 push edx 0x00000026 pushad 0x00000027 popad 0x00000028 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 0000000005100078 second address: 000000000510007C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 000000000510007C second address: 0000000005100082 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 0000000005100082 second address: 0000000005100088 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 0000000005100088 second address: 000000000510008C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 000000000510008C second address: 0000000005100090 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 0000000005100090 second address: 00000000051000B5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 and esp, FFFFFFF8h 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F41B1011B58h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 00000000051000B5 second address: 00000000051000BB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 00000000051000BB second address: 0000000005100123 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ecx 0x00000009 jmp 00007F41B1011B56h 0x0000000e mov dword ptr [esp], ecx 0x00000011 pushad 0x00000012 mov si, CEFDh 0x00000016 movzx esi, dx 0x00000019 popad 0x0000001a push esi 0x0000001b push eax 0x0000001c push edx 0x0000001d pushad 0x0000001e pushfd 0x0000001f jmp 00007F41B1011B57h 0x00000024 or cx, 069Eh 0x00000029 jmp 00007F41B1011B59h 0x0000002e popfd 0x0000002f push eax 0x00000030 push edx 0x00000031 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 0000000005100123 second address: 0000000005100128 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 0000000005100128 second address: 000000000510016A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov cx, bx 0x00000006 mov bh, EDh 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esp], ebx 0x0000000e jmp 00007F41B1011B50h 0x00000013 mov ebx, dword ptr [ebp+10h] 0x00000016 push eax 0x00000017 push edx 0x00000018 pushad 0x00000019 pushfd 0x0000001a jmp 00007F41B1011B4Dh 0x0000001f jmp 00007F41B1011B4Bh 0x00000024 popfd 0x00000025 mov dx, ax 0x00000028 popad 0x00000029 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 000000000510016A second address: 000000000510017E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F41B1244250h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 000000000510017E second address: 00000000051001F2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F41B1011B4Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, esi 0x0000000c jmp 00007F41B1011B56h 0x00000011 push eax 0x00000012 jmp 00007F41B1011B4Bh 0x00000017 xchg eax, esi 0x00000018 push eax 0x00000019 push edx 0x0000001a pushad 0x0000001b call 00007F41B1011B4Bh 0x00000020 pop eax 0x00000021 pushfd 0x00000022 jmp 00007F41B1011B59h 0x00000027 add ah, 00000006h 0x0000002a jmp 00007F41B1011B51h 0x0000002f popfd 0x00000030 popad 0x00000031 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 00000000051001F2 second address: 0000000005100263 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F41B1244251h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov esi, dword ptr [ebp+08h] 0x0000000c jmp 00007F41B124424Eh 0x00000011 xchg eax, edi 0x00000012 pushad 0x00000013 mov dh, ch 0x00000015 mov edi, 2144F0EEh 0x0000001a popad 0x0000001b push eax 0x0000001c jmp 00007F41B1244254h 0x00000021 xchg eax, edi 0x00000022 jmp 00007F41B1244250h 0x00000027 test esi, esi 0x00000029 push eax 0x0000002a push edx 0x0000002b jmp 00007F41B1244257h 0x00000030 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 0000000005100263 second address: 0000000005100269 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 0000000005100269 second address: 0000000005100285 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F41B124424Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b je 00007F42234F25E1h 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 0000000005100285 second address: 000000000510028D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov ax, bx 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 000000000510028D second address: 0000000005100293 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 0000000005100293 second address: 0000000005100322 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F41B1011B54h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b cmp dword ptr [esi+08h], DDEEDDEEh 0x00000012 jmp 00007F41B1011B50h 0x00000017 je 00007F42232BFEADh 0x0000001d pushad 0x0000001e pushfd 0x0000001f jmp 00007F41B1011B4Dh 0x00000024 sbb ecx, 3378FBF6h 0x0000002a jmp 00007F41B1011B51h 0x0000002f popfd 0x00000030 popad 0x00000031 mov edx, dword ptr [esi+44h] 0x00000034 pushad 0x00000035 mov bh, 8Ch 0x00000037 popad 0x00000038 or edx, dword ptr [ebp+0Ch] 0x0000003b jmp 00007F41B1011B52h 0x00000040 test edx, 61000000h 0x00000046 push eax 0x00000047 push edx 0x00000048 push eax 0x00000049 push edx 0x0000004a jmp 00007F41B1011B4Ah 0x0000004f rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 0000000005100322 second address: 0000000005100328 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 0000000005100328 second address: 0000000005100349 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F41B1011B4Ch 0x00000009 add ah, FFFFFFA8h 0x0000000c jmp 00007F41B1011B4Bh 0x00000011 popfd 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 0000000005100349 second address: 000000000510038A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 jne 00007F42234F257Eh 0x0000000d jmp 00007F41B1244254h 0x00000012 test byte ptr [esi+48h], 00000001h 0x00000016 jmp 00007F41B1244250h 0x0000001b jne 00007F42234F2569h 0x00000021 push eax 0x00000022 push edx 0x00000023 push eax 0x00000024 push edx 0x00000025 push eax 0x00000026 push edx 0x00000027 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 000000000510038A second address: 000000000510038E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 000000000510038E second address: 0000000005100394 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 000000000511005E second address: 00000000051100FD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F41B1011B57h 0x00000008 pushad 0x00000009 popad 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d xchg eax, ebx 0x0000000e pushad 0x0000000f mov ah, 49h 0x00000011 call 00007F41B1011B57h 0x00000016 mov eax, 71DC891Fh 0x0000001b pop ecx 0x0000001c popad 0x0000001d push eax 0x0000001e pushad 0x0000001f call 00007F41B1011B50h 0x00000024 pushfd 0x00000025 jmp 00007F41B1011B52h 0x0000002a sub ax, 05B8h 0x0000002f jmp 00007F41B1011B4Bh 0x00000034 popfd 0x00000035 pop ecx 0x00000036 mov ebx, 1D5B5CFCh 0x0000003b popad 0x0000003c xchg eax, ebx 0x0000003d jmp 00007F41B1011B4Bh 0x00000042 xchg eax, esi 0x00000043 push eax 0x00000044 push edx 0x00000045 push eax 0x00000046 push edx 0x00000047 jmp 00007F41B1011B50h 0x0000004c rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 00000000051100FD second address: 0000000005110101 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 0000000005110101 second address: 0000000005110107 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 0000000005110107 second address: 0000000005110124 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007F41B124424Ch 0x00000008 pop eax 0x00000009 mov si, dx 0x0000000c popad 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 0000000005110124 second address: 000000000511012A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 000000000511012A second address: 0000000005110130 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 0000000005110130 second address: 0000000005110134 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 0000000005110134 second address: 000000000511014B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F41B124424Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, esi 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 000000000511014B second address: 000000000511014F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 000000000511014F second address: 0000000005110155 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 0000000005110155 second address: 0000000005110189 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movzx eax, bx 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov esi, dword ptr [ebp+08h] 0x0000000c jmp 00007F41B1011B58h 0x00000011 sub ebx, ebx 0x00000013 pushad 0x00000014 mov esi, edi 0x00000016 movsx ebx, ax 0x00000019 popad 0x0000001a test esi, esi 0x0000001c pushad 0x0000001d push eax 0x0000001e push edx 0x0000001f mov al, 20h 0x00000021 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 0000000005110189 second address: 0000000005110235 instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007F41B1244253h 0x00000008 sbb ax, 1A5Eh 0x0000000d jmp 00007F41B1244259h 0x00000012 popfd 0x00000013 pop edx 0x00000014 pop eax 0x00000015 mov esi, 06176B27h 0x0000001a popad 0x0000001b je 00007F42234DA40Eh 0x00000021 pushad 0x00000022 mov dx, ax 0x00000025 call 00007F41B1244254h 0x0000002a mov cx, D321h 0x0000002e pop ecx 0x0000002f popad 0x00000030 cmp dword ptr [esi+08h], DDEEDDEEh 0x00000037 pushad 0x00000038 movsx edi, ax 0x0000003b mov esi, 40E64F1Bh 0x00000040 popad 0x00000041 mov ecx, esi 0x00000043 jmp 00007F41B124424Eh 0x00000048 je 00007F42234DA3DEh 0x0000004e pushad 0x0000004f push ecx 0x00000050 jmp 00007F41B124424Dh 0x00000055 pop eax 0x00000056 mov cx, dx 0x00000059 popad 0x0000005a test byte ptr [77436968h], 00000002h 0x00000061 push eax 0x00000062 push edx 0x00000063 pushad 0x00000064 mov ebx, eax 0x00000066 mov di, cx 0x00000069 popad 0x0000006a rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 0000000005110235 second address: 0000000005110252 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F41B1011B4Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jne 00007F42232A7CB6h 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 movzx esi, dx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 0000000005110252 second address: 000000000511025D instructions: 0x00000000 rdtsc 0x00000002 movsx ebx, si 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 mov edx, eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 000000000511025D second address: 000000000511026D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov edx, dword ptr [ebp+0Ch] 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 000000000511026D second address: 0000000005110271 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 0000000005110271 second address: 0000000005110277 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 0000000005110277 second address: 000000000511027D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 000000000511027D second address: 0000000005110281 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 0000000005110281 second address: 00000000051102C1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F41B1244254h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebx 0x0000000c jmp 00007F41B1244250h 0x00000011 push eax 0x00000012 pushad 0x00000013 call 00007F41B1244251h 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 00000000051102C1 second address: 0000000005110333 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 mov dl, 94h 0x00000007 popad 0x00000008 xchg eax, ebx 0x00000009 jmp 00007F41B1011B56h 0x0000000e xchg eax, ebx 0x0000000f pushad 0x00000010 pushad 0x00000011 pushad 0x00000012 popad 0x00000013 pushfd 0x00000014 jmp 00007F41B1011B4Ah 0x00000019 xor eax, 337EDE28h 0x0000001f jmp 00007F41B1011B4Bh 0x00000024 popfd 0x00000025 popad 0x00000026 mov bl, al 0x00000028 popad 0x00000029 push eax 0x0000002a jmp 00007F41B1011B52h 0x0000002f xchg eax, ebx 0x00000030 push eax 0x00000031 push edx 0x00000032 jmp 00007F41B1011B57h 0x00000037 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 0000000005110333 second address: 0000000005110356 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ecx, edx 0x00000005 mov edi, 645147A6h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push dword ptr [ebp+14h] 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007F41B124424Fh 0x00000019 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 0000000005110356 second address: 000000000511035A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 000000000511035A second address: 0000000005110360 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 0000000005110360 second address: 0000000005110369 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov cx, 5FE1h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 0000000005110395 second address: 00000000051103E8 instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007F41B1244256h 0x00000008 and cx, 3A08h 0x0000000d jmp 00007F41B124424Bh 0x00000012 popfd 0x00000013 pop edx 0x00000014 pop eax 0x00000015 mov ebx, ecx 0x00000017 popad 0x00000018 pop ebx 0x00000019 pushad 0x0000001a mov esi, 2902E877h 0x0000001f jmp 00007F41B124424Ch 0x00000024 popad 0x00000025 mov esp, ebp 0x00000027 push eax 0x00000028 push edx 0x00000029 push eax 0x0000002a push edx 0x0000002b jmp 00007F41B124424Ah 0x00000030 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 00000000051103E8 second address: 00000000051103F7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F41B1011B4Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 00000000051103F7 second address: 00000000051103FD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	RDTSC instruction interceptor: First address: 00000000051103FD second address: 0000000005110401 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc

Tries to evade debugger and weak emulator (self modifying code)

Source: C:\Users\user\Desktop\jk98mGM6JH.exe	Special instruction interceptor: First address: 000000000075DA9C instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	Special instruction interceptor: First address: 000000000075DA08 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	Special instruction interceptor: First address: 0000000000988590 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	Special instruction interceptor: First address: 0000000000900368 instructions caused by: Self-modifying code
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Special instruction interceptor: First address: 00000000004DDA9C instructions caused by: Self-modifying code
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Special instruction interceptor: First address: 00000000004DDA08 instructions caused by: Self-modifying code
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Special instruction interceptor: First address: 0000000000708590 instructions caused by: Self-modifying code
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Special instruction interceptor: First address: 0000000000680368 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Special instruction interceptor: First address: 000000000114DA9C instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Special instruction interceptor: First address: 000000000114DA08 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Special instruction interceptor: First address: 0000000001378590 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Special instruction interceptor: First address: 00000000012F0368 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\heidiVWl4S6kyYSYh\zqdrYwv5fC6zkQ9Tresm.exe	Special instruction interceptor: First address: 000000000018DA87 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\heidiVWl4S6kyYSYh\zqdrYwv5fC6zkQ9Tresm.exe	Special instruction interceptor: First address: 000000000018DBA8 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\heidiVWl4S6kyYSYh\zqdrYwv5fC6zkQ9Tresm.exe	Special instruction interceptor: First address: 000000000018DAA9 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\heidiVWl4S6kyYSYh\zqdrYwv5fC6zkQ9Tresm.exe	Special instruction interceptor: First address: 000000000035EE7A instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\heidiVWl4S6kyYSYh\zqdrYwv5fC6zkQ9Tresm.exe	Special instruction interceptor: First address: 00000000003C9A5E instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\heidiVWl4S6kyYSYh\zqdrYwv5fC6zkQ9Tresm.exe	Special instruction interceptor: First address: 0000000000194E5E instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\heidiVWl4S6kyYSYh\zqdrYwv5fC6zkQ9Tresm.exe	Special instruction interceptor: First address: 0000000000194BB5 instructions caused by: Self-modifying code

Source: C:\Users\user\AppData\Local\Temp\heidiVWl4S6kyYSYh\zqdrYwv5fC6zkQ9Tresm.exe	Memory allocated: 5170000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\heidiVWl4S6kyYSYh\zqdrYwv5fC6zkQ9Tresm.exe	Memory allocated: 54E0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\heidiVWl4S6kyYSYh\zqdrYwv5fC6zkQ9Tresm.exe	Memory allocated: 74E0000 memory reserve \| memory write watch

Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion

Source: C:\Users\user\Desktop\jk98mGM6JH.exe

Code function: 0_2_050A0BD4 rdtsc

0_2_050A0BD4

Source: C:\Users\user\AppData\Local\Temp\heidiVWl4S6kyYSYh\zqdrYwv5fC6zkQ9Tresm.exe

Thread delayed: delay time: 922337203685477

Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window / User API: threadDelayed 1294	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window / User API: threadDelayed 1539	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window / User API: threadDelayed 1684	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window / User API: threadDelayed 1648	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\heidiVWl4S6kyYSYh\PLO4plFr34jobsiEh08j.exe	Window / User API: threadDelayed 4552

Source: C:\Users\user\Desktop\jk98mGM6JH.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\heidiVWl4S6kyYSYh\b2H5rX9tWHjbJEBjMEvH.exe	Jump to dropped file
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\heidiVWl4S6kyYSYh\61EWU8OcULp0D6CDdq0e.exe	Jump to dropped file
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\well[1].exe	Jump to dropped file
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\ladas[1].exe	Jump to dropped file

Source: C:\Users\user\Desktop\jk98mGM6JH.exe

Evasive API call chain: RegOpenKey,DecisionNodes,ExitProcess

graph_0-74838

Source: C:\Users\user\Desktop\jk98mGM6JH.exe TID: 6636	Thread sleep time: -34017s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\jk98mGM6JH.exe TID: 5236	Thread sleep count: 111 > 30	Jump to behavior
Source: C:\Users\user\Desktop\jk98mGM6JH.exe TID: 5836	Thread sleep time: -36018s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\jk98mGM6JH.exe TID: 6672	Thread sleep time: -30015s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\jk98mGM6JH.exe TID: 5236	Thread sleep count: 74 > 30	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 3184	Thread sleep count: 100 > 30	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 3184	Thread sleep time: -200100s >= -30000s	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 6960	Thread sleep time: -44000s >= -30000s	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 5280	Thread sleep count: 73 > 30	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 3080	Thread sleep count: 1294 > 30	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 3080	Thread sleep time: -2589294s >= -30000s	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 2444	Thread sleep count: 1539 > 30	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 2444	Thread sleep time: -3079539s >= -30000s	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 3816	Thread sleep count: 1684 > 30	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 3816	Thread sleep time: -3369684s >= -30000s	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 5920	Thread sleep count: 1648 > 30	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 5920	Thread sleep time: -3297648s >= -30000s	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 2268	Thread sleep time: -38019s >= -30000s	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 3472	Thread sleep time: -46023s >= -30000s	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 1432	Thread sleep time: -48000s >= -30000s	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 5160	Thread sleep count: 71 > 30	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 3224	Thread sleep time: -50025s >= -30000s	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 6368	Thread sleep time: -48024s >= -30000s	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 1804	Thread sleep time: -50025s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 1464	Thread sleep count: 103 > 30
Source: C:\Users\user\AppData\Local\Temp\heidiVWl4S6kyYSYh\PLO4plFr34jobsiEh08j.exe TID: 5092	Thread sleep time: -45520s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\heidiVWl4S6kyYSYh\zqdrYwv5fC6zkQ9Tresm.exe TID: 8380	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\heidiVWl4S6kyYSYh\PLO4plFr34jobsiEh08j.exe	Last function: Thread delayed

Source: C:\Users\user\AppData\Local\Temp\heidiVWl4S6kyYSYh\PLO4plFr34jobsiEh08j.exe

Thread sleep count: Count: 4552 delay: -10

Source: C:\Users\user\Desktop\jk98mGM6JH.exe	Code function: 0_2_0061C000 FindFirstFileA,FindNextFileA,SetFileAttributesA,RemoveDirectoryA,__Mtx_unlock,	0_2_0061C000
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	Code function: 0_2_006EB3B5 recv,FindFirstFileExW,	0_2_006EB3B5
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 10_2_0039C000 FindFirstFileA,FindNextFileA,SetFileAttributesA,RemoveDirectoryA,__Mtx_unlock,	10_2_0039C000
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 10_2_0046B3B5 recv,FindFirstFileExW,	10_2_0046B3B5

Source: C:\Users\user\AppData\Local\Temp\heidiVWl4S6kyYSYh\zqdrYwv5fC6zkQ9Tresm.exe

Thread delayed: delay time: 922337203685477

Source: Cr6QVRpzwqhYjtnCxFSW.exe, 00000028.00000002.2668233517.0000000000FB2000.00000040.00000001.01000000.0000000D.sdmp	Binary or memory string: 3Windows 2012 Server Standard without Hyper-V (core)
Source: jk98mGM6JH.exe, 00000000.00000003.2199073228.000000000604D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: nickname.utiitsl.comVMware20,1169648755
Source: Cr6QVRpzwqhYjtnCxFSW.exe, 00000028.00000002.2668233517.0000000000FB2000.00000040.00000001.01000000.0000000D.sdmp	Binary or memory string: #Windows 10 Microsoft Hyper-V Server
Source: jk98mGM6JH.exe, 00000000.00000003.2202873339.0000000006058000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ra Change Transaction PasswordVMware20,11696487552
Source: Cr6QVRpzwqhYjtnCxFSW.exe, 00000028.00000002.2668233517.0000000000FB2000.00000040.00000001.01000000.0000000D.sdmp	Binary or memory string: Windows 8.1 Server Standard without Hyper-V (core)
Source: jk98mGM6JH.exe, 00000000.00000003.2199073228.000000000604D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696
Source: jk98mGM6JH.exe, 00000000.00000003.2208291188.0000000006040000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMCitrio
Source: Cr6QVRpzwqhYjtnCxFSW.exe, 00000028.00000002.2668233517.0000000000FB2000.00000040.00000001.01000000.0000000D.sdmp	Binary or memory string: 3Windows 11 Server Enterprise without Hyper-V (core)
Source: Cr6QVRpzwqhYjtnCxFSW.exe, 00000028.00000002.2668233517.0000000000FB2000.00000040.00000001.01000000.0000000D.sdmp	Binary or memory string: 6Windows 2012 R2 Server Standard without Hyper-V (core)
Source: Cr6QVRpzwqhYjtnCxFSW.exe, 00000028.00000002.2668233517.0000000000FB2000.00000040.00000001.01000000.0000000D.sdmp	Binary or memory string: Windows 2012 R2 Server Standard without Hyper-V
Source: Cr6QVRpzwqhYjtnCxFSW.exe, 00000028.00000002.2668233517.0000000000FB2000.00000040.00000001.01000000.0000000D.sdmp	Binary or memory string: Windows 10 Server Datacenter without Hyper-V (core)
Source: jk98mGM6JH.exe, 00000000.00000003.2195881504.0000000006057000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696487552
Source: Cr6QVRpzwqhYjtnCxFSW.exe, 00000028.00000002.2668233517.0000000000FB2000.00000040.00000001.01000000.0000000D.sdmp	Binary or memory string: vmware
Source: Cr6QVRpzwqhYjtnCxFSW.exe, 00000028.00000002.2650610233.000000000071E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000EM
Source: RageMP131.exe, 00000022.00000002.2657858021.0000000000660000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: lhzl\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000&
Source: Cr6QVRpzwqhYjtnCxFSW.exe, 00000028.00000002.2668233517.0000000000FB2000.00000040.00000001.01000000.0000000D.sdmp	Binary or memory string: 5Windows 2012 Server Datacenter without Hyper-V (full)
Source: Cr6QVRpzwqhYjtnCxFSW.exe, 00000028.00000002.2668233517.0000000000FB2000.00000040.00000001.01000000.0000000D.sdmp	Binary or memory string: Windows 2016 Essential Server Solutions without Hyper-V
Source: jk98mGM6JH.exe, 00000000.00000003.2199073228.000000000604D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: .utiitsl.comVMware20,1169648755
Source: jk98mGM6JH.exe, 00000000.00000003.2202873339.0000000006058000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,1169648755
Source: Cr6QVRpzwqhYjtnCxFSW.exe, 00000028.00000002.2668233517.0000000000FB2000.00000040.00000001.01000000.0000000D.sdmp	Binary or memory string: "Windows 8 Microsoft Hyper-V Server
Source: jk98mGM6JH.exe, 00000000.00000003.2203839905.0000000006030000.00000004.00000020.00020000.00000000.sdmp, jk98mGM6JH.exe, 00000000.00000003.2206621281.0000000006038000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: PREFER~2KPreferencesLGFaviconsgkGAyEwjLgMyw6tzUlM8BEgYIABABIBAyEwjgueKkncrr444BEgYIABABIBAyFAinx8vZpLm+gcMBEgcIARABIJBgMhII5s79rcCI/IJ+EgYIABABIBAyEgjozNnlpJyeyzkSBggAEAEgEDIWCJiYntn49dXkggESCQgAEAEggICACHoCCACCAQIYAA==","saved_system_profile_hash":"1C7CAA303FB4F30A304BA4E68CF94DA878BD3A61","stats_buildtime":"1696412494","stats_version":"117.0.2045.55-64","system_crash_count":0},"unsent_log_metadata":{"initial_logs":{"sent_samples_count":0,"unsent_persisted_size_in_kb":0,"unsent_samples_count":0},"ongoing_logs":{"sent_samples_count":0,"unsent_persisted_size_in_kb":0,"unsent_samples_count":0}}},"variations_compressed_seed":"H4sIAAAAAAAAAN1ca2/juJL9K4t8HTmj9yMX+8Fxko5n8vDETvruvX0RyBJtK5EljSQn7R3Mf99TpJ62JbtngcXFAoOeSKwqFovFqlMk5T/ORnG0CJbjq+zs4uyPb2fXo+m3s4tvZ5PB00CRbdWw5IEyUBRpMrga6Kpm2wN1YH47k0DqL1lB+3dQqLKsaGhUZKl4YRi2BmateFY02zHxbIhn2dY1E60Ds3h2FFs3IcAoGGTLcNAdRBQUIJEVg/ovCXRTUepndOmYat2jrNqqBuWNgaGWfVqqYuH/A7XSSjYMFTLKZ4wZnSoDq3yWLctBu1VqqSoq0Tvls2kackMH2VC0hk6yY6kauAdK1YEOJdCBUz5rjqnXCsiOI9ty3S7bjmWQ0fkccAYVJE2NYXm7oaGpGZZBZqsZFINmRi/NhkE1JoKGaDoNszmOabSeDdNsdoAhqa2JxMTaA32gVAQwqd4QAI0UvWkTXdZhkfoZE6U0TaBamt16Vgy7Kc+2bWdgVDaVbdMg11EGdjlGh/5rjBlWtPTGGGxHNbizVc+K4jRUVDSTT3vVbplmc1ptQzHMhkq26tgGqaRUL+CemIWyQ90yoB9UqAgwD2rDipajW1qjB902uTNXg7QsQ2sxWAq3YukomCXHGWjQSrFLQ1myYjesoGsa962KwFIMp+UakCJDy6odhtAaM2XJMqa+HpVhGlpTBxNKtWbKVFWnXk2yIcO0TXrFkVXy1YpAk83mIA1b0dWmADin2Ry0amE1qdpAr8eo0kxiMuSSRsf0NpQyVNXQyV9LAsQESKgDDWxvI+5plRl0mqyGVphMRWs8q6am0mSrpUR0YjkNNeEv5G7awCnfaJaJwFQPjJtiAJ5SpmbKttIMZpYu80BSdSqT7Rsuq+o8GtZ9WpgqUKjFMBRL1uXGutdkzajoHcuBUZyBXTwqKixgDQxyV54KHBvuiWWsly+og4Ep/POJh2vbgHq2cPEnsU5NpTT0E7eb7hgDW4yBv9DhxgOKJnbxBmnBgRS1lGtbWAgU/kzxaGoyOahRPGoy5RS4kFALDm+SUrolLecKY4quXOi6Zcu6pL3Jy6Vumhe6ptiWJaUsY/k8iJZEIJuy5CmBjUiiXuiqqUPlzySOMjdXXw0ZJOQE0tubykzHhgxVtWxFchxjpSH0oB0Ly5Qc/22OWXDQhwVrS/OFt7Rs1cIzQpwp5c7vqRsFazcP4oit3SB0N3m8CMIQFI7hKBIWmEYBmHo0TEVic19bKhaNwjAR3fJkEMaks+aAVJrLylug2cYF9Y8OAmWpLk1ZJwU0w5GcxYItHRoTsgYWBNMsF2tKJXrbBj/G763c/PcNSwOWvRqvwTqBZTLo9/oZ5KvXlPlByrz8dZOGGcQgucCWvqvNNT5O3VEcyTdt31cd6tZQHZiOzQcZC8E22ETZKkgudAP+oUn2G+KcQQbBErMtKVCZBX1tsjmSu2SuFLZCAqXhI9FKzFE906Z2Be2GpMiub+uyTB2beHZ83XMdHeNHIAN/4LMoDxZbf05vsAqlTzcMWZ5kn2EQvW8S382ZMJYjBW++Y1oatCZgYUqKp9u6TaNSIF2TEDvtQNfQGaUsS7L0JVKfbZGyWA+S5rE3OIx9oWGlORaMqS90h6xgIArp0pvuywtTd7hyCA1zsj5AzYXmAOlYkuN5JpKphnYFwV7y48/ITdP4M/PSOAzJ/HkaLJcsjdjnhQbDyaoUAa+FMRwoWhJBvMnzeLkMaVCYG1NaWHN/aSrkxVjgiuRb9tsS8Q4WhQcbkim7iMoyOZgJl5OYrQOnOTSVgGNwOB/E3uIC6RH4THKNpfamWGBHPLBt6Lhm3xM34g7ygXlCorNUKYPh8ZZ5braau967FwbeO5o1pHIsdubrKoaNNYEeMvcDymdblm2CC0Q5VXMkOQgYohlMadka/PhNe/MD3YKpEXhNQ4LhdYiADEA6OJjsMUXFJKIDUh4dyJpiEbehY8xIhAvThNKKRcv0Q3mFBaMYnhF4fO1h6ZMFsw1XStckRVu+LYDkoBAWriOp3mrhmjo9a+gZHWRMVWxqhmGkwPDYyjKMCw0Og3WVeEka+xsvn29TtmTfWbTJ0IYJkyXVZTogEvk0Ug/cTvdVBjxCPm0bNBY/sA3VxFhkhdzQsFcLBz6uGXB1DV0nbobJw9jhNYa0gG/En+48ZFhmCFIXmuZoqiopbM5c3YRODtzXlizVX/mAitADqNeW5oaJtWpjpinGWLCK8urG3jKNN0mmupGvcU5HlXybvdFUXWgqEhdpkMfvjkkaEbCSfMYSxkL4HWyoXAB1G5hDlqeMuUnwoUAFmVChtHrzZUujZ1qMtmQuVsgyJgRjoLosLTOWYnCQQNUD+
Source: MPGPH131.exe, 0000000A.00000002.3078808474.0000000000D10000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
Source: jk98mGM6JH.exe, 00000000.00000003.2196455155.0000000006039000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: inGWLCK8urG3jKNN0mmupGvcU5HlXybvdFUXWgqEhdpkMfvjkkaEbCSfMYSxkL4HWyoXAB1G5hDlqeMuUnwoUAFmVChtHrzZUujZx
Source: jk98mGM6JH.exe, 00000000.00000003.2202873339.0000000006058000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696487552x
Source: Cr6QVRpzwqhYjtnCxFSW.exe, 00000028.00000002.2668233517.0000000000FB2000.00000040.00000001.01000000.0000000D.sdmp	Binary or memory string: Windows 2012 R2 Microsoft Hyper-V Server
Source: MPGPH131.exe, 0000000A.00000002.3078808474.0000000000D10000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000s\user\AppData\Local\Temp
Source: jk98mGM6JH.exe, 00000000.00000003.2199073228.000000000604D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - GDCDYNVMware20,116
Source: Cr6QVRpzwqhYjtnCxFSW.exe, 00000028.00000003.2509698184.000000000075F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}N
Source: Cr6QVRpzwqhYjtnCxFSW.exe, 00000028.00000002.2668233517.0000000000FB2000.00000040.00000001.01000000.0000000D.sdmp	Binary or memory string: Windows 11 Server Standard without Hyper-V (core)
Source: Cr6QVRpzwqhYjtnCxFSW.exe, 00000028.00000002.2668233517.0000000000FB2000.00000040.00000001.01000000.0000000D.sdmp	Binary or memory string: Windows 2012 R2 Server Standard without Hyper-V (core)
Source: Cr6QVRpzwqhYjtnCxFSW.exe, 00000028.00000002.2668233517.0000000000FB2000.00000040.00000001.01000000.0000000D.sdmp	Binary or memory string: Windows 2012 Essential Server Solutions without Hyper-V
Source: Cr6QVRpzwqhYjtnCxFSW.exe, 00000028.00000002.2668233517.0000000000FB2000.00000040.00000001.01000000.0000000D.sdmp	Binary or memory string: Windows 10 Microsoft Hyper-V Server
Source: Cr6QVRpzwqhYjtnCxFSW.exe, 00000028.00000002.2668233517.0000000000FB2000.00000040.00000001.01000000.0000000D.sdmp	Binary or memory string: Windows 2012 R2 Server Datacenter without Hyper-V (full)
Source: jk98mGM6JH.exe, 00000000.00000003.2201571662.000000000602C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: gkGAyEwjLgMyw6tzUlM8BEgYIABABIBAyEwjgueKkncrr444BEgYIABABIBAyFAinx8vZpLm+gcMBEgcIARABIJBgMhII5s79rcCI/IJ+EgYIABABIBAyEgjozNnlpJyeyzkSBggAEAEgEDIWCJiYntn49dXkggESCQgAEAEggICACHoCCACCAQIYAA==","saved_system_profile_hash":"1C7CAA303FB4F30A304BA4E68CF94DA878BD3A61","stats_buildtime":"1696412494","stats_version":"117.0.2045.55-64","system_crash_count":0},"unsent_log_metadata":{"initial_logs":{"sent_samples_count":0,"unsent_persisted_size_in_kb":0,"unsent_samples_count":0},"ongoing_logs":{"sent_samples_count":0,"unsent_persisted_size_in_kb":0,"unsent_samples_count":0}}},"variations_compressed_seed":"H4sIAAAAAAAAAN1ca2/juJL9K4t8HTmj9yMX+8Fxko5n8vDETvruvX0RyBJtK5EljSQn7R3Mf99TpJ62JbtngcXFAoOeSKwqFovFqlMk5T/ORnG0CJbjq+zs4uyPb2fXo+m3s4tvZ5PB00CRbdWw5IEyUBRpMrga6Kpm2wN1YH47k0DqL1lB+3dQqLKsaGhUZKl4YRi2BmateFY02zHxbIhn2dY1E60Ds3h2FFs3IcAoGGTLcNAdRBQUIJEVg/ovCXRTUepndOmYat2jrNqqBuWNgaGWfVqqYuH/A7XSSjYMFTLKZ4wZnSoDq3yWLctBu1VqqSoq0Tvls2kackMH2VC0hk6yY6kauAdK1YEOJdCBUz5rjqnXCsiOI9ty3S7bjmWQ0fkccAYVJE2NYXm7oaGpGZZBZqsZFINmRi/NhkE1JoKGaDoNszmOabSeDdNsdoAhqa2JxMTaA32gVAQwqd4QAI0UvWkTXdZhkfoZE6U0TaBamt16Vgy7Kc+2bWdgVDaVbdMg11EGdjlGh/5rjBlWtPTGGGxHNbizVc+K4jRUVDSTT3vVbplmc1ptQzHMhkq26tgGqaRUL+CemIWyQ90yoB9UqAgwD2rDipajW1qjB902uTNXg7QsQ2sxWAq3YukomCXHGWjQSrFLQ1myYjesoGsa962KwFIMp+UakCJDy6odhtAaM2XJMqa+HpVhGlpTBxNKtWbKVFWnXk2yIcO0TXrFkVXy1YpAk83mIA1b0dWmADin2Ry0amE1qdpAr8eo0kxiMuSSRsf0NpQyVNXQyV9LAsQESKgDDWxvI+5plRl0mqyGVphMRWs8q6am0mSrpUR0YjkNNeEv5G7awCnfaJaJwFQPjJtiAJ5SpmbKttIMZpYu80BSdSqT7Rsuq+o8GtZ9WpgqUKjFMBRL1uXGutdkzajoHcuBUZyBXTwqKixgDQxyV54KHBvuiWWsly+og4Ep/POJh2vbgHq2cPEnsU5NpTT0E7eb7hgDW4yBv9DhxgOKJnbxBmnBgRS1lGtbWAgU/kzxaGoyOahRPGoy5RS4kFALDm+SUrolLecKY4quXOi6Zcu6pL3Jy6Vumhe6ptiWJaUsY/k8iJZEIJuy5CmBjUiiXuiqqUPlzySOMjdXXw0ZJOQE0tubykzHhgxVtWxFchxjpSH0oB0Ly5Qc/22OWXDQhwVrS/OFt7Rs1cIzQpwp5c7vqRsFazcP4oit3SB0N3m8CMIQFI7hKBIWmEYBmHo0TEVic19bKhaNwjAR3fJkEMaks+aAVJrLylug2cYF9Y8OAmWpLk1ZJwU0w5GcxYItHRoTsgYWBNMsF2tKJXrbBj/G763c/PcNSwOWvRqvwTqBZTLo9/oZ5KvXlPlByrz8dZOGGcQgucCWvqvNNT5O3VEcyTdt31cd6tZQHZiOzQcZC8E22ETZKkgudAP+oUn2G+KcQQbBErMtKVCZBX1tsjmSu2SuFLZCAqXhI9FKzFE906Z2Be2GpMiub+uyTB2beHZ83XMdHeNHIAN/4LMoDxZbf05vsAqlTzcMWZ5kn2EQvW8S382ZMJYjBW++Y1oatCZgYUqKp9u6TaNSIF2TEDvtQNfQGaUsS7L0JVKfbZGyWA+S5rE3OIx9oWGlORaMqS90h6xgIArp0pvuywtTd7hyCA1zsj5AzYXmAOlYkuN5JpKphnYFwV7y48/ITdP4M/PSOAzJ/HkaLJcsjdjnhQbDyaoUAa+FMRwoWhJBvMnzeLkMaVCYG1NaWHN/aSrkxVjgiuRb9tsS8Q4WhQcbkim7iMoyOZgJl5OYrQOnOTSVgGNwOB/E3uIC6RH4THKNpfamWGBHPLBt6Lhm3xM34g7ygXlCorNUKYPh8ZZ5braau967FwbeO5o1pHIsdubrKoaNNYEeMvcDymdblm2CC0Q5VXMkOQgYohlMadka/PhNe/MD3YKpEXhNQ4LhdYiADEA6OJjsMUXFJKIDUh4dyJpiEbehY8xIhAvThNKKRcv0Q3mFBaMYnhF4fO1h6ZMFsw1XStckRVu+LYDkoBAWriOp3mrhmjo9a+gZHWRMVWxqhmGkwPDYyjKMCw0Og3WVeEka+xsvn29TtmTfWbTJ0IYJkyXVZTogEvk0Ug/cTvdVBjxCPm0bNBY/sA3VxFhkhdzQsFcLBz6uGXB1DV0nbobJw9jhNYa0gG/En+48ZFhmCFIXmuZoqiopbM5c3YRODtzXlizVX/mAitADqNeW5oaJtWpjpinGWLCK8urG3jKNN0mmupGvcU5HlXybvdFUXWgqEhdpkMfvjkkaEbCSfMYSxkL4HWyoXAB1G5hDlqeMuUnwoUAFmVChtHrzZUujZ1qMtmQuVsgyJgRjoLosLTOWYnCQQNUD+mHRChOMZhQemhTYAQZgYPXrgAlY7ar
Source: jk98mGM6JH.exe, 00000000.00000003.2202873339.0000000006058000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552^
Source: Cr6QVRpzwqhYjtnCxFSW.exe, 00000028.00000002.2668233517.00000000010E2000.00000040.00000001.01000000.0000000D.sdmp	Binary or memory string: ]DLL_Loader_VirtualMachine
Source: Cr6QVRpzwqhYjtnCxFSW.exe, 00000028.00000002.2668233517.0000000000FB2000.00000040.00000001.01000000.0000000D.sdmp	Binary or memory string: Windows 2016 Microsoft Hyper-V Server
Source: jk98mGM6JH.exe, 00000000.00000003.2195881504.0000000006057000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696487552
Source: jk98mGM6JH.exe, 00000000.00000003.2202873339.0000000006058000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696487552x
Source: Cr6QVRpzwqhYjtnCxFSW.exe, 00000028.00000002.2668233517.0000000000FB2000.00000040.00000001.01000000.0000000D.sdmp	Binary or memory string: /Windows 2012 R2 Server Standard without Hyper-V
Source: Cr6QVRpzwqhYjtnCxFSW.exe, 00000028.00000002.2668233517.0000000000FB2000.00000040.00000001.01000000.0000000D.sdmp	Binary or memory string: )Windows 8 Server Standard without Hyper-V
Source: jk98mGM6JH.exe, 00000000.00000002.2656900421.00000000008DE000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 0000000A.00000002.3051572033.000000000065E000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000D.00000002.2541378300.00000000012CE000.00000040.00000001.01000000.00000007.sdmp, zqdrYwv5fC6zkQ9Tresm.exe, 00000019.00000002.2646185724.0000000000316000.00000040.00000001.01000000.0000000B.sdmp, RageMP131.exe, 00000022.00000002.2671590915.00000000012CE000.00000040.00000001.01000000.00000007.sdmp	Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: jk98mGM6JH.exe, 00000000.00000003.2195881504.0000000006057000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696487552}
Source: Cr6QVRpzwqhYjtnCxFSW.exe, 00000028.00000002.2668233517.0000000000FB2000.00000040.00000001.01000000.0000000D.sdmp	Binary or memory string: 5Windows 2016 Server Datacenter without Hyper-V (core)
Source: Cr6QVRpzwqhYjtnCxFSW.exe, 00000028.00000002.2668233517.0000000000FB2000.00000040.00000001.01000000.0000000D.sdmp	Binary or memory string: Windows 11 Server Enterprise without Hyper-V (full)
Source: jk98mGM6JH.exe, 00000000.00000003.2195881504.0000000006057000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696487552
Source: Cr6QVRpzwqhYjtnCxFSW.exe, 00000028.00000002.2668233517.0000000000FB2000.00000040.00000001.01000000.0000000D.sdmp	Binary or memory string: Windows 11 Server Datacenter without Hyper-V (full)
Source: Cr6QVRpzwqhYjtnCxFSW.exe, 00000028.00000002.2668233517.0000000000FB2000.00000040.00000001.01000000.0000000D.sdmp	Binary or memory string: 5Windows 2016 Server Enterprise without Hyper-V (core)
Source: Cr6QVRpzwqhYjtnCxFSW.exe, 00000028.00000002.2668233517.0000000000FB2000.00000040.00000001.01000000.0000000D.sdmp	Binary or memory string: Hyper-V
Source: Cr6QVRpzwqhYjtnCxFSW.exe, 00000028.00000002.2668233517.0000000000FB2000.00000040.00000001.01000000.0000000D.sdmp	Binary or memory string: ,Windows 2012 Server Standard without Hyper-V
Source: Cr6QVRpzwqhYjtnCxFSW.exe, 00000028.00000002.2668233517.0000000000FB2000.00000040.00000001.01000000.0000000D.sdmp	Binary or memory string: Windows 2012 Microsoft Hyper-V Server
Source: jk98mGM6JH.exe, 00000000.00000003.2202873339.0000000006058000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: r global passwords blocklistVMware20,11696487552
Source: Cr6QVRpzwqhYjtnCxFSW.exe, 00000028.00000002.2668233517.0000000000FB2000.00000040.00000001.01000000.0000000D.sdmp	Binary or memory string: Windows 2012 Server Enterprise without Hyper-V (core)
Source: jk98mGM6JH.exe, 00000000.00000003.2202873339.0000000006058000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20,11696487552}
Source: Cr6QVRpzwqhYjtnCxFSW.exe, 00000028.00000002.2668233517.0000000000FB2000.00000040.00000001.01000000.0000000D.sdmp	Binary or memory string: 8Windows 2012 R2 Server Datacenter without Hyper-V (core)
Source: jk98mGM6JH.exe, 00000000.00000003.2202873339.0000000006058000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: formVMware20,11696487552
Source: jk98mGM6JH.exe, 00000000.00000002.2670860055.00000000010DD000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2588693585.0000000000E76000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2586382834.0000000000E76000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2514029667.0000000000E76000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2582587481.0000000000E76000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2591400353.0000000000E76000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2603704872.0000000000E76000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2571175674.0000000000E76000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2605609465.0000000000E76000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2551332362.0000000000D8A000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000002.3078808474.0000000000D10000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: jk98mGM6JH.exe, 00000000.00000003.2195881504.0000000006057000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696487552o
Source: Cr6QVRpzwqhYjtnCxFSW.exe, 00000028.00000002.2668233517.0000000000FB2000.00000040.00000001.01000000.0000000D.sdmp	Binary or memory string: Windows 8.1 Server Enterprise without Hyper-V (core)
Source: Cr6QVRpzwqhYjtnCxFSW.exe, 00000028.00000002.2668233517.0000000000FB2000.00000040.00000001.01000000.0000000D.sdmp	Binary or memory string: Windows 10 Server Standard without Hyper-V (core)
Source: RageMP131.exe, 00000022.00000003.2549203345.00000000006A8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: Cr6QVRpzwqhYjtnCxFSW.exe, 00000028.00000002.2668233517.0000000000FB2000.00000040.00000001.01000000.0000000D.sdmp	Binary or memory string: Windows 2016 Server Enterprise without Hyper-V (core)
Source: jk98mGM6JH.exe, 00000000.00000003.2202873339.0000000006058000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: rootpagecomVMware20,11696487552o
Source: jk98mGM6JH.exe, 00000000.00000003.2195881504.0000000006057000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.comVMware20,11696487552
Source: Cr6QVRpzwqhYjtnCxFSW.exe, 00000028.00000002.2668233517.0000000000FB2000.00000040.00000001.01000000.0000000D.sdmp	Binary or memory string: 5Windows 2012 Server Enterprise without Hyper-V (full)
Source: jk98mGM6JH.exe, 00000000.00000003.2195881504.0000000006057000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696487552x
Source: Cr6QVRpzwqhYjtnCxFSW.exe, 00000028.00000002.2668233517.0000000000FB2000.00000040.00000001.01000000.0000000D.sdmp	Binary or memory string: 3Windows 10 Server Enterprise without Hyper-V (core)
Source: Cr6QVRpzwqhYjtnCxFSW.exe, 00000028.00000002.2668233517.0000000000FB2000.00000040.00000001.01000000.0000000D.sdmp	Binary or memory string: 3Windows 11 Server Datacenter without Hyper-V (core)
Source: Cr6QVRpzwqhYjtnCxFSW.exe, 00000028.00000002.2668233517.0000000000FB2000.00000040.00000001.01000000.0000000D.sdmp	Binary or memory string: 7Windows 2016 Essential Server Solutions without Hyper-V
Source: jk98mGM6JH.exe, 00000000.00000003.2202873339.0000000006058000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: tive Brokers - non-EU EuropeVMware20,11696487552
Source: jk98mGM6JH.exe, 00000000.00000003.2195881504.0000000006057000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696487552h
Source: RageMP131.exe, 0000000D.00000002.2536747684.0000000000BEE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 9e146be9-c76a-4720-bcdb-53011b87bd06_{a33c7340-61ca-11ee-8c18-806e6f6e6963}_\\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}_E8D9B274
Source: jk98mGM6JH.exe, 00000000.00000003.2195881504.0000000006057000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696487552t
Source: Cr6QVRpzwqhYjtnCxFSW.exe, 00000028.00000002.2668233517.0000000000FB2000.00000040.00000001.01000000.0000000D.sdmp	Binary or memory string: 3Windows 10 Server Datacenter without Hyper-V (core)
Source: Cr6QVRpzwqhYjtnCxFSW.exe, 00000028.00000002.2668233517.0000000000FB2000.00000040.00000001.01000000.0000000D.sdmp	Binary or memory string: 5Windows 2016 Server Enterprise without Hyper-V (full)
Source: Cr6QVRpzwqhYjtnCxFSW.exe, 00000028.00000002.2668233517.0000000000FB2000.00000040.00000001.01000000.0000000D.sdmp	Binary or memory string: Windows 10 Server Datacenter without Hyper-V (full)
Source: jk98mGM6JH.exe, 00000000.00000003.2195881504.0000000006057000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696487552u
Source: jk98mGM6JH.exe, 00000000.00000002.2670860055.000000000109B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000&
Source: Cr6QVRpzwqhYjtnCxFSW.exe, 00000028.00000002.2668233517.0000000000FB2000.00000040.00000001.01000000.0000000D.sdmp	Binary or memory string: 5Windows 11 Essential Server Solutions without Hyper-V
Source: Cr6QVRpzwqhYjtnCxFSW.exe, 00000028.00000002.2668233517.0000000000FB2000.00000040.00000001.01000000.0000000D.sdmp	Binary or memory string: Windows 2016 Server Standard without Hyper-V (core)
Source: Cr6QVRpzwqhYjtnCxFSW.exe, 00000028.00000002.2668233517.0000000000FB2000.00000040.00000001.01000000.0000000D.sdmp	Binary or memory string: Windows 8 Server Standard without Hyper-V (core)
Source: Cr6QVRpzwqhYjtnCxFSW.exe, 00000028.00000002.2668233517.0000000000FB2000.00000040.00000001.01000000.0000000D.sdmp	Binary or memory string: 5Windows 10 Essential Server Solutions without Hyper-V
Source: Cr6QVRpzwqhYjtnCxFSW.exe, 00000028.00000002.2668233517.0000000000FB2000.00000040.00000001.01000000.0000000D.sdmp	Binary or memory string: 8Windows 2012 R2 Server Enterprise without Hyper-V (core)
Source: Cr6QVRpzwqhYjtnCxFSW.exe, 00000028.00000002.2668233517.0000000000FB2000.00000040.00000001.01000000.0000000D.sdmp	Binary or memory string: xVBoxService.exe
Source: Cr6QVRpzwqhYjtnCxFSW.exe, 00000028.00000002.2668233517.0000000000FB2000.00000040.00000001.01000000.0000000D.sdmp	Binary or memory string: Windows 2012 Server Datacenter without Hyper-V (core)
Source: Cr6QVRpzwqhYjtnCxFSW.exe, 00000028.00000002.2668233517.0000000000FB2000.00000040.00000001.01000000.0000000D.sdmp	Binary or memory string: Windows 8 Server Enterprise without Hyper-V (core)
Source: Cr6QVRpzwqhYjtnCxFSW.exe, 00000028.00000002.2668233517.0000000000FB2000.00000040.00000001.01000000.0000000D.sdmp	Binary or memory string: Windows 2012 R2 Essential Server Solutions without Hyper-V
Source: Cr6QVRpzwqhYjtnCxFSW.exe, 00000028.00000002.2668233517.0000000000FB2000.00000040.00000001.01000000.0000000D.sdmp	Binary or memory string: Windows 2012 Server Standard without Hyper-V (core)
Source: Cr6QVRpzwqhYjtnCxFSW.exe, 00000028.00000002.2668233517.0000000000FB2000.00000040.00000001.01000000.0000000D.sdmp	Binary or memory string: Windows 8.1 Server Datacenter without Hyper-V (core)
Source: Cr6QVRpzwqhYjtnCxFSW.exe, 00000028.00000002.2668233517.0000000000FB2000.00000040.00000001.01000000.0000000D.sdmp	Binary or memory string: Windows 2016 Server Datacenter without Hyper-V (core)
Source: Cr6QVRpzwqhYjtnCxFSW.exe, 00000028.00000002.2668233517.0000000000FB2000.00000040.00000001.01000000.0000000D.sdmp	Binary or memory string: Windows 8.1 Server Standard without Hyper-V
Source: jk98mGM6JH.exe, 00000000.00000003.2202873339.0000000006058000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU WestVMware20,11696487552n
Source: Cr6QVRpzwqhYjtnCxFSW.exe, 00000028.00000002.2668233517.0000000000FB2000.00000040.00000001.01000000.0000000D.sdmp	Binary or memory string: VMWare
Source: Cr6QVRpzwqhYjtnCxFSW.exe, 00000028.00000002.2668233517.0000000000FB2000.00000040.00000001.01000000.0000000D.sdmp	Binary or memory string: 4Windows 8.1 Server Enterprise without Hyper-V (core)
Source: jk98mGM6JH.exe, 00000000.00000003.2202873339.0000000006058000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696487552t
Source: jk98mGM6JH.exe, 00000000.00000003.2202873339.0000000006058000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: HARtive Brokers - non-EU EuropeVMware20,11696487552
Source: Cr6QVRpzwqhYjtnCxFSW.exe, 00000028.00000002.2668233517.0000000000FB2000.00000040.00000001.01000000.0000000D.sdmp	Binary or memory string: Windows 10 Server Enterprise without Hyper-V (full)
Source: Cr6QVRpzwqhYjtnCxFSW.exe, 00000028.00000002.2668233517.0000000000FB2000.00000040.00000001.01000000.0000000D.sdmp	Binary or memory string: 2Windows 8 Server Datacenter without Hyper-V (full)
Source: Cr6QVRpzwqhYjtnCxFSW.exe, 00000028.00000002.2668233517.0000000000FB2000.00000040.00000001.01000000.0000000D.sdmp	Binary or memory string: 4Windows 8.1 Server Datacenter without Hyper-V (core)
Source: Cr6QVRpzwqhYjtnCxFSW.exe, 00000028.00000002.2668233517.0000000000FB2000.00000040.00000001.01000000.0000000D.sdmp	Binary or memory string: 2Windows 8 Server Enterprise without Hyper-V (full)
Source: Cr6QVRpzwqhYjtnCxFSW.exe, 00000028.00000002.2668233517.0000000000FB2000.00000040.00000001.01000000.0000000D.sdmp	Binary or memory string: #Windows 11 Microsoft Hyper-V Server
Source: Cr6QVRpzwqhYjtnCxFSW.exe, 00000028.00000002.2668233517.0000000000FB2000.00000040.00000001.01000000.0000000D.sdmp	Binary or memory string: Windows 11 Essential Server Solutions without Hyper-V
Source: RageMP131.exe, 0000000D.00000002.2536747684.0000000000BE0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000J\
Source: jk98mGM6JH.exe, 00000000.00000003.2199073228.000000000604D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: billing_address_id.comVMware20,11696487
Source: jk98mGM6JH.exe, 00000000.00000003.2202873339.0000000006058000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696H0
Source: Cr6QVRpzwqhYjtnCxFSW.exe, 00000028.00000002.2668233517.0000000000FB2000.00000040.00000001.01000000.0000000D.sdmp	Binary or memory string: Windows 8.1 Microsoft Hyper-V Server
Source: Cr6QVRpzwqhYjtnCxFSW.exe, 00000028.00000002.2650610233.000000000077E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWn
Source: Cr6QVRpzwqhYjtnCxFSW.exe, 00000028.00000002.2668233517.0000000000FB2000.00000040.00000001.01000000.0000000D.sdmp	Binary or memory string: Windows 2012 Server Standard without Hyper-V
Source: Cr6QVRpzwqhYjtnCxFSW.exe, 00000028.00000002.2668233517.0000000000FB2000.00000040.00000001.01000000.0000000D.sdmp	Binary or memory string: Windows 8 Microsoft Hyper-V Server
Source: Cr6QVRpzwqhYjtnCxFSW.exe, 00000028.00000002.2668233517.0000000000FB2000.00000040.00000001.01000000.0000000D.sdmp	Binary or memory string: 3Windows 11 Server Enterprise without Hyper-V (full)
Source: Cr6QVRpzwqhYjtnCxFSW.exe, 00000028.00000002.2668233517.0000000000FB2000.00000040.00000001.01000000.0000000D.sdmp	Binary or memory string: 5Windows 2012 Server Datacenter without Hyper-V (core)
Source: Cr6QVRpzwqhYjtnCxFSW.exe, 00000028.00000002.2668233517.0000000000FB2000.00000040.00000001.01000000.0000000D.sdmp	Binary or memory string: 3Windows 2016 Server Standard without Hyper-V (core)
Source: jk98mGM6JH.exe, 00000000.00000003.2202873339.0000000006058000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696487
Source: jk98mGM6JH.exe, 00000000.00000002.2670860055.00000000010BE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWen-GBn
Source: jk98mGM6JH.exe, 00000000.00000003.2202873339.0000000006058000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696487552
Source: jk98mGM6JH.exe, 00000000.00000003.2195881504.0000000006057000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696487552
Source: Cr6QVRpzwqhYjtnCxFSW.exe, 00000028.00000002.2668233517.0000000000FB2000.00000040.00000001.01000000.0000000D.sdmp	Binary or memory string: (Windows 2012 R2 Microsoft Hyper-V Server
Source: Cr6QVRpzwqhYjtnCxFSW.exe, 00000028.00000002.2668233517.0000000000FB2000.00000040.00000001.01000000.0000000D.sdmp	Binary or memory string: Windows 11 Microsoft Hyper-V Server
Source: RageMP131.exe, 0000000D.00000002.2536747684.0000000000C4D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWa
Source: Cr6QVRpzwqhYjtnCxFSW.exe, 00000028.00000002.2668233517.0000000000FB2000.00000040.00000001.01000000.0000000D.sdmp	Binary or memory string: Windows 8 Server Datacenter without Hyper-V (core)
Source: jk98mGM6JH.exe, 00000000.00000003.2206621281.0000000006038000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}efault_applied":true,"is_search_only_on_by_default_applied":true},"domain_actions_config":"H4sIAAAAAAAAAL19a4/cNpboXzH60+4gRbvbrzj7aTbj2Ql2MhlkswhwF4MGRVISWxQp81FVqkH++z2HUrXbLkndh51dBHba1XX4PDzvxz+v+P76VjipxG2teExe3YpWie7W7ZX3Wqqr7/55xYfBaMGjdjZcffc/8wdK3g4OPh+vvrv6aYg/pXj1zZV0PdcWPrEq1kYfmXD91W/fUEBCTFK7MEH+45urDKHVNLPlvXoIHMcB//3H/fX3uIk/T3v4HrcwfweHgL0EWPzVd9e/fXMlZE/dnTXjx+Pggvq74ePPisvx4bqD0bbZ2Og99K8w415b9RA4usTivgSy50f4WTHYRQE0r0TxkvcMIVQpvOHvmY4lkMdaWx3H0okPPIoWVi/cFl5uDqEbWICCMbxrAKlKh6lMUiL5PY4UWn5ggpcM0yp8Ynv4jYve2dLVCA978oD/ouXWKlM6jo08toiSpffjDoNXQdkYBpOKD3ffHgufVJtMKp0Vvs4+JS06uJShdJA/6dD+0Y6HVnm1TQAXSdJMDfEjnz/CJVxAPJh4Brj/5JJYZtZAI5d/gW/+WP9F7UWmyTTSsQFstY3KSrd5MJfw8x4ffriwzR5P5lZboOXq2cwPcaHxvO+5N1vU6gKw18K74OqIVMGrwcGWi+B3/fhgiJ2sSYzY4W5ZcE8FcFZJr/eKGfyLMJOray0KIOCL4cFk21LCwm0jIsXbWhuge7fO3sKot+GggT087cq/n0b4cx5g+QK3FvYl+MX6lBiIKAgvXttf1DH+989/DfjSv6Bq3DYuxcAa55qtt7c5CvCG+LwRguGiK4StuVCVc6XgB5WXXwqsj3qDuW4Cf/pUPGulNsSUbVjnJXLSDRa6CR/hKQBmFkJLHQQsYPMFLA0wE+qP3/8dP8jfiPM3Ft4I0gGtrBhve6DpxPdSGSe6LyTLaksmvPj6AByWNap2XijrDgRIkyxnvOenLXHtAupwODCcM8S8KwJktambXH7du0NQvoKDbZnzDWV9XluhgbnLCK/NOuMauHTKJlXFKh4UcM2Nd34B1ruTNoazRsc2VUyvcK0LuDb25m1UYYMsXMBYBeS95xZmIu0Mjueg/abgcwHkROSgEsMCUZwAidB1CX96+giihcXq1JOPZpqawYXgXQSmbf1UUBHCa+KhAhsGPEmo2b2WlIsP+SG8/MNLfBqrpOYMBxJxQOpx9ZnUwE97DqoY/nhJYSwwTgEyYc8bddtrewuzAB+9DfpEpTdfQT/cxR8AMzo9KKn5+oPbgH+UVm/AagvIhYJqEfRMxf5ABhyQsPtNJNladC+rIsDHZYhNYNA8Cs9pW+PZgATFXFTpdCoCBk2mA6zaYBYbwI1xlSuCtGPU/Rbd34BVMWyoS5uIDM+nfN4qG8NY6ugTd4qX4ZPRQ8d92ROotox3W+cbhjJ0UBXIO/SH3iagkaPKm2TR01+OMarxDkQf+hHBQ98UfTZge+UFl/DF/WSFYRV96ZXXwEMtsIWiJXSuH/iW/L5FNWzZJaPpTqrBleGkVFGXkVYLj6jsnkDuew56AWPnJ22VSfrESy8aJKTCO27VEHSVPJdl8AJQfOAbEtPWbXFtRvjZFNI9XoaaTYDjUrZsv9ruQWYofdQcvnl8RCl+hHQiO0ZRuJxFlb0PmX0WJeID100wGgStEsmy1hYFYDby1j1jz30plwP67QanQ8d8IgM7UJ1K+Ebj+Ib/Y1MaVoAe3E4vo4SSTPjtJlWgiB7iey44K8v3hQpEWyYRV7DPKo2bFqJL8LOq9uHVY8oaTTmTOvDKfLlApDIr8s7C13s+fEqozzwdJIyNFpQpwgZTX/g+HlyqNvjqAsy29X5pUV9au598WqMToJ3A/lfJ0gIYEBOlNrjd4kzwIB4hXwtgj1m5F0CsblnjVpyOSytDBOX97qCqsKm9L8JK9FJlFyllzgrYgc3+KKblk6G4EOmgeGzpq4R
Source: Cr6QVRpzwqhYjtnCxFSW.exe, 00000028.00000002.2668233517.0000000000FB2000.00000040.00000001.01000000.0000000D.sdmp	Binary or memory string: 0Windows 8 Server Standard without Hyper-V (core)
Source: Cr6QVRpzwqhYjtnCxFSW.exe, 00000028.00000002.2668233517.0000000000FB2000.00000040.00000001.01000000.0000000D.sdmp	Binary or memory string: 6Windows 8.1 Essential Server Solutions without Hyper-V
Source: jk98mGM6JH.exe, 00000000.00000003.2199073228.000000000604D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ebrokers.co.inVMware20,11696487552d
Source: Cr6QVRpzwqhYjtnCxFSW.exe, 00000028.00000002.2668233517.0000000000FB2000.00000040.00000001.01000000.0000000D.sdmp	Binary or memory string: Windows 8 Server Standard without Hyper-V
Source: Cr6QVRpzwqhYjtnCxFSW.exe, 00000028.00000002.2668233517.0000000000FB2000.00000040.00000001.01000000.0000000D.sdmp	Binary or memory string: 4Windows 8 Essential Server Solutions without Hyper-V
Source: Cr6QVRpzwqhYjtnCxFSW.exe, 00000028.00000002.2668233517.0000000000FB2000.00000040.00000001.01000000.0000000D.sdmp	Binary or memory string: 8Windows 2012 R2 Server Enterprise without Hyper-V (full)
Source: Cr6QVRpzwqhYjtnCxFSW.exe, 00000028.00000002.2668233517.0000000000FB2000.00000040.00000001.01000000.0000000D.sdmp	Binary or memory string: 5Windows 2016 Server Datacenter without Hyper-V (full)
Source: jk98mGM6JH.exe, 00000000.00000003.2199073228.000000000604D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: s.portal.azure.comVMware20,11696487552
Source: Cr6QVRpzwqhYjtnCxFSW.exe, 00000028.00000002.2668233517.0000000000FB2000.00000040.00000001.01000000.0000000D.sdmp	Binary or memory string: 2Windows 8 Server Enterprise without Hyper-V (core)
Source: Cr6QVRpzwqhYjtnCxFSW.exe, 00000028.00000002.2668233517.0000000000FB2000.00000040.00000001.01000000.0000000D.sdmp	Binary or memory string: 4Windows 8.1 Server Datacenter without Hyper-V (full)
Source: jk98mGM6JH.exe, jk98mGM6JH.exe, 00000000.00000002.2656900421.00000000008DE000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, MPGPH131.exe, 0000000A.00000002.3051572033.000000000065E000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000D.00000002.2541378300.00000000012CE000.00000040.00000001.01000000.00000007.sdmp, zqdrYwv5fC6zkQ9Tresm.exe, 00000019.00000002.2646185724.0000000000316000.00000040.00000001.01000000.0000000B.sdmp, RageMP131.exe, 00000022.00000002.2671590915.00000000012CE000.00000040.00000001.01000000.00000007.sdmp	Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: Cr6QVRpzwqhYjtnCxFSW.exe, 00000028.00000002.2668233517.0000000000FB2000.00000040.00000001.01000000.0000000D.sdmp	Binary or memory string: 3Windows 11 Server Datacenter without Hyper-V (full)
Source: jk98mGM6JH.exe, 00000000.00000003.2195881504.0000000006057000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696487552\|UE
Source: Cr6QVRpzwqhYjtnCxFSW.exe, 00000028.00000002.2668233517.0000000000FB2000.00000040.00000001.01000000.0000000D.sdmp	Binary or memory string: Windows 10 Server Standard without Hyper-V
Source: Cr6QVRpzwqhYjtnCxFSW.exe, 00000028.00000003.2509698184.0000000000757000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: Cr6QVRpzwqhYjtnCxFSW.exe, 00000028.00000002.2668233517.0000000000FB2000.00000040.00000001.01000000.0000000D.sdmp	Binary or memory string: 5Windows 2012 Server Enterprise without Hyper-V (core)
Source: Cr6QVRpzwqhYjtnCxFSW.exe, 00000028.00000002.2668233517.0000000000FB2000.00000040.00000001.01000000.0000000D.sdmp	Binary or memory string: Windows 2012 R2 Server Enterprise without Hyper-V (full)
Source: jk98mGM6JH.exe, 00000000.00000003.2195881504.0000000006057000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552
Source: Cr6QVRpzwqhYjtnCxFSW.exe, 00000028.00000002.2668233517.0000000000FB2000.00000040.00000001.01000000.0000000D.sdmp	Binary or memory string: Windows 2012 R2 Server Datacenter without Hyper-V (core)
Source: Cr6QVRpzwqhYjtnCxFSW.exe, 00000028.00000002.2668233517.0000000000FB2000.00000040.00000001.01000000.0000000D.sdmp	Binary or memory string: Windows 8.1 Essential Server Solutions without Hyper-V
Source: Cr6QVRpzwqhYjtnCxFSW.exe, 00000028.00000002.2668233517.0000000000FB2000.00000040.00000001.01000000.0000000D.sdmp	Binary or memory string: Hyper-V (guest)
Source: jk98mGM6JH.exe, 00000000.00000003.2202873339.0000000006058000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.co.inVMware20,11696487552d
Source: jk98mGM6JH.exe, 00000000.00000003.2202873339.0000000006058000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - HKVMware20,11696487552]
Source: jk98mGM6JH.exe, 00000000.00000003.2202873339.0000000006058000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: comVMware20,11696487552o
Source: jk98mGM6JH.exe, 00000000.00000003.2202873339.0000000006058000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - GDCDYNVMware20,116p-
Source: Cr6QVRpzwqhYjtnCxFSW.exe, 00000028.00000002.2668233517.00000000010E2000.00000040.00000001.01000000.0000000D.sdmp	Binary or memory string: ~VirtualMachineTypes
Source: RageMP131.exe, 0000000D.00000002.2536747684.0000000000BEE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 9e146be9-c76a-4720-bcdb-53011b87bd06_{a33c7340-61ca-11ee-8c18-806e6f6e6963}_\\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}_E8D9B274)S
Source: jk98mGM6JH.exe, 00000000.00000003.2195881504.0000000006057000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696487552p
Source: Cr6QVRpzwqhYjtnCxFSW.exe, 00000028.00000002.2668233517.00000000010E2000.00000040.00000001.01000000.0000000D.sdmp	Binary or memory string: DLL_Loader_Marker]DLL_Loader_VirtualMachineZDLL_Loader_Reloc_Unit
Source: Cr6QVRpzwqhYjtnCxFSW.exe, 00000028.00000002.2668233517.0000000000FB2000.00000040.00000001.01000000.0000000D.sdmp	Binary or memory string: Windows 11 Server Standard without Hyper-V
Source: jk98mGM6JH.exe, 00000000.00000003.2203839905.0000000006030000.00000004.00000020.00020000.00000000.sdmp, jk98mGM6JH.exe, 00000000.00000003.2206621281.0000000006038000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: gkGAyEwjLgMyw6tzUlM8BEgYIABABIBAyEwjgueKkncrr444BEgYIABABIBAyFAinx8vZpLm+gcMBEgcIARABIJBgMhII5s79rcCI/IJ+EgYIABABIBAyEgjozNnlpJyeyzkSBggAEAEgEDIWCJiYntn49dXkggESCQgAEAEggICACHoCCACCAQIYAA==","saved_system_profile_hash":"1C7CAA303FB4F30A304BA4E68CF94DA878BD3A61","stats_buildtime":"1696412494","stats_version":"117.0.2045.55-64","system_crash_count":0},"unsent_log_metadata":{"initial_logs":{"sent_samples_count":0,"unsent_persisted_size_in_kb":0,"unsent_samples_count":0},"ongoing_logs":{"sent_samples_count":0,"unsent_persisted_size_in_kb":0,"unsent_samples_count":0}}},"variations_compressed_seed":"H4sIAAAAAAAAAN1ca2/juJL9K4t8HTmj9yMX+8Fxko5n8vDETvruvX0RyBJtK5EljSQn7R3Mf99TpJ62JbtngcXFAoOeSKwqFovFqlMk5T/ORnG0CJbjq+zs4uyPb2fXo+m3s4tvZ5PB00CRbdWw5IEyUBRpMrga6Kpm2wN1YH47k0DqL1lB+3dQqLKsaGhUZKl4YRi2BmateFY02zHxbIhn2dY1E60Ds3h2FFs3IcAoGGTLcNAdRBQUIJEVg/ovCXRTUepndOmYat2jrNqqBuWNgaGWfVqqYuH/A7XSSjYMFTLKZ4wZnSoDq3yWLctBu1VqqSoq0Tvls2kackMH2VC0hk6yY6kauAdK1YEOJdCBUz5rjqnXCsiOI9ty3S7bjmWQ0fkccAYVJE2NYXm7oaGpGZZBZqsZFINmRi/NhkE1JoKGaDoNszmOabSeDdNsdoAhqa2JxMTaA32gVAQwqd4QAI0UvWkTXdZhkfoZE6U0TaBamt16Vgy7Kc+2bWdgVDaVbdMg11EGdjlGh/5rjBlWtPTGGGxHNbizVc+K4jRUVDSTT3vVbplmc1ptQzHMhkq26tgGqaRUL+CemIWyQ90yoB9UqAgwD2rDipajW1qjB902uTNXg7QsQ2sxWAq3YukomCXHGWjQSrFLQ1myYjesoGsa962KwFIMp+UakCJDy6odhtAaM2XJMqa+HpVhGlpTBxNKtWbKVFWnXk2yIcO0TXrFkVXy1YpAk83mIA1b0dWmADin2Ry0amE1qdpAr8eo0kxiMuSSRsf0NpQyVNXQyV9LAsQESKgDDWxvI+5plRl0mqyGVphMRWs8q6am0mSrpUR0YjkNNeEv5G7awCnfaJaJwFQPjJtiAJ5SpmbKttIMZpYu80BSdSqT7Rsuq+o8GtZ9WpgqUKjFMBRL1uXGutdkzajoHcuBUZyBXTwqKixgDQxyV54KHBvuiWWsly+og4Ep/POJh2vbgHq2cPEnsU5NpTT0E7eb7hgDW4yBv9DhxgOKJnbxBmnBgRS1lGtbWAgU/kzxaGoyOahRPGoy5RS4kFALDm+SUrolLecKY4quXOi6Zcu6pL3Jy6Vumhe6ptiWJaUsY/k8iJZEIJuy5CmBjUiiXuiqqUPlzySOMjdXXw0ZJOQE0tubykzHhgxVtWxFchxjpSH0oB0Ly5Qc/22OWXDQhwVrS/OFt7Rs1cIzQpwp5c7vqRsFazcP4oit3SB0N3m8CMIQFI7hKBIWmEYBmHo0TEVic19bKhaNwjAR3fJkEMaks+aAVJrLylug2cYF9Y8OAmWpLk1ZJwU0w5GcxYItHRoTsgYWBNMsF2tKJXrbBj/G763c/PcNSwOWvRqvwTqBZTLo9/oZ5KvXlPlByrz8dZOGGcQgucCWvqvNNT5O3VEcyTdt31cd6tZQHZiOzQcZC8E22ETZKkgudAP+oUn2G+KcQQbBErMtKVCZBX1tsjmSu2SuFLZCAqXhI9FKzFE906Z2Be2GpMiub+uyTB2beHZ83XMdHeNHIAN/4LMoDxZbf05vsAqlTzcMWZ5kn2EQvW8S382ZMJYjBW++Y1oatCZgYUqKp9u6TaNSIF2TEDvtQNfQGaUsS7L0JVKfbZGyWA+S5rE3OIx9oWGlORaMqS90h6xgIArp0pvuywtTd7hyCA1zsj5AzYXmAOlYkuN5JpKphnYFwV7y48/ITdP4M/PSOAzJ/HkaLJcsjdjnhQbDyaoUAa+FMRwoWhJBvMnzeLkMaVCYG1NaWHN/aSrkxVjgiuRb9tsS8Q4WhQcbkim7iMoyOZgJl5OYrQOnOTSVgGNwOB/E3uIC6RH4THKNpfamWGBHPLBt6Lhm3xM34g7ygXlCorNUKYPh8ZZ5braau967FwbeO5o1pHIsdubrKoaNNYEeMvcDymdblm2CC0Q5VXMkOQgYohlMadka/PhNe/MD3YKpEXhNQ4LhdYiADEA6OJjsMUXFJKIDUh4dyJpiEbehY8xIhAvThNKKRcv0Q3mFBaMYnhF4fO1h6ZMFsw1XStckRVu+LYDkoBAWriOp3mrhmjo9a+gZHWRMVWxqhmGkwPDYyjKMCw0Og3WVeEka+xsvn29TtmTfWbTJ0IYJkyXVZTogEvk0Ug/cTvdVBjxCPm0bNBY/sA3VxFhkhdzQsFcLBz6uGXB1DV0nbobJw9jhNYa0gG/En+48ZFhmCFIXmuZoqiopbM5c3YRODtzXlizVX/mAitADqNeW5oaJtWpjpinGWLCK8urG3jKNN0mmupGvcU5HlXybvdFUXWgqEhdpkMfvjkkaEbCSfMYSxkL4HWyoXAB1G5hDlqeMuUnwoUAFmVChtHrzZUujZ1qMtmQuVsgyJgRjoLosLTOWYnCQQNUD+mHRChOMZhQemhTYAQZgYPXrgAlY7ar
Source: jk98mGM6JH.exe, 00000000.00000003.2202873339.0000000006058000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CT service, encrypted_token FROM token_servicerr global passwords blocklistVMware20,11696487552
Source: Cr6QVRpzwqhYjtnCxFSW.exe, 00000028.00000002.2668233517.0000000000FB2000.00000040.00000001.01000000.0000000D.sdmp	Binary or memory string: %Windows 2012 Microsoft Hyper-V Server
Source: Cr6QVRpzwqhYjtnCxFSW.exe, 00000028.00000002.2668233517.0000000000FB2000.00000040.00000001.01000000.0000000D.sdmp	Binary or memory string: $Windows 8.1 Microsoft Hyper-V Server
Source: jk98mGM6JH.exe, 00000000.00000003.2202873339.0000000006058000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696487552f
Source: Cr6QVRpzwqhYjtnCxFSW.exe, 00000028.00000002.2668233517.0000000000FB2000.00000040.00000001.01000000.0000000D.sdmp	Binary or memory string: 3Windows 10 Server Datacenter without Hyper-V (full)
Source: jk98mGM6JH.exe, 00000000.00000003.2195881504.0000000006057000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696487552
Source: Cr6QVRpzwqhYjtnCxFSW.exe, 00000028.00000002.2668233517.0000000000FB2000.00000040.00000001.01000000.0000000D.sdmp	Binary or memory string: Windows 8 Essential Server Solutions without Hyper-V
Source: Cr6QVRpzwqhYjtnCxFSW.exe, 00000028.00000002.2668233517.0000000000FB2000.00000040.00000001.01000000.0000000D.sdmp	Binary or memory string: Windows 10 Essential Server Solutions without Hyper-V
Source: Cr6QVRpzwqhYjtnCxFSW.exe, 00000028.00000002.2668233517.0000000000FB2000.00000040.00000001.01000000.0000000D.sdmp	Binary or memory string: 8Windows 2012 R2 Server Datacenter without Hyper-V (full)
Source: Cr6QVRpzwqhYjtnCxFSW.exe, 00000028.00000003.2509698184.000000000075F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}6
Source: Cr6QVRpzwqhYjtnCxFSW.exe, 00000028.00000002.2668233517.0000000000FB2000.00000040.00000001.01000000.0000000D.sdmp	Binary or memory string: Windows 2012 R2 Server Enterprise without Hyper-V (core)
Source: Cr6QVRpzwqhYjtnCxFSW.exe, 00000028.00000002.2668233517.0000000000FB2000.00000040.00000001.01000000.0000000D.sdmp	Binary or memory string: 7Windows 2012 Essential Server Solutions without Hyper-V
Source: Cr6QVRpzwqhYjtnCxFSW.exe, 00000028.00000002.2668233517.0000000000FB2000.00000040.00000001.01000000.0000000D.sdmp	Binary or memory string: Windows 8 Server Enterprise without Hyper-V (full)
Source: jk98mGM6JH.exe, 00000000.00000003.2195881504.0000000006057000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696487552
Source: Cr6QVRpzwqhYjtnCxFSW.exe, 00000028.00000002.2668233517.0000000000FB2000.00000040.00000001.01000000.0000000D.sdmp	Binary or memory string: Windows 2016 Server Datacenter without Hyper-V (full)
Source: jk98mGM6JH.exe, 00000000.00000003.2202873339.0000000006058000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: pageformVMware20,11696487552
Source: jk98mGM6JH.exe, 00000000.00000002.2670860055.00000000010DD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 3c7340-61ca-11ee-8c18-806e6f6e6963}_\\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}_E8D9B274
Source: jk98mGM6JH.exe, 00000000.00000003.2202873339.0000000006058000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696487552j
Source: Cr6QVRpzwqhYjtnCxFSW.exe, 00000028.00000002.2668233517.0000000000FB2000.00000040.00000001.01000000.0000000D.sdmp	Binary or memory string: Windows 8.1 Server Datacenter without Hyper-V (full)
Source: Cr6QVRpzwqhYjtnCxFSW.exe, 00000028.00000002.2668233517.0000000000FB2000.00000040.00000001.01000000.0000000D.sdmp	Binary or memory string: %Windows 2016 Microsoft Hyper-V Server
Source: MPGPH131.exe, 00000009.00000003.2193634968.0000000000E48000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}i
Source: jk98mGM6JH.exe, 00000000.00000003.2149654269.00000000010AC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}e
Source: MPGPH131.exe, 0000000A.00000002.3121450909.00000000072D9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\G
Source: Cr6QVRpzwqhYjtnCxFSW.exe, 00000028.00000002.2668233517.0000000000FB2000.00000040.00000001.01000000.0000000D.sdmp	Binary or memory string: +Windows 8.1 Server Standard without Hyper-V
Source: Cr6QVRpzwqhYjtnCxFSW.exe, 00000028.00000002.2668233517.0000000000FB2000.00000040.00000001.01000000.0000000D.sdmp	Binary or memory string: Windows 2016 Server Standard without Hyper-V
Source: Cr6QVRpzwqhYjtnCxFSW.exe, 00000028.00000002.2668233517.0000000000FB2000.00000040.00000001.01000000.0000000D.sdmp	Binary or memory string: Windows 11 Server Enterprise without Hyper-V (core)
Source: Cr6QVRpzwqhYjtnCxFSW.exe, 00000028.00000002.2668233517.0000000000FB2000.00000040.00000001.01000000.0000000D.sdmp	Binary or memory string: 4Windows 8.1 Server Enterprise without Hyper-V (full)
Source: Cr6QVRpzwqhYjtnCxFSW.exe, 00000028.00000002.2668233517.0000000000FB2000.00000040.00000001.01000000.0000000D.sdmp	Binary or memory string: Windows 11 Server Datacenter without Hyper-V (core)
Source: Cr6QVRpzwqhYjtnCxFSW.exe, 00000028.00000002.2650610233.0000000000759000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}O
Source: Cr6QVRpzwqhYjtnCxFSW.exe, 00000028.00000002.2668233517.0000000000FB2000.00000040.00000001.01000000.0000000D.sdmp	Binary or memory string: 2Windows 8 Server Datacenter without Hyper-V (core)
Source: RageMP131.exe, 0000000D.00000002.2536747684.0000000000C2B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}L
Source: Cr6QVRpzwqhYjtnCxFSW.exe, 00000028.00000002.2668233517.0000000000FB2000.00000040.00000001.01000000.0000000D.sdmp	Binary or memory string: Windows 10 Server Enterprise without Hyper-V (core)
Source: jk98mGM6JH.exe, 00000000.00000003.2195881504.0000000006057000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696487552
Source: Cr6QVRpzwqhYjtnCxFSW.exe, 00000028.00000002.2668233517.0000000000FB2000.00000040.00000001.01000000.0000000D.sdmp	Binary or memory string: :Windows 2012 R2 Essential Server Solutions without Hyper-V
Source: Cr6QVRpzwqhYjtnCxFSW.exe, 00000028.00000002.2668233517.0000000000FB2000.00000040.00000001.01000000.0000000D.sdmp	Binary or memory string: 3Windows 10 Server Enterprise without Hyper-V (full)
Source: jk98mGM6JH.exe, 00000000.00000003.2199073228.000000000604D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: .comVMware20,11696487
Source: Cr6QVRpzwqhYjtnCxFSW.exe, 00000028.00000002.2668233517.0000000000FB2000.00000040.00000001.01000000.0000000D.sdmp	Binary or memory string: Windows 8.1 Server Enterprise without Hyper-V (full)
Source: Cr6QVRpzwqhYjtnCxFSW.exe, 00000028.00000002.2668233517.0000000000FB2000.00000040.00000001.01000000.0000000D.sdmp	Binary or memory string: *Windows 11 Server Standard without Hyper-V
Source: Cr6QVRpzwqhYjtnCxFSW.exe, 00000028.00000002.2668233517.0000000000FB2000.00000040.00000001.01000000.0000000D.sdmp	Binary or memory string: ,Windows 2016 Server Standard without Hyper-V
Source: Cr6QVRpzwqhYjtnCxFSW.exe, 00000028.00000002.2668233517.0000000000FB2000.00000040.00000001.01000000.0000000D.sdmp	Binary or memory string: Windows 8 Server Datacenter without Hyper-V (full)
Source: Cr6QVRpzwqhYjtnCxFSW.exe, 00000028.00000002.2668233517.0000000000FB2000.00000040.00000001.01000000.0000000D.sdmp	Binary or memory string: Windows 2016 Server Enterprise without Hyper-V (full)
Source: Cr6QVRpzwqhYjtnCxFSW.exe, 00000028.00000002.2668233517.0000000000FB2000.00000040.00000001.01000000.0000000D.sdmp	Binary or memory string: VBoxService.exe
Source: jk98mGM6JH.exe, 00000000.00000002.2670860055.000000000109B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWP
Source: jk98mGM6JH.exe, 00000000.00000003.2195881504.0000000006057000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696487552z
Source: Cr6QVRpzwqhYjtnCxFSW.exe, 00000028.00000002.2668233517.0000000000FB2000.00000040.00000001.01000000.0000000D.sdmp	Binary or memory string: *Windows 10 Server Standard without Hyper-V
Source: Cr6QVRpzwqhYjtnCxFSW.exe, 00000028.00000002.2668233517.0000000000FB2000.00000040.00000001.01000000.0000000D.sdmp	Binary or memory string: 1Windows 11 Server Standard without Hyper-V (core)
Source: Cr6QVRpzwqhYjtnCxFSW.exe, 00000028.00000002.2668233517.0000000000FB2000.00000040.00000001.01000000.0000000D.sdmp	Binary or memory string: 1Windows 10 Server Standard without Hyper-V (core)
Source: jk98mGM6JH.exe, 00000000.00000003.2202873339.0000000006058000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: o.inVMware20,11696487552~
Source: jk98mGM6JH.exe, 00000000.00000003.2195881504.0000000006057000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.co.inVMware20,11696487552~
Source: Cr6QVRpzwqhYjtnCxFSW.exe, 00000028.00000002.2668233517.0000000000FB2000.00000040.00000001.01000000.0000000D.sdmp	Binary or memory string: Windows 2012 Server Enterprise without Hyper-V (full)
Source: Cr6QVRpzwqhYjtnCxFSW.exe, 00000028.00000002.2668233517.0000000000FB2000.00000040.00000001.01000000.0000000D.sdmp	Binary or memory string: Windows 2012 Server Datacenter without Hyper-V (full)
Source: jk98mGM6JH.exe, 00000000.00000003.2195881504.0000000006057000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696487552s
Source: jk98mGM6JH.exe, 00000000.00000003.2201571662.000000000602C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: PREFER~2KPreferencesLGFaviconsgkGAyEwjLgMyw6tzUlM8BEgYIABABIBAyEwjgueKkncrr444BEgYIABABIBAyFAinx8vZpLm+gcMBEgcIARABIJBgMhII5s79rcCI/IJ+EgYIABABIBAyEgjozNnlpJyeyzkSBggAEAEgEDIWCJiYntn49dXkggESCQgAEAEggICACHoCCACCAQIYAA==","saved_system_profile_hash":"1C7CAA303FB4F30A304BA4E68CF94DA878BD3A61","stats_buildtime":"1696412494","stats_version":"117.0.2045.55-64","system_crash_count":0},"unsent_log_metadata":{"initial_logs":{"sent_samples_count":0,"unsent_persisted_size_in_kb":0,"unsent_samples_count":0},"ongoing_logs":{"sent_samples_count":0,"unsent_persisted_size_in_kb":0,"unsent_samples_count":0}}},"variations_compressed_seed":"H4sIAAAAAAAAAN1ca2/juJL9K4t8HTmj9yMX+8Fxko5n8vDETvruvX0RyBJtK5EljSQn7R3Mf99TpJ62JbtngcXFAoOeSKwqFovFqlMk5T/ORnG0CJbjq+zs4uyPb2fXo+m3s4tvZ5PB00CRbdWw5IEyUBRpMrga6Kpm2wN1YH47k0DqL1lB+3dQqLKsaGhUZKl4YRi2BmateFY02zHxbIhn2dY1E60Ds3h2FFs3IcAoGGTLcNAdRBQUIJEVg/ovCXRTUepndOmYat2jrNqqBuWNgaGWfVqqYuH/A7XSSjYMFTLKZ4wZnSoDq3yWLctBu1VqqSoq0Tvls2kackMH2VC0hk6yY6kauAdK1YEOJdCBUz5rjqnXCsiOI9ty3S7bjmWQ0fkccAYVJE2NYXm7oaGpGZZBZqsZFINmRi/NhkE1JoKGaDoNszmOabSeDdNsdoAhqa2JxMTaA32gVAQwqd4QAI0UvWkTXdZhkfoZE6U0TaBamt16Vgy7Kc+2bWdgVDaVbdMg11EGdjlGh/5rjBlWtPTGGGxHNbizVc+K4jRUVDSTT3vVbplmc1ptQzHMhkq26tgGqaRUL+CemIWyQ90yoB9UqAgwD2rDipajW1qjB902uTNXg7QsQ2sxWAq3YukomCXHGWjQSrFLQ1myYjesoGsa962KwFIMp+UakCJDy6odhtAaM2XJMqa+HpVhGlpTBxNKtWbKVFWnXk2yIcO0TXrFkVXy1YpAk83mIA1b0dWmADin2Ry0amE1qdpAr8eo0kxiMuSSRsf0NpQyVNXQyV9LAsQESKgDDWxvI+5plRl0mqyGVphMRWs8q6am0mSrpUR0YjkNNeEv5G7awCnfaJaJwFQPjJtiAJ5SpmbKttIMZpYu80BSdSqT7Rsuq+o8GtZ9WpgqUKjFMBRL1uXGutdkzajoHcuBUZyBXTwqKixgDQxyV54KHBvuiWWsly+og4Ep/POJh2vbgHq2cPEnsU5NpTT0E7eb7hgDW4yBv9DhxgOKJnbxBmnBgRS1lGtbWAgU/kzxaGoyOahRPGoy5RS4kFALDm+SUrolLecKY4quXOi6Zcu6pL3Jy6Vumhe6ptiWJaUsY/k8iJZEIJuy5CmBjUiiXuiqqUPlzySOMjdXXw0ZJOQE0tubykzHhgxVtWxFchxjpSH0oB0Ly5Qc/22OWXDQhwVrS/OFt7Rs1cIzQpwp5c7vqRsFazcP4oit3SB0N3m8CMIQFI7hKBIWmEYBmHo0TEVic19bKhaNwjAR3fJkEMaks+aAVJrLylug2cYF9Y8OAmWpLk1ZJwU0w5GcxYItHRoTsgYWBNMsF2tKJXrbBj/G763c/PcNSwOWvRqvwTqBZTLo9/oZ5KvXlPlByrz8dZOGGcQgucCWvqvNNT5O3VEcyTdt31cd6tZQHZiOzQcZC8E22ETZKkgudAP+oUn2G+KcQQbBErMtKVCZBX1tsjmSu2SuFLZCAqXhI9FKzFE906Z2Be2GpMiub+uyTB2beHZ83XMdHeNHIAN/4LMoDxZbf05vsAqlTzcMWZ5kn2EQvW8S382ZMJYjBW++Y1oatCZgYUqKp9u6TaNSIF2TEDvtQNfQGaUsS7L0JVKfbZGyWA+S5rE3OIx9oWGlORaMqS90h6xgIArp0pvuywtTd7hyCA1zsj5AzYXmAOlYkuN5JpKphnYFwV7y48/ITdP4M/PSOAzJ/HkaLJcsjdjnhQbDyaoUAa+FMRwoWhJBvMnzeLkMaVCYG1NaWHN/aSrkxVjgiuRb9tsS8Q4WhQcbkim7iMoyOZgJl5OYrQOnOTSVgGNwOB/E3uIC6RH4THKNpfamWGBHPLBt6Lhm3xM34g7ygXlCorNUKYPh8ZZ5braau967FwbeO5o1pHIsdubrKoaNNYEeMvcDymdblm2CC0Q5VXMkOQgYohlMadka/PhNe/MD3YKpEXhNQ4LhdYiADEA6OJjsMUXFJKIDUh4dyJpiEbehY8xIhAvThNKKRcv0Q3mFBaMYnhF4fO1h6ZMFsw1XStckRVu+LYDkoBAWriOp3mrhmjo9a+gZHWRMVWxqhmGkwPDYyjKMCw0Og3WVeEka+xsvn29TtmTfWbTJ0IYJkyXVZTogEvk0Ug/cTvdVBjxCPm0bNBY/sA3VxFhkhdzQsFcLBz6uGXB1DV0nbobJw9jhNYa0gG/En+48ZFhmCFIXmuZoqiopbM5c3YRODtzXlizVX/mAitADqNeW5oaJtWpjpinGWLCK8urG3jKNN0mmupGvcU5HlXybvdFUXWgqEhdpkMfvjkkaEbCSfMYSxkL4HWyoXAB1G5hDlqeMuUnwoUAFmVChtHrzZUujZ1qMtmQuVsgyJgRjoLosLTOWYnCQQNUD+
Source: Cr6QVRpzwqhYjtnCxFSW.exe, 00000028.00000002.2668233517.0000000000FB2000.00000040.00000001.01000000.0000000D.sdmp	Binary or memory string: 2Windows 8.1 Server Standard without Hyper-V (core)
Source: jk98mGM6JH.exe, 00000000.00000003.2202873339.0000000006058000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ccount.microsoft.com/profileVMware20,11696487552u
Source: jk98mGM6JH.exe, 00000000.00000002.2670860055.00000000010A2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_di

Source: C:\Users\user\Desktop\jk98mGM6JH.exe

System information queried: ModuleInformation

Jump to behavior

Source: C:\Users\user\Desktop\jk98mGM6JH.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Hides threads from debuggers

Source: C:\Users\user\Desktop\jk98mGM6JH.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\heidiVWl4S6kyYSYh\zqdrYwv5fC6zkQ9Tresm.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\heidiVWl4S6kyYSYh\Cr6QVRpzwqhYjtnCxFSW.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\heidiVWl4S6kyYSYh\Cr6QVRpzwqhYjtnCxFSW.exe	Thread information set: HideFromDebugger

Potentially malicious time measurement code found

Source: C:\Users\user\Desktop\jk98mGM6JH.exe	Code function: 0_2_050D0955 Start: 050D0B86 End: 050D0946	0_2_050D0955
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	Code function: 0_2_05120729 Start: 05120B12 End: 05120759	0_2_05120729
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	Code function: 0_2_05180BA9 Start: 05180CAE End: 05180BB8	0_2_05180BA9
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 10_2_04D70557 Start: 04D70C6F End: 04D70568	10_2_04D70557
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 10_2_04D70000 Start: 04D70087 End: 04D70061	10_2_04D70000
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 10_2_04D90D66 Start: 04D90E06 End: 04D90E5D	10_2_04D90D66

Tries to detect sandboxes and other dynamic analysis tools (window names)

Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Open window title or class name: regmonclass
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Open window title or class name: gbdyllo
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Open window title or class name: procmon_window_class
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Open window title or class name: ollydbg
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Open window title or class name: filemonclass
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Open window title or class name: file monitor - sysinternals: www.sysinternals.com

Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: NTICE
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: SICE
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: SIWVID

Source: C:\Users\user\Desktop\jk98mGM6JH.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	Process queried: DebugPort	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Process queried: DebugPort	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Process queried: DebugPort	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Process queried: DebugPort	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Process queried: DebugPort	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Process queried: DebugPort	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\heidiVWl4S6kyYSYh\zqdrYwv5fC6zkQ9Tresm.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\heidiVWl4S6kyYSYh\zqdrYwv5fC6zkQ9Tresm.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\heidiVWl4S6kyYSYh\zqdrYwv5fC6zkQ9Tresm.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Process queried: DebugPort

Source: C:\Users\user\Desktop\jk98mGM6JH.exe

Code function: 0_2_050A0BD4 rdtsc

0_2_050A0BD4

Source: C:\Users\user\Desktop\jk98mGM6JH.exe	Code function: 0_2_0062FA70 mov eax, dword ptr fs:[00000030h]	0_2_0062FA70
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	Code function: 0_2_00624AB0 mov eax, dword ptr fs:[00000030h]	0_2_00624AB0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 10_2_003A4AB0 mov eax, dword ptr fs:[00000030h]	10_2_003A4AB0

Source: C:\Users\user\AppData\Local\Temp\heidiVWl4S6kyYSYh\zqdrYwv5fC6zkQ9Tresm.exe

Process token adjusted: Debug

Source: C:\Users\user\AppData\Local\Temp\heidiVWl4S6kyYSYh\zqdrYwv5fC6zkQ9Tresm.exe

Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Disables Windows Defender (deletes autostart)

Source: C:\Users\user\Desktop\jk98mGM6JH.exe	Registry value deleted: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{853BCFF5-355A-4137-B729-011A9504EFE0}Machine\SOFTWARE\Policies\Microsoft\Windows Defender DisableAntiSpyware	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Registry value deleted: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{7A9DF558-D1DA-4A98-9FEA-833CADC1CE86}Machine\SOFTWARE\Policies\Microsoft\Windows Defender DisableAntiSpyware	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Registry value deleted: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{58F3DD1F-6B96-4659-9F5C-C3B235BF6A97}Machine\SOFTWARE\Policies\Microsoft\Windows Defender DisableAntiSpyware	Jump to behavior

Source: C:\Users\user\Desktop\jk98mGM6JH.exe	Process created: C:\Users\user\AppData\Local\Temp\heidiVWl4S6kyYSYh\PLO4plFr34jobsiEh08j.exe "C:\Users\user\AppData\Local\Temp\heidiVWl4S6kyYSYh\PLO4plFr34jobsiEh08j.exe"	Jump to behavior
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	Process created: C:\Users\user\AppData\Local\Temp\heidiVWl4S6kyYSYh\zqdrYwv5fC6zkQ9Tresm.exe "C:\Users\user\AppData\Local\Temp\heidiVWl4S6kyYSYh\zqdrYwv5fC6zkQ9Tresm.exe"	Jump to behavior
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	Process created: C:\Users\user\AppData\Local\Temp\heidiVWl4S6kyYSYh\Cr6QVRpzwqhYjtnCxFSW.exe "C:\Users\user\AppData\Local\Temp\heidiVWl4S6kyYSYh\Cr6QVRpzwqhYjtnCxFSW.exe"	Jump to behavior
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\heidiVWl4S6kyYSYh\PLO4plFr34jobsiEh08j.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://www.youtube.com/
Source: C:\Users\user\AppData\Local\Temp\heidiVWl4S6kyYSYh\PLO4plFr34jobsiEh08j.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://www.linkedin.com/login
Source: C:\Users\user\AppData\Local\Temp\heidiVWl4S6kyYSYh\PLO4plFr34jobsiEh08j.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://www.facebook.com/video
Source: C:\Users\user\AppData\Local\Temp\heidiVWl4S6kyYSYh\PLO4plFr34jobsiEh08j.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://accounts.google.com/
Source: C:\Users\user\AppData\Local\Temp\heidiVWl4S6kyYSYh\PLO4plFr34jobsiEh08j.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" https://www.youtube.com
Source: C:\Users\user\AppData\Local\Temp\heidiVWl4S6kyYSYh\PLO4plFr34jobsiEh08j.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" https://www.facebook.com/video
Source: C:\Users\user\AppData\Local\Temp\heidiVWl4S6kyYSYh\PLO4plFr34jobsiEh08j.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" https://accounts.google.com
Source: C:\Users\user\AppData\Local\Temp\heidiVWl4S6kyYSYh\PLO4plFr34jobsiEh08j.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com
Source: C:\Users\user\AppData\Local\Temp\heidiVWl4S6kyYSYh\PLO4plFr34jobsiEh08j.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.facebook.com/video
Source: C:\Users\user\AppData\Local\Temp\heidiVWl4S6kyYSYh\PLO4plFr34jobsiEh08j.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" https://accounts.google.com
Source: C:\Users\user\AppData\Local\Temp\heidiVWl4S6kyYSYh\PLO4plFr34jobsiEh08j.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com
Source: C:\Users\user\AppData\Local\Temp\heidiVWl4S6kyYSYh\PLO4plFr34jobsiEh08j.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.facebook.com/video
Source: C:\Users\user\AppData\Local\Temp\heidiVWl4S6kyYSYh\PLO4plFr34jobsiEh08j.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com

Source: jk98mGM6JH.exe, 00000000.00000003.2522548719.0000000006A2F000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2805785713.00000000084B6000.00000004.00000020.00020000.00000000.sdmp, PLO4plFr34jobsiEh08j.exe, 0000000F.00000002.3533826611.0000000000CC2000.00000002.00000001.01000000.00000008.sdmp	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: jk98mGM6JH.exe, jk98mGM6JH.exe, 00000000.00000002.2656900421.00000000008DE000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, MPGPH131.exe, 0000000A.00000002.3051572033.000000000065E000.00000040.00000001.01000000.00000005.sdmp	Binary or memory string: @Program Manager

Source: C:\Users\user\Desktop\jk98mGM6JH.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior

Source: C:\Users\user\Desktop\jk98mGM6JH.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\heidiVWl4S6kyYSYh\Cr6QVRpzwqhYjtnCxFSW.exe	Queries volume information: C:\ VolumeInformation

Source: C:\Users\user\Desktop\jk98mGM6JH.exe

Code function: 0_2_006ECCDC GetSystemTimePreciseAsFileTime,GetSystemTimePreciseAsFileTime,

0_2_006ECCDC

Source: C:\Users\user\Desktop\jk98mGM6JH.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Disable Windows Defender notifications (registry)

Source: C:\Users\user\AppData\Local\Temp\heidiVWl4S6kyYSYh\zqdrYwv5fC6zkQ9Tresm.exe

Registry key value created / modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications DisableNotifications 1

Disable Windows Defender real time protection (registry)

Source: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{853BCFF5-355A-4137-B729-011A9504EFE0}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions	Registry value created: Exclusions_Extensions 1	Jump to behavior
Source: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{853BCFF5-355A-4137-B729-011A9504EFE0}Machine\SOFTWARE\Policies\Microsoft\Windows Defender	Registry value created: DisableAntiSpyware 1	Jump to behavior
Source: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{853BCFF5-355A-4137-B729-011A9504EFE0}Machine\SOFTWARE\Policies\Microsoft\Windows Defender	Registry value created: DisableRoutinelyTakingAction 1	Jump to behavior
Source: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{853BCFF5-355A-4137-B729-011A9504EFE0}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	Registry value created: DisableBehaviorMonitoring 1	Jump to behavior
Source: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{853BCFF5-355A-4137-B729-011A9504EFE0}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	Registry value created: DisableOnAccessProtection 1	Jump to behavior
Source: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{853BCFF5-355A-4137-B729-011A9504EFE0}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	Registry value created: DisableScanOnRealtimeEnable 1	Jump to behavior
Source: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{853BCFF5-355A-4137-B729-011A9504EFE0}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	Registry value created: DisableRealtimeMonitoring 1	Jump to behavior
Source: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{853BCFF5-355A-4137-B729-011A9504EFE0}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	Registry value created: DisableIOAVProtection 1	Jump to behavior
Source: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{853BCFF5-355A-4137-B729-011A9504EFE0}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	Registry value created: DisableRawWriteNotification 1	Jump to behavior
Source: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{7A9DF558-D1DA-4A98-9FEA-833CADC1CE86}Machine\SOFTWARE\Policies\Microsoft\Windows Defender	Registry value created: DisableAntiSpyware 1	Jump to behavior
Source: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{7A9DF558-D1DA-4A98-9FEA-833CADC1CE86}Machine\SOFTWARE\Policies\Microsoft\Windows Defender	Registry value created: DisableRoutinelyTakingAction 1	Jump to behavior
Source: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{7A9DF558-D1DA-4A98-9FEA-833CADC1CE86}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions	Registry value created: Exclusions_Extensions 1	Jump to behavior
Source: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{7A9DF558-D1DA-4A98-9FEA-833CADC1CE86}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	Registry value created: DisableBehaviorMonitoring 1	Jump to behavior
Source: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{7A9DF558-D1DA-4A98-9FEA-833CADC1CE86}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	Registry value created: DisableOnAccessProtection 1	Jump to behavior
Source: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{7A9DF558-D1DA-4A98-9FEA-833CADC1CE86}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	Registry value created: DisableScanOnRealtimeEnable 1	Jump to behavior
Source: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{7A9DF558-D1DA-4A98-9FEA-833CADC1CE86}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	Registry value created: DisableRealtimeMonitoring 1	Jump to behavior
Source: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{7A9DF558-D1DA-4A98-9FEA-833CADC1CE86}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	Registry value created: DisableIOAVProtection 1	Jump to behavior
Source: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{7A9DF558-D1DA-4A98-9FEA-833CADC1CE86}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	Registry value created: DisableRawWriteNotification 1	Jump to behavior
Source: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{58F3DD1F-6B96-4659-9F5C-C3B235BF6A97}Machine\SOFTWARE\Policies\Microsoft\Windows Defender	Registry value created: DisableAntiSpyware 1	Jump to behavior
Source: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{58F3DD1F-6B96-4659-9F5C-C3B235BF6A97}Machine\SOFTWARE\Policies\Microsoft\Windows Defender	Registry value created: DisableRoutinelyTakingAction 1	Jump to behavior
Source: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{58F3DD1F-6B96-4659-9F5C-C3B235BF6A97}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions	Registry value created: Exclusions_Extensions 1	Jump to behavior
Source: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{58F3DD1F-6B96-4659-9F5C-C3B235BF6A97}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	Registry value created: DisableBehaviorMonitoring 1	Jump to behavior
Source: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{58F3DD1F-6B96-4659-9F5C-C3B235BF6A97}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	Registry value created: DisableOnAccessProtection 1	Jump to behavior
Source: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{58F3DD1F-6B96-4659-9F5C-C3B235BF6A97}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	Registry value created: DisableScanOnRealtimeEnable 1	Jump to behavior
Source: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{58F3DD1F-6B96-4659-9F5C-C3B235BF6A97}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	Registry value created: DisableRealtimeMonitoring 1	Jump to behavior
Source: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{58F3DD1F-6B96-4659-9F5C-C3B235BF6A97}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	Registry value created: DisableIOAVProtection 1	Jump to behavior
Source: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{58F3DD1F-6B96-4659-9F5C-C3B235BF6A97}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	Registry value created: DisableRawWriteNotification 1	Jump to behavior
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications	Registry value created: DisableNotifications 1

Disables Windows Defender Tamper protection

Source: C:\Users\user\AppData\Local\Temp\heidiVWl4S6kyYSYh\zqdrYwv5fC6zkQ9Tresm.exe

Registry value created: TamperProtection 0

Exclude list of file types from scheduled, custom, and real-time scanning

Source: C:\Users\user\Desktop\jk98mGM6JH.exe	Registry value created: Exclusions_Extensions 1	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Registry value created: Exclusions_Extensions 1	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Registry value created: Exclusions_Extensions 1	Jump to behavior

Modifies Group Policy settings

Source: C:\Users\user\Desktop\jk98mGM6JH.exe

File written: C:\Windows\System32\GroupPolicy\GPT.INI

Jump to behavior

Modifies windows update settings

Source: C:\Users\user\AppData\Local\Temp\heidiVWl4S6kyYSYh\zqdrYwv5fC6zkQ9Tresm.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU AUOptions
Source: C:\Users\user\AppData\Local\Temp\heidiVWl4S6kyYSYh\zqdrYwv5fC6zkQ9Tresm.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU AutoInstallMinorUpdates
Source: C:\Users\user\AppData\Local\Temp\heidiVWl4S6kyYSYh\zqdrYwv5fC6zkQ9Tresm.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate DoNotConnectToWindowsUpdateInternetLocations

Stealing of Sensitive Information

Yara detected RisePro Stealer

Source: Yara match	File source: 0000000A.00000002.3050100739.0000000000391000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000003.2269427007.00000000050A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2099303367.0000000004EE0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000028.00000002.2665861162.0000000000E51000.00000040.00000001.01000000.0000000D.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000003.2508379808.00000000049D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2670860055.00000000010CC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2539923574.0000000001001000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.2159594281.00000000049A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000002.2670001934.0000000001001000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2645200426.0000000000611000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000003.2161145290.0000000004BB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: jk98mGM6JH.exe PID: 1832, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RageMP131.exe PID: 3968, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RageMP131.exe PID: 9716, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Cr6QVRpzwqhYjtnCxFSW.exe PID: 10132, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\2DNcPleZ9unxLWQic11TF6k.zip, type: DROPPED

Found many strings related to Crypto-Wallets (likely being stolen)

Source: jk98mGM6JH.exe, 00000000.00000003.2206621281.0000000006038000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets
Source: jk98mGM6JH.exe, 00000000.00000003.2206621281.0000000006038000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: C:\Users\user\AppData\Roaming\ElectronCash\wallets
Source: jk98mGM6JH.exe, 00000000.00000003.2206621281.0000000006038000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: C:\Users\user\AppData\Roaming\Jaxx\Local Storage
Source: jk98mGM6JH.exe, 00000000.00000003.2206621281.0000000006038000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: jk98mGM6JH.exe, 00000000.00000003.2206621281.0000000006038000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: C:\Users\user\AppData\Roaming\Ethereum\wallets
Source: jk98mGM6JH.exe, 00000000.00000003.2206621281.0000000006038000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: jk98mGM6JH.exe, 00000000.00000003.2206621281.0000000006038000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: C:\Users\user\AppData\Roaming\Binance\app-store.json
Source: jk98mGM6JH.exe, 00000000.00000003.2206621281.0000000006038000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: C:\Users\user\AppData\Roaming\Ethereum\wallets
Source: jk98mGM6JH.exe, 00000000.00000003.2206621281.0000000006038000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: jk98mGM6JH.exe, 00000000.00000003.2208633321.0000000006040000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: C:\Users\user\AppData\Roaming\MultiDoge\multidoge.wallet
Source: firefox.exe, 0000002A.00000003.2865926671.0000025D9DB81000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: keysToRemoveB

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\ProgramData\MPGPH131\MPGPH131.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai\CURRENT	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\LocalPrefs.json	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\logins.json	Jump to behavior
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj\CURRENT	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn\CURRENT	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\places.sqlite	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj\CURRENT	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai\CURRENT	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\formhistory.sqlite	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\0absryc3.default\formhistory.sqlite	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\signons.sqlite	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\0absryc3.default\logins.json	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi\CURRENT	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj\CURRENT	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\kncchdigobghenbbaddojjnnaogfppfj\CURRENT	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\0absryc3.default\signons.sqlite	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi\CURRENT	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn\CURRENT	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne\CURRENT	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\chrome-extension_cjelfplplebdjjenllpjcblmjkfcffne_0.indexeddb.leveldb\CURRENT	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig\CURRENT	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig\CURRENT	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne\CURRENT	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\0absryc3.default\places.sqlite	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\jk98mGM6JH.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\jk98mGM6JH.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior

Source: Yara match

File source: Process Memory Space: jk98mGM6JH.exe PID: 1832, type: MEMORYSTR

Remote Access Functionality

Yara detected RisePro Stealer

Source: Yara match	File source: 0000000A.00000002.3050100739.0000000000391000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000003.2269427007.00000000050A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2099303367.0000000004EE0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000028.00000002.2665861162.0000000000E51000.00000040.00000001.01000000.0000000D.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000003.2508379808.00000000049D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2670860055.00000000010CC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2539923574.0000000001001000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.2159594281.00000000049A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000002.2670001934.0000000001001000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2645200426.0000000000611000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000003.2161145290.0000000004BB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: jk98mGM6JH.exe PID: 1832, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RageMP131.exe PID: 3968, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RageMP131.exe PID: 9716, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Cr6QVRpzwqhYjtnCxFSW.exe PID: 10132, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\2DNcPleZ9unxLWQic11TF6k.zip, type: DROPPED

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	1 Drive-by Compromise	2 Command and Scripting Interpreter	1 DLL Side-Loading	1 DLL Side-Loading	81 Disable or Modify Tools	1 OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Scheduled Task/Job	1 Scheduled Task/Job	2 Bypass User Account Control	1 Deobfuscate/Decode Files or Information	LSASS Memory	3 File and Directory Discovery	Remote Desktop Protocol	2 Data from Local System	2 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	1 Registry Run Keys / Startup Folder	1 Extra Window Memory Injection	3 Obfuscated Files or Information	Security Account Manager	225 System Information Discovery	SMB/Windows Admin Shares	1 Email Collection	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	12 Process Injection	12 Software Packing	NTDS	1 Query Registry	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	1 Scheduled Task/Job	1 DLL Side-Loading	LSA Secrets	741 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	1 Registry Run Keys / Startup Folder	2 Bypass User Account Control	Cached Domain Credentials	271 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Extra Window Memory Injection	DCSync	3 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	11 Masquerading	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	271 Virtualization/Sandbox Evasion	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	12 Process Injection	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
jk98mGM6JH.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\ProgramData\MPGPH131\MPGPH131.exe	100%	Joe Sandbox ML
C:\ProgramData\MPGPH131\MPGPH131.exe	42%	ReversingLabs	Win32.Trojan.Zusy
C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	42%	ReversingLabs	Win32.Trojan.Zusy
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll (copy)	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll.tmp	0%	ReversingLabs

Source	Detection	Scanner	Label
https://pki.goog/repository/0	0%	URL Reputation	safe
http://x1.c.lencr.org/0	0%	URL Reputation	safe
http://x1.i.lencr.org/0	0%	URL Reputation	safe
https://www.amazon.co.uk/	0%	URL Reputation	safe
http://185.215.113.46/cost/fu.exe22jBF8	100%	Avira URL Cloud	malware
http://185.215.113.46/cost/fu.exegerta	100%	Avira URL Cloud	malware
http://ocsp.rootca1.amazontrust.com0:	0%	Avira URL Cloud	safe
https://www.bbc.co.uk/	0%	Avira URL Cloud	safe
http://185.215.113.46/cost/well.exeAppData	100%	Avira URL Cloud	malware
http://185.215.113.46/cost/fu.exek	100%	Avira URL Cloud	malware
http://127.0.0.1:	0%	Avira URL Cloud	safe
https://accounts.google.comC:	0%	Avira URL Cloud	safe
http://185.215.113.46/cost/well.exe	100%	Avira URL Cloud	malware
http://185.215.113.46/cost/fu.exe	100%	Avira URL Cloud	malware
https://searchfox.org/mozilla-central/source/toolkit/components/search/SearchUtils.jsm#145-152	0%	Avira URL Cloud	safe
http://crl.pki.goog/gsr1/gsr1.crl0;	0%	Avira URL Cloud	safe
http://185.215.113.46/cost/fu.exen	100%	Avira URL Cloud	malware
http://185.215.113.46/mine/plaza.exet	100%	Avira URL Cloud	malware
https://www.youtube.com--attempting-deelevation	0%	Avira URL Cloud	safe
http://mozilla.o	0%	Avira URL Cloud	safe
https://www.youtube.comC:	0%	Avira URL Cloud	safe
https://accounts.google.comxv	0%	Avira URL Cloud	safe
http://185.215.113.46/cost/well.exenBuil6N	100%	Avira URL Cloud	malware
http://13.46/cexe	0%	Avira URL Cloud	safe
https://accounts.google.comeo	0%	Avira URL Cloud	safe
http://pki.goog/gsr1/gsr1.crt02	0%	Avira URL Cloud	safe
http://185.215.113.46/mine/plaza.exe	100%	Avira URL Cloud	malware
http://185.215.113.46/cost/niks.exed	100%	Avira URL Cloud	malware
http://185.215.113.46/cost/ladas.exel	100%	Avira URL Cloud	malware
http://185.215.113.46/cost/well.exe6	100%	Avira URL Cloud	malware
http://185.215.113.46/cost/fu.exegertaA	100%	Avira URL Cloud	malware

Name	Malicious	Antivirus Detection	Reputation
https://accounts.youtube.com/accounts/CheckConnection?pmpo=https%3A%2F%2Faccounts.google.com&v=-1812329813&timestamp=1708035730584	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://duckduckgo.com/chrome_newtab	jk98mGM6JH.exe, 00000000.00000003.2182856234.0000000006048000.00000004.00000020.00020000.00000000.sdmp, jk98mGM6JH.exe, 00000000.00000003.2189976218.0000000006075000.00000004.00000020.00020000.00000000.sdmp, jk98mGM6JH.exe, 00000000.00000003.2185089579.0000000006061000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2551384293.0000000005C1C000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2576867180.0000000005C46000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2553718200.0000000005D27000.00000004.00000020.00020000.00000000.sdmp	false		high
https://duckduckgo.com/ac/?q=	jk98mGM6JH.exe, 00000000.00000003.2182856234.0000000006048000.00000004.00000020.00020000.00000000.sdmp, jk98mGM6JH.exe, 00000000.00000003.2189976218.0000000006075000.00000004.00000020.00020000.00000000.sdmp, jk98mGM6JH.exe, 00000000.00000003.2185089579.0000000006061000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2551384293.0000000005C1C000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2576867180.0000000005C46000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2553718200.0000000005D27000.00000004.00000020.00020000.00000000.sdmp	false		high
http://185.215.113.46/cost/fu.exe22jBF8	RageMP131.exe, 00000022.00000002.2657858021.000000000066B000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://getpocket.cdn.mozilla.net/v3/firefox/trending-topics?version=2&consumer_key=$apiKey&locale_l	firefox.exe, 0000002A.00000003.3013298836.0000025DA3316000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002A.00000003.2864530719.0000025DA0F18000.00000004.00000800.00020000.00000000.sdmp	false		high
http://185.215.113.46/cost/fu.exek	RageMP131.exe, 0000000D.00000002.2536747684.0000000000C5A000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://accounts.google.com/ServiceLogin?passive=1209600&continue=https%3A%2F%2Faccounts.google.com%	MPGPH131.exe, 0000000A.00000002.3120615821.0000000007226000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000002A.00000003.3000180526.0000025DA7482000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002A.00000003.2867490495.0000025D9D898000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002A.00000003.2874737929.0000025D9C496000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002A.00000003.2867490495.0000025D9D8BA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002A.00000003.2889197168.0000025D9CB31000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002A.00000003.2880089736.0000025DA284E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002A.00000003.2862799593.0000025DA1087000.00000004.00000800.00020000.00000000.sdmp	false		high
https://json-schema.org/draft/2019-09/schema.	firefox.exe, 0000002A.00000003.2871233509.0000025D9CB97000.00000004.00000800.00020000.00000000.sdmp	false		high
http://pki-crl.symauth.com/offlineca/TheInstituteofElectricalandElectronicsusersIncIEEERootCA.cr	Cr6QVRpzwqhYjtnCxFSW.exe, 00000028.00000002.2668233517.00000000014A1000.00000040.00000001.01000000.0000000D.sdmp, Cr6QVRpzwqhYjtnCxFSW.exe, 00000028.00000000.2348106157.0000000001743000.00000080.00000001.01000000.0000000D.sdmp	false		high
https://www.leboncoin.fr/	firefox.exe, 0000002A.00000003.2871233509.0000025D9CB46000.00000004.00000800.00020000.00000000.sdmp	false		high
http://mozilla.o	firefox.exe, 0000002A.00000003.2838482055.0000025DA704D000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://185.215.113.46/cost/well.exeAppData	jk98mGM6JH.exe, 00000000.00000002.2761057014.0000000006083000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://t.me/risepro	RageMP131.exe, 00000022.00000002.2657858021.00000000006DB000.00000004.00000020.00020000.00000000.sdmp	false		high
https://spocs.getpocket.com/spocs	firefox.exe, 0000002A.00000003.2871233509.0000025D9CB46000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.amazon.com/exec/obidos/external-search/?field-keywords=&ie=UTF-8&mode=blended&tag=mozill	firefox.exe, 0000002A.00000003.2575167409.0000025D9D449000.00000004.00000800.00020000.00000000.sdmp	false		high
https://t.me/risepro_botuZ	RageMP131.exe, 0000000D.00000002.2536747684.0000000000C5A000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.youtube.com	firefox.exe, 00000029.00000002.2400183079.000001CFAD7C0000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000002A.00000003.2559294871.0000025D9D690000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002A.00000003.2578860426.0000025D9D690000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002A.00000003.2625854245.0000025D9D690000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002A.00000003.2671231461.0000025D9D682000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002A.00000003.2676333857.0000025D9D69E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002A.00000003.2662734500.0000025D9D682000.00000004.00000800.00020000.00000000.sdmp	false		high
http://185.215.113.46/cost/fu.exegerta	MPGPH131.exe, 0000000A.00000002.3078808474.0000000000D72000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://completion.amazon.com/search/complete?q=	firefox.exe, 0000002A.00000003.2575885925.0000025D9CBED000.00000004.00000800.00020000.00000000.sdmp	false		high
http://185.215.113.46/mine/plaza.exet	MPGPH131.exe, 0000000A.00000003.2551332362.0000000000D8A000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000002.3078808474.0000000000D72000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2512497916.0000000000D8A000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2567719088.0000000000D8A000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2574783511.0000000000D8A000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2561440707.0000000000D8A000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2536830785.0000000000D8A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://identity.mozilla.com/ids/ecosystem_telemetryU	firefox.exe, 0000002A.00000003.2865926671.0000025D9DB5C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ipinfo.io/o?iz	MPGPH131.exe, 0000000A.00000002.3078808474.0000000000D10000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.amazon.com/exec/obidos/external-search/	firefox.exe, 0000002A.00000003.2480242544.0000025D98800000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002A.00000003.2857684648.0000025DA12A2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002A.00000003.2480764925.0000025D98A07000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002A.00000003.2961467272.0000025DA1156000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002A.00000003.2482353490.0000025D98A4A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002A.00000003.2489554800.0000025D94EBD000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.msn.com	firefox.exe, 0000002A.00000003.2874498443.0000025D9C4A4000.00000004.00000800.00020000.00000000.sdmp	false		high
https://mitmdetection.services.mozilla.com	firefox.exe, 0000002A.00000003.2844586974.0000025DA6B7C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.youtube.com--attempting-deelevation	firefox.exe, 00000029.00000002.2400183079.000001CFAD7C0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/mozilla-services/screenshots	firefox.exe, 0000002A.00000003.2480242544.0000025D98800000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002A.00000003.2480764925.0000025D98A07000.00000004.00000800.00020000.00000000.sdmp	false		high
https://json-schema.org/draft/2020-12/schema/=	firefox.exe, 0000002A.00000003.2871233509.0000025D9CB97000.00000004.00000800.00020000.00000000.sdmp	false		high
http://185.215.113.46/cost/fu.exe	jk98mGM6JH.exe, 00000000.00000002.2670860055.0000000001104000.00000004.00000020.00020000.00000000.sdmp, jk98mGM6JH.exe, 00000000.00000002.2761057014.000000000605F000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2588693585.0000000000E76000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2586382834.0000000000E76000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2514029667.0000000000E76000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2582587481.0000000000E76000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2591400353.0000000000E76000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2603704872.0000000000E76000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2571175674.0000000000E76000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2605609465.0000000000E76000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2551332362.0000000000D8A000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000002.3078808474.0000000000D72000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2512497916.0000000000D8A000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2567719088.0000000000D8A000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2574783511.0000000000D8A000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2561440707.0000000000D8A000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2536830785.0000000000D8A000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000D.00000002.2536747684.0000000000C5A000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000022.00000002.2657858021.000000000066B000.00000004.00000020.00020000.00000000.sdmp, Cr6QVRpzwqhYjtnCxFSW.exe, 00000028.00000002.2650610233.000000000077E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://www.amazon.com/	firefox.exe, 0000002A.00000003.2569951826.0000025D9D793000.00000004.00000800.00020000.00000000.sdmp	false		high
https://shavar.services.mozilla.com/downloads?client=SAFEBROWSING_ID&appver=118.0&pver=2.2	firefox.exe, 0000002A.00000003.2575167409.0000025D9D449000.00000004.00000800.00020000.00000000.sdmp	false		high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	jk98mGM6JH.exe, 00000000.00000003.2182856234.0000000006048000.00000004.00000020.00020000.00000000.sdmp, jk98mGM6JH.exe, 00000000.00000003.2189976218.0000000006075000.00000004.00000020.00020000.00000000.sdmp, jk98mGM6JH.exe, 00000000.00000003.2185089579.0000000006061000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2551384293.0000000005C1C000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2576867180.0000000005C46000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2553718200.0000000005D27000.00000004.00000020.00020000.00000000.sdmp	false		high
https://t.me/RiseProSUPPORT	jk98mGM6JH.exe, 00000000.00000002.2670860055.00000000010CC000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000D.00000002.2536747684.0000000000BEE000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000022.00000002.2657858021.000000000066B000.00000004.00000020.00020000.00000000.sdmp, Cr6QVRpzwqhYjtnCxFSW.exe, 00000028.00000002.2650610233.000000000071E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.linkedin.com/login_s	PLO4plFr34jobsiEh08j.exe, 0000000F.00000002.3535890992.0000000000DA3000.00000004.00000020.00020000.00000000.sdmp	false		high
http://ocsp.rootca1.amazontrust.com0:	firefox.exe, 0000002A.00000003.2914161348.0000025D9CAF3000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://pki.goog/repository/0	firefox.exe, 0000002A.00000003.2874737929.0000025D9C483000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002A.00000003.2914161348.0000025D9CAF3000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.ecosia.org/newtab/	jk98mGM6JH.exe, 00000000.00000003.2182856234.0000000006048000.00000004.00000020.00020000.00000000.sdmp, jk98mGM6JH.exe, 00000000.00000003.2189976218.0000000006075000.00000004.00000020.00020000.00000000.sdmp, jk98mGM6JH.exe, 00000000.00000003.2185089579.0000000006061000.00000004.00000020.00020000.00000000.sdmp, jk98mGM6JH.exe, 00000000.00000003.2185729135.0000000006063000.00000004.00000020.00020000.00000000.sdmp, jk98mGM6JH.exe, 00000000.00000003.2185578857.0000000006063000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2551384293.0000000005C1C000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2576867180.0000000005C46000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2553718200.0000000005D27000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.youtube.com/	firefox.exe, 0000002A.00000003.2569951826.0000025D9D793000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002A.00000003.2806719806.0000025D995D1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.bbc.co.uk/	firefox.exe, 0000002A.00000003.2871233509.0000025D9CB46000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://getpocket.cdn.mozilla.net/v3/firefox/global-recs?version=3&consumer_key=$apiKey&locale_lang=	firefox.exe, 0000002A.00000003.2574299512.0000025DA1249000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002A.00000003.3013298836.0000025DA3316000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002A.00000003.2864530719.0000025DA0F18000.00000004.00000800.00020000.00000000.sdmp	false		high
http://127.0.0.1:	firefox.exe, 0000002A.00000003.2855426882.0000025DA2EF0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002A.00000003.3017006577.0000025DA2EF0000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.youtube.com/s/desktop/bdb59273/jsbin/web-animations-next-lite.min.vflset/web-animations-	firefox.exe, 0000002A.00000003.3000180526.0000025DA747D000.00000004.00000800.00020000.00000000.sdmp	false		high
https://searchfox.org/mozilla-central/source/toolkit/components/search/SearchUtils.jsm#145-152	firefox.exe, 0000002A.00000003.2668225406.0000025D95BC9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002A.00000003.2951582876.0000025D95B83000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ipinfo.io/	MPGPH131.exe, 0000000A.00000002.3078808474.0000000000D72000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2536830785.0000000000D72000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2512497916.0000000000D8A000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2567719088.0000000000D8A000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2567719088.0000000000D72000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2574783511.0000000000D8A000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2512497916.0000000000D72000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2561440707.0000000000D72000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2574783511.0000000000D72000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2561440707.0000000000D8A000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2536830785.0000000000D8A000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000D.00000002.2536747684.0000000000C5A000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000D.00000002.2536747684.0000000000C8F000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000D.00000002.2536747684.0000000000BEE000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000D.00000002.2536747684.0000000000C2B000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000022.00000002.2657858021.00000000006DB000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000022.00000002.2657858021.00000000006C2000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000022.00000002.2657858021.000000000066B000.00000004.00000020.00020000.00000000.sdmp, Cr6QVRpzwqhYjtnCxFSW.exe, 00000028.00000002.2650610233.000000000077E000.00000004.00000020.00020000.00000000.sdmp, Cr6QVRpzwqhYjtnCxFSW.exe, 00000028.00000002.2650610233.0000000000767000.00000004.00000020.00020000.00000000.sdmp, Cr6QVRpzwqhYjtnCxFSW.exe, 00000028.00000002.2650610233.0000000000773000.00000004.00000020.00020000.00000000.sdmp	false		high
https://mitmdetection.services.mozilla.com/	firefox.exe, 0000002A.00000003.2868065030.0000025D9D7D3000.00000004.00000800.00020000.00000000.sdmp	false		high
https://shavar.services.mozilla.com/	firefox.exe, 0000002A.00000003.2871233509.0000025D9CB46000.00000004.00000800.00020000.00000000.sdmp	false		high
http://185.215.113.46/cost/fu.exen	jk98mGM6JH.exe, 00000000.00000002.2761057014.000000000605F000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://accounts.google.comC:	PLO4plFr34jobsiEh08j.exe, 0000000F.00000002.3529684760.0000000000990000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000027.00000002.2443870042.0000020FCB850000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ipinfo.io:443/widget/demo/191.96.227.222	jk98mGM6JH.exe, 00000000.00000002.2670860055.000000000105E000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2514029667.0000000000E5B000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2571175674.0000000000E5B000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2588693585.0000000000E5B000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2591400353.0000000000E5B000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2605609465.0000000000E5B000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2582587481.0000000000E5B000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2603704872.0000000000E5B000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2586382834.0000000000E5B000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2551332362.0000000000D72000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000002.3078808474.0000000000D72000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2536830785.0000000000D72000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2567719088.0000000000D72000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2512497916.0000000000D72000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2561440707.0000000000D72000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2574783511.0000000000D72000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000D.00000002.2536747684.0000000000C4D000.00000004.00000020.00020000.00000000.sdmp, Cr6QVRpzwqhYjtnCxFSW.exe, 00000028.00000002.2650610233.0000000000773000.00000004.00000020.00020000.00000000.sdmp	false		high
https://spocs.getpocket.com/	firefox.exe, 0000002A.00000003.2564308495.0000025DA2D57000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002A.00000003.2864530719.0000025DA0F18000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002A.00000003.2856459014.0000025DA2D57000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002A.00000003.2878599347.0000025DA2D57000.00000004.00000800.00020000.00000000.sdmp	false		high
http://185.215.113.46/cost/well.exe	RageMP131.exe, 00000022.00000002.2657858021.00000000006B2000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000022.00000002.2657858021.00000000006DB000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://www.iqiyi.com/	firefox.exe, 0000002A.00000003.2871233509.0000025D9CB46000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.pki.goog/gsr1/gsr1.crl0;	firefox.exe, 0000002A.00000003.2874737929.0000025D9C483000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://services.addons.mozilla.org/api/v4/addons/search/?guid=default-theme%40mozilla.org%2Caddons-	firefox.exe, 0000002A.00000003.3017006577.0000025DA2EF0000.00000004.00000800.00020000.00000000.sdmp	false		high
https://t.me/riseprom	RageMP131.exe, 00000022.00000002.2657858021.00000000006DB000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.youtube.comC:	firefox.exe, 00000021.00000002.2386659460.000001716F390000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://t.me/risepro_botW	Cr6QVRpzwqhYjtnCxFSW.exe, 00000028.00000002.2650610233.000000000077E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://youtube.com/https://www.youtube.com/youtube.comQ	MPGPH131.exe, 0000000A.00000003.2516733304.0000000005D10000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.youtube.com/ei	MPGPH131.exe, 0000000A.00000002.3106488836.0000000006342000.00000004.00000020.00020000.00000000.sdmp	false		high
http://mozilla.org/MPL/2.0/.	firefox.exe, 0000002A.00000003.2567909028.0000025DA1292000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002A.00000003.3001881155.0000025DA740B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002A.00000003.2785555547.0000025D9827F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002A.00000003.2982409537.0000025D98396000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002A.00000003.2877038248.0000025D99B1B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002A.00000003.2851446275.0000025DA3327000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002A.00000003.3004996804.0000025DA7348000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002A.00000003.2789678989.0000025D98B45000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002A.00000003.2790125806.0000025D98BF6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002A.00000003.2805681316.0000025D9889F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002A.00000003.2836960295.0000025D983CC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002A.00000003.2616425023.0000025D988AB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002A.00000003.2784587168.0000025D98B34000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002A.00000003.2684449918.0000025D98282000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002A.00000003.2805681316.0000025D988B0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002A.00000003.2755939146.0000025D9492F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002A.00000003.2823879379.0000025D988B8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002A.00000003.2955573200.0000025D98BE4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002A.00000003.2857902611.0000025DA1285000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002A.00000003.2620749654.0000025DA117D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002A.00000003.2670258020.0000025D9492F000.00000004.00000800.00020000.00000000.sdmp	false		high
https://t.me/risepro_bot&	jk98mGM6JH.exe, 00000000.00000002.2670860055.0000000001104000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000D.00000002.2536747684.0000000000C5A000.00000004.00000020.00020000.00000000.sdmp	false		high
https://accounts.google.com/Yoc	MPGPH131.exe, 0000000A.00000002.3078808474.0000000000D72000.00000004.00000020.00020000.00000000.sdmp	false		high
http://x1.c.lencr.org/0	firefox.exe, 0000002A.00000003.2914161348.0000025D9CAF3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002A.00000003.2868987909.0000025D9D438000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002A.00000003.2575167409.0000025D9D438000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://x1.i.lencr.org/0	firefox.exe, 0000002A.00000003.2914161348.0000025D9CAF3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002A.00000003.2868987909.0000025D9D438000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002A.00000003.2575167409.0000025D9D438000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.youtube.com/s/desktop/bdb59273/jsbin/custom-elements-es5-adapter.vflset/c	firefox.exe, 0000002A.00000003.3000180526.0000025DA747D000.00000004.00000800.00020000.00000000.sdmp	false		high
https://accounts.google.comxv	PLO4plFr34jobsiEh08j.exe, 0000000F.00000002.3535890992.0000000000DA3000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://13.46/cexe	RageMP131.exe, 00000022.00000002.2657858021.00000000006DB000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
https://json-schema.org/draft/2019-09/schema	firefox.exe, 0000002A.00000003.2871233509.0000025D9CB46000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ipinfo.io/widget/demo/191.96.227.222	Cr6QVRpzwqhYjtnCxFSW.exe, 00000028.00000002.2650610233.000000000071E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://apis.google.com	firefox.exe, 0000002A.00000003.3001881155.0000025DA7405000.00000004.00000800.00020000.00000000.sdmp	false		high
http://185.215.113.46/mine/plaza.exe	jk98mGM6JH.exe, 00000000.00000002.2670860055.0000000001104000.00000004.00000020.00020000.00000000.sdmp, jk98mGM6JH.exe, 00000000.00000002.2761057014.0000000006083000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2588693585.0000000000E76000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2586382834.0000000000E76000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2514029667.0000000000E76000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2582587481.0000000000E76000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2591400353.0000000000E76000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2603704872.0000000000E76000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2571175674.0000000000E76000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2605609465.0000000000E76000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2551332362.0000000000D8A000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000002.3078808474.0000000000D72000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000002.3121450909.00000000072D9000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000002.3120713333.000000000724C000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2512497916.0000000000D8A000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2567719088.0000000000D8A000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2574783511.0000000000D8A000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2561440707.0000000000D8A000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2536830785.0000000000D8A000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000D.00000002.2536747684.0000000000C5A000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000022.00000002.2657858021.00000000006DB000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://support.mozilla.org/kb/refresh-firefox-reset-add-ons-and-settings2	firefox.exe, 0000002A.00000003.2873842339.0000025D9CAFD000.00000004.00000800.00020000.00000000.sdmp	false		high
http://185.215.113.46/cost/well.exe6	jk98mGM6JH.exe, 00000000.00000002.2761057014.00000000060A9000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	jk98mGM6JH.exe, 00000000.00000003.2182856234.0000000006048000.00000004.00000020.00020000.00000000.sdmp, jk98mGM6JH.exe, 00000000.00000003.2189976218.0000000006075000.00000004.00000020.00020000.00000000.sdmp, jk98mGM6JH.exe, 00000000.00000003.2185089579.0000000006061000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2551384293.0000000005C1C000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2576867180.0000000005C46000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2553718200.0000000005D27000.00000004.00000020.00020000.00000000.sdmp	false		high
https://accounts.google.comeo	PLO4plFr34jobsiEh08j.exe, 0000000F.00000002.3535890992.0000000000D78000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://contile.services.mozilla.com/v1/tiles	firefox.exe, 0000002A.00000003.2878280004.0000025DA2EB8000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.amazon.co.uk/	firefox.exe, 0000002A.00000003.2871233509.0000025D9CB46000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://firefox.settings.services.mozilla.com/v1/buckets/main/collections/ms-language-packs/records/	firefox.exe, 0000002A.00000003.2888666753.0000025D9CBED000.00000004.00000800.00020000.00000000.sdmp	false		high
https://screenshots.firefox.com/	firefox.exe, 0000002A.00000003.2480764925.0000025D98A07000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.google.com/search	firefox.exe, 0000002A.00000003.2569951826.0000025D9D793000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002A.00000003.2961467272.0000025DA1156000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002A.00000003.2482353490.0000025D98A4A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002A.00000003.2489554800.0000025D94EBD000.00000004.00000800.00020000.00000000.sdmp	false		high
http://json-schema.org/draft-07/schema#-	firefox.exe, 0000002A.00000003.2871233509.0000025D9CB97000.00000004.00000800.00020000.00000000.sdmp	false		high
http://pki.goog/gsr1/gsr1.crt02	firefox.exe, 0000002A.00000003.2874737929.0000025D9C483000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.wykop.pl/	firefox.exe, 0000002A.00000003.2871233509.0000025D9CB46000.00000004.00000800.00020000.00000000.sdmp	false		high
https://twitter.com/	firefox.exe, 0000002A.00000003.2569951826.0000025D9D793000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.youtube.com/s/desktop/bdb59273/jsbin/desktop_polymer.vflset/desktop_polymer.js	firefox.exe, 0000002A.00000003.3000180526.0000025DA747D000.00000004.00000800.00020000.00000000.sdmp	false		high
http://185.215.113.46/cost/ladas.exel	jk98mGM6JH.exe, 00000000.00000002.2670860055.0000000001104000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://www.olx.pl/	firefox.exe, 0000002A.00000003.2871233509.0000025D9CB46000.00000004.00000800.00020000.00000000.sdmp	false		high
https://t.me/risepro_bot	Cr6QVRpzwqhYjtnCxFSW.exe, 00000028.00000002.2650610233.000000000077E000.00000004.00000020.00020000.00000000.sdmp, Cr6QVRpzwqhYjtnCxFSW.exe, 00000028.00000002.2650610233.00000000007C7000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.google.com/complete/search	firefox.exe, 0000002A.00000003.2533774985.0000025DA11BD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002A.00000003.2540341700.0000025DA11DA000.00000004.00000800.00020000.00000000.sdmp	false		high
http://185.215.113.46/cost/well.exenBuil6N	RageMP131.exe, 00000022.00000002.2657858021.00000000006DB000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://getpocket.com/firefox/new_tab_learn_more/	firefox.exe, 0000002A.00000003.2574299512.0000025DA1249000.00000004.00000800.00020000.00000000.sdmp	false		high
https://json-schema.org/draft/2019-09/schema./	firefox.exe, 0000002A.00000003.2871233509.0000025D9CB97000.00000004.00000800.00020000.00000000.sdmp	false		high
https://getpocket.com/recommendations	firefox.exe, 0000002A.00000003.3013298836.0000025DA3316000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ipinfo.io/widget/demo/191.96.227.222I$	RageMP131.exe, 0000000D.00000002.2536747684.0000000000C2B000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/lit/lit/blob/main/packages/reactive-element/src/decorators/query.ts	firefox.exe, 0000002A.00000003.2620749654.0000025DA117D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002A.00000003.2591997474.0000025DA116F000.00000004.00000800.00020000.00000000.sdmp	false		high
http://185.215.113.46/cost/niks.exed	RageMP131.exe, 00000022.00000002.2657858021.00000000006DB000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://github.com/lit/lit/blob/main/packages/reactive-element/src/decorators/query-all.ts	firefox.exe, 0000002A.00000003.2620749654.0000025DA117D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002A.00000003.2591997474.0000025DA116F000.00000004.00000800.00020000.00000000.sdmp	false		high
https://google.com	firefox.exe, 0000002A.00000003.2575167409.0000025D9D438000.00000004.00000800.00020000.00000000.sdmp	false		high
http://185.215.113.46/cost/fu.exegertaA	jk98mGM6JH.exe, 00000000.00000002.2670860055.0000000001104000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://www.amazon.de/	firefox.exe, 0000002A.00000003.2871233509.0000025D9CB46000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
13.107.6.158	unknown	United States	8068	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
142.250.80.110	unknown	United States	15169	GOOGLEUS	false
185.215.113.46	unknown	Portugal	206894	WHOLESALECONNECTIONSNL	false
172.253.63.84	unknown	United States	15169	GOOGLEUS	false
142.251.40.202	unknown	United States	15169	GOOGLEUS	false
34.117.237.239	unknown	United States	139070	GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	false
142.250.64.99	unknown	United States	15169	GOOGLEUS	false
172.253.122.84	unknown	United States	15169	GOOGLEUS	false
157.240.241.35	unknown	United States	32934	FACEBOOKUS	false
142.250.81.238	unknown	United States	15169	GOOGLEUS	false
162.159.61.3	unknown	United States	13335	CLOUDFLARENETUS	false
142.251.40.132	unknown	United States	15169	GOOGLEUS	false
13.225.63.80	unknown	United States	16509	AMAZON-02US	false
142.250.80.1	unknown	United States	15169	GOOGLEUS	false
23.40.179.37	unknown	United States	16625	AKAMAI-ASUS	false
172.217.135.70	unknown	United States	15169	GOOGLEUS	false
40.71.99.188	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
13.107.213.40	unknown	United States	8068	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
157.240.241.1	unknown	United States	32934	FACEBOOKUS	false
204.79.197.239	unknown	United States	8068	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
34.120.208.123	unknown	United States	15169	GOOGLEUS	false
142.251.35.174	unknown	United States	15169	GOOGLEUS	false
142.250.65.234	unknown	United States	15169	GOOGLEUS	false
142.250.65.170	unknown	United States	15169	GOOGLEUS	false
23.199.65.193	unknown	United States	16625	AKAMAI-ASUS	false
1.1.1.1	unknown	Australia	13335	CLOUDFLARENETUS	false
142.250.176.214	unknown	United States	15169	GOOGLEUS	false
34.117.121.53	unknown	United States	139070	GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	false
13.107.21.239	unknown	United States	8068	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
142.250.72.102	unknown	United States	15169	GOOGLEUS	false
52.24.144.241	unknown	United States	16509	AMAZON-02US	false
142.250.80.74	unknown	United States	15169	GOOGLEUS	false
172.253.62.84	unknown	United States	15169	GOOGLEUS	false
144.2.9.1	unknown	Netherlands	14413	LINKEDINUS	false
13.107.42.16	unknown	United States	8068	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
142.251.40.214	unknown	United States	15169	GOOGLEUS	false
13.107.42.14	unknown	United States	8068	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
152.199.24.163	unknown	United States	15133	EDGECASTUS	false
142.251.40.138	unknown	United States	15169	GOOGLEUS	false
142.250.80.78	unknown	United States	15169	GOOGLEUS	false
239.255.255.250	unknown	Reserved	unknown	unknown	false
31.13.71.7	unknown	Ireland	32934	FACEBOOKUS	false
142.250.80.70	unknown	United States	15169	GOOGLEUS	false
34.160.144.191	unknown	United States	2686	ATGS-MMD-ASUS	false
142.250.72.110	unknown	United States	15169	GOOGLEUS	false
142.250.65.202	unknown	United States	15169	GOOGLEUS	false
142.251.41.4	unknown	United States	15169	GOOGLEUS	false
172.253.115.84	unknown	United States	15169	GOOGLEUS	false
142.250.80.46	unknown	United States	15169	GOOGLEUS	false
34.117.186.192	unknown	United States	139070	GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	false
23.96.180.189	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
31.13.71.36	unknown	Ireland	32934	FACEBOOKUS	false
142.250.65.182	unknown	United States	15169	GOOGLEUS	false
13.107.21.200	unknown	United States	8068	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
152.195.19.97	unknown	United States	15133	EDGECASTUS	false
142.250.176.206	unknown	United States	15169	GOOGLEUS	false
142.251.41.14	unknown	United States	15169	GOOGLEUS	false
34.117.188.166	unknown	United States	139070	GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	false
142.251.32.100	unknown	United States	15169	GOOGLEUS	false
142.251.40.194	unknown	United States	15169	GOOGLEUS	false
142.251.40.195	unknown	United States	15169	GOOGLEUS	false
142.250.65.214	unknown	United States	15169	GOOGLEUS	false
172.64.41.3	unknown	United States	13335	CLOUDFLARENETUS	false
142.251.35.170	unknown	United States	15169	GOOGLEUS	false
142.250.65.195	unknown	United States	15169	GOOGLEUS	false
34.149.100.209	unknown	United States	2686	ATGS-MMD-ASUS	false
34.107.243.93	unknown	United States	15169	GOOGLEUS	false
142.251.40.234	unknown	United States	15169	GOOGLEUS	false
193.233.132.62	unknown	Russian Federation	2895	FREE-NET-ASFREEnetEU	false
142.250.80.54	unknown	United States	15169	GOOGLEUS	false
34.107.221.82	unknown	United States	15169	GOOGLEUS	false
142.250.81.227	unknown	United States	15169	GOOGLEUS	false
142.250.64.67	unknown	United States	15169	GOOGLEUS	false
152.199.5.152	unknown	United States	15133	EDGECASTUS	false
142.250.64.65	unknown	United States	15169	GOOGLEUS	false
35.244.181.201	unknown	United States	15169	GOOGLEUS	false
142.250.65.227	unknown	United States	15169	GOOGLEUS	false
142.250.81.234	unknown	United States	15169	GOOGLEUS	false
192.229.211.108	unknown	United States	15133	EDGECASTUS	false
142.251.40.161	unknown	United States	15169	GOOGLEUS	false
172.217.135.9	unknown	United States	15169	GOOGLEUS	false
13.226.34.86	unknown	United States	16509	AMAZON-02US	false
52.12.189.203	unknown	United States	16509	AMAZON-02US	false
142.250.176.195	unknown	United States	15169	GOOGLEUS	false
142.250.176.194	unknown	United States	15169	GOOGLEUS	false
74.125.155.169	unknown	United States	15169	GOOGLEUS	false
142.250.31.84	unknown	United States	15169	GOOGLEUS	false
142.251.35.163	unknown	United States	15169	GOOGLEUS	false

Private

IP
192.168.2.6
127.0.0.1

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1393148
Start date and time:	2024-02-15 23:19:09 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 12m 14s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	53
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	jk98mGM6JH.exe renamed because original name is a hash value
Original Sample Name:	736549a437da8dacb4c1d31c33ba75b8.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@173/969@0/90
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 51% Number of executed functions: 64 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, RuntimeBroker.exe, WMIADAP.exe, SIHClient.exe, backgroundTaskHost.exe, svchost.exe
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtQueryVolumeInformationFile calls found.
Report size getting too big, too many NtReadFile calls found.
Report size getting too big, too many NtSetInformationFile calls found.
Report size getting too big, too many NtWriteFile calls found.
Report size getting too big, too many NtWriteVirtualMemory calls found.
Skipping network analysis since amount of network traffic is too extensive
VT rate limit hit for: jk98mGM6JH.exe

Simulations

Behavior and APIs

Time	Type	Description
23:20:06	Task Scheduler	Run new task: MPGPH131 HR path: C:\ProgramData\MPGPH131\MPGPH131.exe
23:20:06	Task Scheduler	Run new task: MPGPH131 LG path: C:\ProgramData\MPGPH131\MPGPH131.exe
23:20:06	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run RageMP131 C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
23:20:15	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run RageMP131 C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
23:20:32	API Interceptor	68x Sleep call for process: jk98mGM6JH.exe modified
23:21:03	API Interceptor	1748898x Sleep call for process: MPGPH131.exe modified
23:21:12	API Interceptor	1x Sleep call for process: firefox.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
13.107.6.158	SxoBZ4iTXS.exe	Get hash	malicious	RisePro Stealer	Browse
	5nFy7LOCpD.exe	Get hash	malicious	RisePro Stealer	Browse
	file.exe	Get hash	malicious	RisePro Stealer	Browse
	SecuriteInfo.com.Win32.TrojanX-gen.7800.8466.exe	Get hash	malicious	Amadey, RisePro Stealer	Browse
	SecuriteInfo.com.Win32.TrojanX-gen.29663.14829.exe	Get hash	malicious	Amadey, RisePro Stealer	Browse
	SecuriteInfo.com.Win32.TrojanX-gen.6370.3894.exe	Get hash	malicious	Amadey, RisePro Stealer	Browse
	SecuriteInfo.com.Win32.TrojanX-gen.1905.22029.exe	Get hash	malicious	Amadey, RisePro Stealer	Browse
	pF4qvp3MTb.exe	Get hash	malicious	Amadey, RisePro Stealer	Browse
	acQQDjNOw8.exe	Get hash	malicious	Amadey, RisePro Stealer	Browse
	SecuriteInfo.com.Trojan.Siggen26.6766.1834.3852.exe	Get hash	malicious	Amadey, RisePro Stealer	Browse
185.215.113.46	5ws86kuyyj.exe	Get hash	malicious	RisePro Stealer	Browse	185.215.113.46/cost/well.exe
	SecuriteInfo.com.Trojan.Siggen26.6766.4021.25295.exe	Get hash	malicious	Amadey, RisePro Stealer	Browse	185.215.113.46/cost/well.exe
	SecuriteInfo.com.Trojan.Siggen26.6766.21437.6924.exe	Get hash	malicious	Amadey, RisePro Stealer	Browse	185.215.113.46/cost/well.exe
	file.exe	Get hash	malicious	Amadey, RisePro Stealer	Browse	185.215.113.46/cost/well.exe
	1cfxwHmB63.exe	Get hash	malicious	Amadey, LummaC Stealer, RedLine, RisePro Stealer, Xmrig	Browse	185.215.113.46/cost/fu.exe
	8vPg8GbGtV.exe	Get hash	malicious	Amadey, RisePro Stealer	Browse	185.215.113.46/cost/ladas.exe
	file.exe	Get hash	malicious	Amadey, RedLine, RisePro Stealer	Browse	185.215.113.46/cost/ladas.exe
	Bbd9GbGTz6.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, PureLog Stealer, RedLine, RisePro Stealer, Xmrig	Browse	185.215.113.46/cost/fu.exe
	file.exe	Get hash	malicious	RisePro Stealer	Browse	185.215.113.46/cost/ladas.exe
34.117.237.239	SxoBZ4iTXS.exe	Get hash	malicious	RisePro Stealer	Browse
	5ws86kuyyj.exe	Get hash	malicious	RisePro Stealer	Browse
	file.exe	Get hash	malicious	RisePro Stealer	Browse
	5nFy7LOCpD.exe	Get hash	malicious	RisePro Stealer	Browse
	vYuQWLyPe2.exe	Get hash	malicious	RisePro Stealer	Browse
	file.exe	Get hash	malicious	RisePro Stealer	Browse
	BdShellExt.DLL	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.Win32.TrojanX-gen.7800.8466.exe	Get hash	malicious	Amadey, RisePro Stealer	Browse
	SecuriteInfo.com.Win32.TrojanX-gen.6370.3894.exe	Get hash	malicious	Amadey, RisePro Stealer	Browse
	SecuriteInfo.com.Win32.TrojanX-gen.1905.22029.exe	Get hash	malicious	Amadey, RisePro Stealer	Browse

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	SxoBZ4iTXS.exe	Get hash	malicious	RisePro Stealer	Browse	34.117.188.166
	5ws86kuyyj.exe	Get hash	malicious	RisePro Stealer	Browse	34.117.188.166
	file.exe	Get hash	malicious	RisePro Stealer	Browse	34.117.188.166
	erg.exe	Get hash	malicious	Unknown	Browse	34.117.186.192
	erg.exe	Get hash	malicious	Trap Stealer	Browse	34.117.186.192
	boletafacturaeletrocinacge.msi	Get hash	malicious	Unknown	Browse	34.117.186.192
	file.exe	Get hash	malicious	RisePro Stealer	Browse	34.117.186.192
	file.exe	Get hash	malicious	RisePro Stealer	Browse	34.117.186.192
	file.exe	Get hash	malicious	RisePro Stealer	Browse	34.117.186.192
	file.exe	Get hash	malicious	RisePro Stealer	Browse	34.117.186.192
CLOUDFLARENETUS	Voicemail_Ref-973542.htm	Get hash	malicious	Unknown	Browse	104.21.52.170
	4f Medoc.exe	Get hash	malicious	LummaC	Browse	172.67.154.29
	SxoBZ4iTXS.exe	Get hash	malicious	RisePro Stealer	Browse	172.64.41.3
	file.exe	Get hash	malicious	LummaC	Browse	172.67.215.138
	https://medium.com/gopenai/how-much-data-from-the-public-internet-is-used-for-training-llms-dff5bc5ebb02	Get hash	malicious	Unknown	Browse	104.18.37.101
	5ws86kuyyj.exe	Get hash	malicious	RisePro Stealer	Browse	172.64.41.3
	file.exe	Get hash	malicious	RisePro Stealer	Browse	1.1.1.1
	https://blog.gopenai.com/how-much-data-from-the-public-internet-is-used-for-training-llms-dff5bc5ebb02?gi=0984607645d1	Get hash	malicious	Unknown	Browse	104.18.37.101
	erg.exe	Get hash	malicious	Unknown	Browse	162.159.137.232
	erg.exe	Get hash	malicious	Trap Stealer	Browse	162.159.138.232
MICROSOFT-CORP-MSN-AS-BLOCKUS	SxoBZ4iTXS.exe	Get hash	malicious	RisePro Stealer	Browse	20.75.60.91
	https://monitor.clickcease.com//tracker/tracker?id=ep2024sVIUFIqUrNt34&adpos=&nw=a&url=//otiunmonisky2m.com/?utm_content=dQPuybqXiH&session_id=gLwochtTuiIHD7q8Saml&id=qiCEG&filter=tlJLHfOfsS-zalXI&lang=fr&locale=FR	Get hash	malicious	Unknown	Browse	20.234.104.33
	5ws86kuyyj.exe	Get hash	malicious	RisePro Stealer	Browse	13.107.9.158
	https://monitor.clickcease.com//tracker/tracker?id=nj2024tVUEFIqArNt03&adpos=&nw=a&url=//otiunmonisky2m.com/?utm_content=vrsuSQtFMv&session_id=BPJNEM1vCwKeJERcuV8s&id=24L79&filter=CbXawfHONB-KdARv&lang=en&locale=GB	Get hash	malicious	Unknown	Browse	20.234.104.33
	file.exe	Get hash	malicious	RisePro Stealer	Browse	13.107.9.158
	https://www.trucknews.com/	Get hash	malicious	Unknown	Browse	13.107.42.14
	Doc Copy - Lingo Construction Services Inc. - RNP58382637F255-1.msg	Get hash	malicious	HTMLPhisher	Browse	13.107.213.40
	rInquiry__Orderlist.bat	Get hash	malicious	Remcos, DBatLoader	Browse	150.171.43.11
	ETJ.xlsx	Get hash	malicious	Unknown	Browse	13.89.179.11
	ji5zq1gsV7.elf	Get hash	malicious	Unknown	Browse	20.183.203.90
WHOLESALECONNECTIONSNL	SxoBZ4iTXS.exe	Get hash	malicious	RisePro Stealer	Browse	185.215.113.46
	5ws86kuyyj.exe	Get hash	malicious	RisePro Stealer	Browse	185.215.113.46
	file.exe	Get hash	malicious	RisePro Stealer	Browse	185.215.113.46
	com.javxvvpaj.yjpowlihgj.apk	Get hash	malicious	Unknown	Browse	185.215.113.31
	5nFy7LOCpD.exe	Get hash	malicious	RisePro Stealer	Browse	185.215.113.46
	vYuQWLyPe2.exe	Get hash	malicious	RisePro Stealer	Browse	185.215.113.46
	file.exe	Get hash	malicious	RisePro Stealer	Browse	185.215.113.46
	xPcfYU46r0.exe	Get hash	malicious	Amadey	Browse	185.215.113.32
	FV0mIIfKwQ.exe	Get hash	malicious	Amadey, RisePro Stealer, SmokeLoader, Stealc	Browse	185.215.113.46
	SecuriteInfo.com.Win32.TrojanX-gen.7800.8466.exe	Get hash	malicious	Amadey, RisePro Stealer	Browse	185.215.113.46

Process:	C:\Users\user\Desktop\jk98mGM6JH.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2393600
Entropy (8bit):	7.933479637135835
Encrypted:	false
SSDEEP:	49152:bnzYkijkaP8vRxUoDuBivcf9hKzs3YRHj6hzfaybLaXhjjv8Eb0ybBpa:bnQj2PUoD50Kyl9bLaXN86ZO
MD5:	736549A437DA8DACB4C1D31C33BA75B8
SHA1:	7EB5E89620F4A6DE369A9667133CB2EF01D27ED3
SHA-256:	6FC1848EA0691845F977875FF74A353CBAE23C75011C427720EC37659784860F
SHA-512:	ADA7DCD0EB06696AE6792F7D50CA10165CC55532D31C71F2A7A19B60876E826EC22D4C3604833FF19A36DFF8CAA14AC8BB6BF4372BAFC3A6602BE9849A84E09E
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 42%
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......C.........L.....L.....L.....H.G...H.....H.....H...R.L.....L.....L...............E.....-........Rich..................PE..L....~.e...............".....,........[...........@...........................[.......$...@.................................T...h....p.............................................................................................................. . .`..........................@....rsrc........p... ..................@....idata ............. ..............@... ..+.........."..............@...idnrjgyt.@...p@..:...$..............@...ssvxgfuk......[......^$.............@....taggant.0....[.."...d$.............@...........................................................................................................................................................................................

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	7632
Entropy (8bit):	5.164116234326732
Encrypted:	false
SSDEEP:	192:CBMiJl+cbhbVbTbfbRbObtbyEl7nBJA6unSrDtTZdxSofa:CiLcNhnzFSJc1nSrDhZdx+
MD5:	41FE97E13BFB9B86CF409BB7B4D8AB2C
SHA1:	6D38732F17FB747703B7033F882B6E613215793A
SHA-256:	60816A110724BFBBCCB8E87D3E886B8D262304DB5CEF0EB2B188879B97D98810
SHA-512:	07548CCE54C6E6DD2D6FBEE80F7B8F384650830C278695C93CCD4341CB5852BB07A2CD9901DEFDF772EEF91F750A6B33FD939F2F279906F2E4CD054CDB71F7BB
Malicious:	false
Preview:	{"type":"uninstall","id":"77e05644-1077-4a09-8f4f-d11661514336","creationDate":"2024-02-15T23:35:04.505Z","version":4,"application":{"architecture":"x86-64","buildId":"20230927232528","name":"Firefox","version":"118.0.1","displayVersion":"118.0.1","vendor":"Mozilla","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","channel":"release"},"payload":{"otherInstalls":0},"clientId":"7340e351-fad3-4a0f-b554-971fbfafe8fb","environment":{"build":{"applicationId":"{ec8030f7-c20a-464f-9b0e-13a3a9e97384}","applicationName":"Firefox","architecture":"x86-64","buildId":"20230927232528","version":"118.0.1","vendor":"Mozilla","displayVersion":"118.0.1","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","updaterAvailable":true},"partner":{"distributionId":null,"distributionVersion":null,"partnerId":null,"distributor":null,"distributorChannel":null,"partnerNames":[]},"system":{"memoryMB":8191,"virtualMaxMB":134217728,"cpu":{"isWindowsSMode":false,"count":4,"cores":2,"vendor":"GenuineIntel","name":"I

Process:	C:\Users\user\AppData\Local\Temp\heidiVWl4S6kyYSYh\zqdrYwv5fC6zkQ9Tresm.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	226
Entropy (8bit):	5.360398796477698
Encrypted:	false
SSDEEP:	6:Q3La/xw5DLIP12MUAvvR+uTL2ql2ABgTv:Q3La/KDLI4MWuPTAv
MD5:	3A8957C6382192B71471BD14359D0B12
SHA1:	71B96C965B65A051E7E7D10F61BEBD8CCBB88587
SHA-256:	282FBEFDDCFAA0A9DBDEE6E123791FC4B8CB870AE9D450E6394D2ACDA3D8F56D
SHA-512:	76C108641F682F785A97017728ED51565C4F74B61B24E190468E3A2843FCC43615C6C8ABE298750AF238D7A44E97C001E3BE427B49900432F905A7CE114AA9AD
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	45881
Entropy (8bit):	6.092936984973044
Encrypted:	false
SSDEEP:	768:LDXzgWPsj/qlGJqIY8GB49KX6wi1zNtd450QE69kDzFmjyAKJDSgzMMd6qD47u3/:L/Ps+wsI7yAKC4bEKKtSmd6qE7lFov
MD5:	4FE244A0AA027C62A591872C23D5F358
SHA1:	98B2589C36C7B9F208553D2F07FB34878DB0D5F0
SHA-256:	EA44B404D8DED66A4E5FB577F90B009901B9BBDCC95075A33CCCA2763F56CD3C
SHA-512:	513083D1D99D6533CB450A4006D307EDEC70557FCBEFDF306AC9858FDF042A4A5C9450AAEFD86998915A9199B25A0C2F8D01188A78EDE646B1ED2E52058477EF
Malicious:	false
Preview:	{"abusive_adblocker_etag":"\"EAD2F7F304438EAE4EE2A4A824C7D0ADEE7DD839BDE627B460B259EDF643904C\"","apps_count_check_time":"13352509228436640","browser":{"browser_build_version":"117.0.2045.55","browser_version_of_last_seen_whats_new":"117.0.2045.55","last_seen_whats_new_page_version":"117.0.2045.55"},"desktop_mode":{"clear_prefs_once_applied":true,"is_on":false,"is_on_by_default_applied":true,"is_search_only_on_by_default_applied":true},"domain_actions_config":"H4sIAAAAAAAAAL19a4/cNpboXzH60+4gRbvbrzj7aTbj2Ql2MhlkswhwF4MGRVISWxQp81FVqkH++z2HUrXbLkndh51dBHba1XX4PDzvxz+v+P76VjipxG2teExe3YpWie7W7ZX3Wqqr7/55xYfBaMGjdjZcffc/8wdK3g4OPh+vvrv6aYg/pXj1zZV0PdcWPrEq1kYfmXD91W/fUEBCTFK7MEH+45urDKHVNLPlvXoIHMcB//3H/fX3uIk/T3v4HrcwfweHgL0EWPzVd9e/fXMlZE/dnTXjx+Pggvq74ePPisvx4bqD0bbZ2Og99K8w415b9RA4usTivgSy50f4WTHYRQE0r0TxkvcMIVQpvOHvmY4lkMdaWx3H0okPPIoWVi/cFl5uDqEbWICCMbxrAKlKh6lMUiL5PY4UWn5ggpcM0yp8Ynv4jYve2dLVCA978oD/ouXWKlM6jo08toiSpffjDoNXQdkYBpOKD3ffHgufVJtMKp0Vvs4+JS06uJShdJA/6dD+0Y6HVnm1TQAXSdJ

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	SVG Scalable Vector Graphics image
Category:	downloaded
Size (bytes):	182
Entropy (8bit):	4.923041841279974
Encrypted:	false
SSDEEP:	3:tIsqDmJS4RKb5sAR+hHiATcvXjXRHRcBHoNcHaxhTIQfaaiBFbCcD8o+fmQGq18i:tI9mc4slhohC/vmI4OhEQfR6Fb3Y1OQV
MD5:	D6F15B1444CE6B4DBC711AC9E9041F17
SHA1:	98D8A4EAB8E132C5894592992F532CF36D71810D
SHA-256:	2BE645A9C201E31B43E28FD5541E36B73175D503362ACBA96CF578B95DB8DD8A
SHA-512:	89F41624C92CB68B716287E74ADD7DEEF7BD67E8FB68BBF7DF93BB84AE1478248CDFC35C26F45A0A6DE347808E9E6431CA771EC9A18E0FF6869843D66B2B4E77
Malicious:	false
URL:	https://fonts.gstatic.com/s/i/youtube_fill/download/v9/24px.svg
Preview:	<svg xmlns="http://www.w3.org/2000/svg" height="24" viewBox="0 0 24 24" width="24"><path d="M18 18v2H6v-2h12zm-.6-6.3L16 10.3l-3 2.9V4h-2v9.2l-3-2.9-1.4 1.4 5.4 5.4 5.4-5.4z"/></svg>

Entrypoint:	0x9bc000
Entrypoint Section:	.taggant
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x65CC7EFE [Wed Feb 14 08:51:10 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	2eabe9054cad5152567f0699947a2c5b

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x149054	0x68	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x137000	0x110a0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x1491f8	0x8	.idata
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
	0x1000	0x136000	0x8f000	526371db616613836e7c6571ed8b46c1	False	0.9993478201486014	data	7.988716513246667	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x137000	0x110a0	0x2000	f4328fe639d4e77edd541ebb07aa7b52	False	0.9827880859375	data	7.904002209424786	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x149000	0x1000	0x200	588e00183b8b4dbb8c7106492f04143d	False	0.14453125	data	0.9824704719748909	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
	0x14a000	0x2bd000	0x200	5308350e05d69b19f4c24a9bc49f90d9	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
idnrjgyt	0x407000	0x1b4000	0x1b3a00	65f02ad653bb94a5abaf9484fbbfe296	False	0.9608209289813486	data	7.913450001679227	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
ssvxgfuk	0x5bb000	0x1000	0x600	ec146673f8192747d6ef5ce1879d247c	False	0.6022135416666666	data	5.136390709108435	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant	0x5bc000	0x3000	0x2200	c4336996d52c7c3bb8618f20eb6f9c90	False	0.06491268382352941	DOS executable (COM)	0.7443786592657285	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x5a9aa8	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 65536, resolution 3779 x 3779 px/m	Russian	Russia	0.10367620962971726
RT_GROUP_ICON	0x5ba2d0	0x14	data	Russian	Russia	1.15
RT_VERSION	0x5ba2e4	0x2b4	data	Russian	Russia	0.48121387283236994
RT_MANIFEST	0x5ba598	0x2e6	XML 1.0 document, ASCII text, with CRLF line terminators			0.45417789757412397
RT_MANIFEST	0x5ba87e	0x17d	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.5931758530183727

Target ID:	0
Start time:	23:20:00
Start date:	15/02/2024
Path:	C:\Users\user\Desktop\jk98mGM6JH.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\jk98mGM6JH.exe
Imagebase:	0x610000
File size:	2'393'600 bytes
MD5 hash:	736549A437DA8DACB4C1D31C33BA75B8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 00000000.00000003.2099303367.0000000004EE0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 00000000.00000002.2670860055.00000000010CC000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 00000000.00000002.2645200426.0000000000611000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Target ID:	2
Start time:	23:20:05
Start date:	15/02/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
Imagebase:	0xe40000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	15
Start time:	23:20:18
Start date:	15/02/2024
Path:	C:\Users\user\AppData\Local\Temp\heidiVWl4S6kyYSYh\PLO4plFr34jobsiEh08j.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\heidiVWl4S6kyYSYh\PLO4plFr34jobsiEh08j.exe"
Imagebase:	0xc00000
File size:	918'016 bytes
MD5 hash:	791ED44F9B3836A68F79B028EF7C49CB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Target ID:	18
Start time:	23:20:19
Start date:	15/02/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://www.facebook.com/video
Imagebase:	0x7ff684c40000
File size:	3'242'272 bytes
MD5 hash:	5BBFA6CBDF4C254EB368D534F9E23C92
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	21
Start time:	23:20:20
Start date:	15/02/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2036 --field-trial-handle=1960,i,11993553605994081514,18162534353999161792,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Imagebase:	0x7ff684c40000
File size:	3'242'272 bytes
MD5 hash:	5BBFA6CBDF4C254EB368D534F9E23C92
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	23
Start time:	23:20:21
Start date:	15/02/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2056 --field-trial-handle=1996,i,17726353602255924015,12176223097910466274,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Imagebase:	0x7ff684c40000
File size:	3'242'272 bytes
MD5 hash:	5BBFA6CBDF4C254EB368D534F9E23C92
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	26
Start time:	23:20:22
Start date:	15/02/2024
Path:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" https://www.youtube.com
Imagebase:	0x7ff715da0000
File size:	4'210'216 bytes
MD5 hash:	BF154738460E4AB1D388970E1AB13FAB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	29
Start time:	23:20:23
Start date:	15/02/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com
Imagebase:	0x7ff684c40000
File size:	3'242'272 bytes
MD5 hash:	5BBFA6CBDF4C254EB368D534F9E23C92
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	32
Start time:	23:20:24
Start date:	15/02/2024
Path:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2232 --field-trial-handle=2092,i,17673521410042216198,2537652209419044310,262144 /prefetch:3
Imagebase:	0x7ff715da0000
File size:	4'210'216 bytes
MD5 hash:	BF154738460E4AB1D388970E1AB13FAB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	36
Start time:	23:20:25
Start date:	15/02/2024
Path:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --flag-switches-begin --flag-switches-end --disable-nacl --do-not-de-elevate https://www.youtube.com
Imagebase:	0x7ff715da0000
File size:	4'210'216 bytes
MD5 hash:	BF154738460E4AB1D388970E1AB13FAB
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Target ID:	40
Start time:	23:20:26
Start date:	15/02/2024
Path:	C:\Users\user\AppData\Local\Temp\heidiVWl4S6kyYSYh\Cr6QVRpzwqhYjtnCxFSW.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\heidiVWl4S6kyYSYh\Cr6QVRpzwqhYjtnCxFSW.exe"
Imagebase:	0xe50000
File size:	3'109'888 bytes
MD5 hash:	880AA312796089DC66459C024727D591
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Yara matches:	Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 00000028.00000002.2665861162.0000000000E51000.00000040.00000001.01000000.0000000D.sdmp, Author: Joe Security
Has exited:	true

Target ID:	43
Start time:	23:20:27
Start date:	15/02/2024
Path:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2940 --field-trial-handle=2724,i,4482519872048150816,8688360613915830786,262144 /prefetch:3
Imagebase:	0x7ff715da0000
File size:	4'210'216 bytes
MD5 hash:	BF154738460E4AB1D388970E1AB13FAB
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report jk98mGM6JH.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Dropped Files

Memory Dumps

Sigma Signatures

System Summary

Snort Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Phishing

Compliance

Change of critical system settings

Spreading

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\MPGPH131\MPGPH131.exe

C:\ProgramData\MPGPH131\MPGPH131.exe:Zone.Identifier

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_77e05644-1077-4a09-8f4f-d11661514336.json (copy)

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_77e05644-1077-4a09-8f4f-d11661514336.json.tmp

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\zqdrYwv5fC6zkQ9Tresm.exe.log

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\0aa007b7-8092-4a57-89c4-0f023222ae4f.tmp

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\0f85cc37-0a78-40aa-85a4-99ce8f7cb6f6.tmp

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\17b84ad9-5077-4d77-8b73-609761e025e3.tmp

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\30e3f6c4-44a0-4ec0-9411-e0b07d1ddde6.tmp

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\3a59baf1-7556-479c-bcbe-43cc6a619d22.tmp

Windows Analysis Report
jk98mGM6JH.exe

Target ID:	45
Start time:	23:20:29
Start date:	15/02/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.facebook.com/video
Imagebase:	0x7ff728280000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Target ID:	47
Start time:	23:20:30
Start date:	15/02/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com
Imagebase:	0x7ff728280000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	52
Start time:	23:20:41
Start date:	15/02/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3484 -childID 1 -isForBrowser -prefsHandle 3428 -prefMapHandle 3432 -prefsLen 21837 -prefMapSize 238690 -jsInitHandle 1240 -jsInitLen 234236 -parentBuildID 20230927232528 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b753b1f8-541a-487d-8ec8-3be5703ede91} 3504 "\\.\pipe\gecko-crash-server-pipe.3504" 25d99d93310 tab
Imagebase:	0x7ff728280000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Execution Coverage:	16%
Dynamic/Decrypted Code Coverage:	14.4%
Signature Coverage:	63.7%
Total number of Nodes:	2000
Total number of Limit Nodes:	157

Description:	Adversaries may gain access to a system through a user visiting a website over the normal course of browsing. With this technique, the user's web browser is typically targeted for exploitation, but adversaries may also use compromised websites for non-exploitation behavior such as acquiring Application Access Token .
Tactics:	Initial Access
Data Sources:	Application Log: Application Log Content, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Process: Process Creation
Platforms:	Linux, macOS, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may bypass UAC mechanisms to elevate process privileges on system. Windows User Account Control (UAC) allows a program to elevate its privileges (tracked as integrity levels ranging from low to high) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. The impact to the user ranges from denying the operation under high enforcement to allowing the user to perform the action if they are in the local administrators group and click through the prompt or allowing them to enter an administrator password to complete the action.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre