Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1395796
MD5:	9565a774cce1318d00aad201d54179ad
SHA1:	9369239b7c872d3cc46e55178eeda3cc6652e2e3
SHA256:	9911129661bce9c536c1232b12b2aa19501d9dfae099c146d25308c7bb6839ac
Tags:	exe
Infos:

Detection

Amadey, RisePro Stealer

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Antivirus detection for dropped file

Detected unpacking (changes PE section rights)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Yara detected Amadeys stealer DLL

Yara detected RisePro Stealer

Binary is likely a compiled AutoIt script file

Creates multiple autostart registry keys

Found many strings related to Crypto-Wallets (likely being stolen)

Hides threads from debuggers

Machine Learning detection for dropped file

Machine Learning detection for sample

PE file contains section with special chars

PE file has nameless sections

Potentially malicious time measurement code found

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Tries to detect sandboxes and other dynamic analysis tools (window names)

Tries to detect virtualization through RDTSC time measurements

Tries to evade debugger and weak emulator (self modifying code)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses schtasks.exe or at.exe to add and modify task schedules

Checks for debuggers (devices)

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to call native functions

Contains functionality to read the PEB

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Creates files inside the system directory

Creates job files (autostart)

Deletes files inside the Windows folder

Detected potential crypto function

Drops PE files

Drops PE files to the application program directory (C:\ProgramData)

Entry point lies outside standard sections

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found evasive API chain (may stop execution after accessing registry keys)

Found potential string decryption / allocating functions

IP address seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE file contains an invalid checksum

PE file contains executable resources (Code or Archives)

PE file contains sections with non-standard names

Queries information about the installed CPU (vendor, model number etc)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: Startup Folder File Write

Sleep loop found (likely to delay execution)

Stores files to the Windows start menu directory

Tries to load missing DLLs

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

file.exe (PID: 5420 cmdline: C:\Users\user\Desktop\file.exe MD5: 9565A774CCE1318D00AAD201D54179AD)

schtasks.exe (PID: 1048 cmdline: schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 1672 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 7096 cmdline: schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 5788 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

1zSWTheo8gASwgtmbVnB.exe (PID: 7808 cmdline: "C:\Users\user\AppData\Local\Temp\heidizS9SzeRnCJb5\1zSWTheo8gASwgtmbVnB.exe" MD5: 1E1CA4D43582C075F0CFF2992A8E6FEB)

chrome.exe (PID: 7880 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://www.youtube.com/ MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 5468 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2340 --field-trial-handle=1964,i,5887355526268781908,1189009886419855111,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 7908 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://www.linkedin.com/login MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 6624 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2024 --field-trial-handle=1984,i,6749347610235560040,8445991958934204639,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 8008 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://www.facebook.com/video MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 8648 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2076 --field-trial-handle=2020,i,9349519310739507833,11996823178141009930,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 7488 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://accounts.google.com/ MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 8932 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2020 --field-trial-handle=1976,i,11539279321236040917,10474362654299226247,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

msedge.exe (PID: 9184 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" https://www.youtube.com MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 9624 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2208 --field-trial-handle=2080,i,6001142355176275865,11694759345999334586,262144 /prefetch:3 MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 9212 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" https://www.facebook.com/video MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 10044 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=1452 --field-trial-handle=2028,i,4605008049051892939,13077336860849041403,262144 /prefetch:3 MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 1576 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" https://accounts.google.com MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 8160 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=1120 --field-trial-handle=2024,i,16006183332478894821,13298773514920591943,262144 /prefetch:3 MD5: 69222B8101B0601CC6663F8381E7E00F)

chrome.exe (PID: 9280 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 9672 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.facebook.com/video MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 9980 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" https://accounts.google.com MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

firefox.exe (PID: 5720 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 10312 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.facebook.com/video MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 10424 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

schtasks.exe (PID: 9196 cmdline: schtasks /create /f /RU "user" /tr "C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe" /tn "MSIUpdaterV131 HR" /sc HOURLY /rl HIGHEST MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 8232 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 9988 cmdline: schtasks /create /f /RU "user" /tr "C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe" /tn "MSIUpdaterV131 LG" /sc ONLOGON /rl HIGHEST MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 10008 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

_z8_twA5gL3uyAKSYBl4.exe (PID: 7692 cmdline: "C:\Users\user\AppData\Local\Temp\heidizS9SzeRnCJb5\_z8_twA5gL3uyAKSYBl4.exe" MD5: F2DFD8B4E7B7BE57BB23484FC9D14430)

MPGPH131.exe (PID: 6632 cmdline: C:\ProgramData\MPGPH131\MPGPH131.exe MD5: 9565A774CCE1318D00AAD201D54179AD)

MPGPH131.exe (PID: 5784 cmdline: C:\ProgramData\MPGPH131\MPGPH131.exe MD5: 9565A774CCE1318D00AAD201D54179AD)

SIHClient.exe (PID: 7616 cmdline: C:\Windows\System32\sihclient.exe /cv oDBIuu78qUSLDogbPZYF5w.0.2 MD5: 8BE47315BF30475EEECE8E39599E9273)

RageMP131.exe (PID: 7416 cmdline: "C:\Users\user\AppData\Local\RageMP131\RageMP131.exe" MD5: 9565A774CCE1318D00AAD201D54179AD)

RageMP131.exe (PID: 9416 cmdline: "C:\Users\user\AppData\Local\RageMP131\RageMP131.exe" MD5: 9565A774CCE1318D00AAD201D54179AD)

MSIUpdaterV131.exe (PID: 10092 cmdline: C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe MD5: F2DFD8B4E7B7BE57BB23484FC9D14430)

msedge.exe (PID: 9472 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --flag-switches-begin --flag-switches-end --disable-nacl --do-not-de-elevate https://www.youtube.com MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 10608 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2720 --field-trial-handle=2600,i,3848527723112303336,5816276702811820383,262144 /prefetch:3 MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 11484 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-GB --service-sandbox-type=asset_store_service --mojo-platform-channel-handle=6352 --field-trial-handle=2600,i,3848527723112303336,5816276702811820383,262144 /prefetch:8 MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 11668 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-GB --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --mojo-platform-channel-handle=6656 --field-trial-handle=2600,i,3848527723112303336,5816276702811820383,262144 /prefetch:8 MD5: 69222B8101B0601CC6663F8381E7E00F)

firefox.exe (PID: 10568 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com --attempting-deelevation MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 10616 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 11356 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2260 -parentBuildID 20230927232528 -prefsHandle 2164 -prefMapHandle 2156 -prefsLen 25308 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {78885992-7c24-4bea-b4cd-80bc1adb5941} 10616 "\\.\pipe\gecko-crash-server-pipe.10616" 1fbfe16e710 socket MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 12592 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3672 -childID 1 -isForBrowser -prefsHandle 1216 -prefMapHandle 3664 -prefsLen 21867 -prefMapSize 237879 -jsInitHandle 1416 -jsInitLen 234236 -parentBuildID 20230927232528 -appDir "C:\Program Files\Mozilla Firefox\browser" - {fe175a33-28a2-4047-aeec-757513839c5e} 10616 "\\.\pipe\gecko-crash-server-pipe.10616" 1fb8f78ca10 tab MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 12728 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2556 -childID 2 -isForBrowser -prefsHandle 4004 -prefMapHandle 2968 -prefsLen 22057 -prefMapSize 237879 -jsInitHandle 1416 -jsInitLen 234236 -parentBuildID 20230927232528 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1a7ce19a-c0e1-4606-ade3-f9e411e1fb00} 10616 "\\.\pipe\gecko-crash-server-pipe.10616" 1fb8b43cf50 tab MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

MSIUpdaterV131.exe (PID: 11168 cmdline: C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe MD5: F2DFD8B4E7B7BE57BB23484FC9D14430)

firefox.exe (PID: 7444 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.facebook.com/video --attempting-deelevation MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 11340 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.facebook.com/video MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 6208 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com --attempting-deelevation MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

AdobeUpdaterV131.exe (PID: 12560 cmdline: "C:\Users\user\AppData\Local\AdobeUpdaterV131\AdobeUpdaterV131.exe" MD5: F2DFD8B4E7B7BE57BB23484FC9D14430)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Amadey	Amadey is a botnet that appeared around October 2018 and is being sold for about $500 on Russian-speaking hacking forums. It periodically sends information about the system and installed AV software to its C2 server and polls to receive orders from it. Its main functionality is that it can load other payloads (called "tasks") for all or specifically targeted computers compromised by the malware.	No Attribution	https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://asec.ahnlab.com/en/36634/ https://asec.ahnlab.com/en/41450/ https://asec.ahnlab.com/en/44504/ https://bitsight.com/blog/unveiling-socks5systemz-rise-new-proxy-service-privateloader-and-amadey	https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey

Yara Signatures

Dropped Files

Source	Rule	Description	Author
C:\Users\user\AppData\Local\Temp\h8ozYGRfpZBL_1uFxRWmLJY.zip	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
C:\Users\user\AppData\Local\Temp\7VjcYwCMF_u_3bGwi0Uji59.zip	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
C:\Users\user\AppData\Local\Temp\NsDq1AXD5Zu7PIsqGltDvI0.zip	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
C:\Users\user\AppData\Local\Temp\Ci0SBvvC_ABy4cFBW3g7apa.zip	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000021.00000002.2976732828.0000000000651000.00000040.00000001.01000000.0000000B.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000021.00000003.2482885181.0000000004BF0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000008.00000002.2980143223.000000000059F000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
0000002A.00000002.2883089894.0000000000651000.00000040.00000001.01000000.0000000B.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
0000002A.00000003.2481062424.0000000004FA0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
0000002C.00000002.2976908105.0000000000CA1000.00000040.00000001.01000000.00000010.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000008.00000002.2980143223.00000000005A4000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
0000002C.00000003.2396808803.0000000004F00000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
Click to see the 3 entries

Unpacked PEs

Source	Rule	Description	Author
44.2._z8_twA5gL3uyAKSYBl4.exe.ca0000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
42.2.MSIUpdaterV131.exe.650000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
33.2.MSIUpdaterV131.exe.650000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security

Sigma Signatures

System Summary

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\file.exe, ProcessId: 5420, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RageMP131

Sigma detected: Startup Folder File Write

Source: File created

Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research): Data: EventID: 11, Image: C:\Users\user\Desktop\file.exe, ProcessId: 5420, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EdgeMS131.lnk

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: http://185.215.113.46/cost/ladas.exe(;	Avira URL Cloud: Label: malware
Source: http://185.215.113.46/cost/ladas.exesive.dll	Avira URL Cloud: Label: malware
Source: http://185.215.113.46/cost/ladas.exeidi	Avira URL Cloud: Label: malware
Source: http://185.215.113.46/cost/fu.exeagernt	Avira URL Cloud: Label: malware
Source: http://185.215.113.46/cost/fu.exe	Avira URL Cloud: Label: malware
Source: http://185.215.113.46/mine/amert.exe	Avira URL Cloud: Label: malware
Source: http://185.215.113.46/cost/well.exe	Avira URL Cloud: Label: malware
Source: http://185.215.113.46/cost/ladas.exe	Avira URL Cloud: Label: malware
Source: http://185.215.113.46/mine/plaza.exeidizS9SzeRnCJb5Z-4X	Avira URL Cloud: Label: malware
Source: http://185.215.113.46/cost/ladas.exeb	Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\AdobeUpdaterV131\AdobeUpdaterV131.exe	Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe	Avira: detection malicious, Label: TR/Crypt.TPM.Gen

Multi AV Scanner detection for domain / URL

Source: http://185.215.113.46/mine/amert.exe	Virustotal: Detection: 20%	Perma Link
Source: http://185.215.113.46/cost/fu.exe	Virustotal: Detection: 23%	Perma Link
Source: http://185.215.113.46/cost/ladas.exesive.dll	Virustotal: Detection: 14%	Perma Link
Source: http://185.215.113.46/cost/ladas.exe	Virustotal: Detection: 19%	Perma Link
Source: http://185.215.113.46/cost/ladas.exeb	Virustotal: Detection: 16%	Perma Link
Source: http://185.215.113.46/cost/well.exe	Virustotal: Detection: 21%	Perma Link

Multi AV Scanner detection for dropped file

Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Virustotal: Detection: 54%	Perma Link
Source: C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe	Virustotal: Detection: 59%	Perma Link
Source: C:\Users\user\AppData\Local\AdobeUpdaterV131\AdobeUpdaterV131.exe	Virustotal: Detection: 59%	Perma Link
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\fu[1].exe	Virustotal: Detection: 33%	Perma Link
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\ladas[1].exe	Virustotal: Detection: 52%	Perma Link
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\niks[1].exe	Virustotal: Detection: 55%	Perma Link
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\well[1].exe	Virustotal: Detection: 29%	Perma Link
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\amert[1].exe	Virustotal: Detection: 59%	Perma Link
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\ladas[1].exe	Virustotal: Detection: 52%	Perma Link
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\niks[1].exe	Virustotal: Detection: 55%	Perma Link
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\plaza[1].exe	Virustotal: Detection: 54%	Perma Link
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\well[1].exe	Virustotal: Detection: 29%	Perma Link
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\ladas[1].exe	Virustotal: Detection: 52%	Perma Link
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\plaza[1].exe	Virustotal: Detection: 54%	Perma Link
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\well[1].exe	Virustotal: Detection: 29%	Perma Link
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\amert[1].exe	Virustotal: Detection: 59%	Perma Link
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\amert[2].exe	Virustotal: Detection: 59%	Perma Link
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\fu[1].exe	Virustotal: Detection: 33%	Perma Link
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\fu[2].exe	Virustotal: Detection: 33%	Perma Link
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\niks[1].exe	Virustotal: Detection: 55%	Perma Link
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\plaza[1].exe	Virustotal: Detection: 54%	Perma Link

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\AdobeUpdaterV131\AdobeUpdaterV131.exe	Joe Sandbox ML: detected
Source: C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe	Joe Sandbox ML: detected
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: file.exe

Joe Sandbox ML: detected

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FAFFC0 CryptUnprotectData,CryptUnprotectData,		0_2_00FAFFC0
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 8_2_00B9FFC0 CryptUnprotectData,CryptUnprotectData,		8_2_00B9FFC0

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F9C050 FindFirstFileA,FindNextFileA,SetFileAttributesA,RemoveDirectoryA,__Mtx_unlock,	0_2_00F9C050
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0106B4E5 FindFirstFileExW,	0_2_0106B4E5
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 8_2_00B8C050 FindFirstFileA,FindNextFileA,SetFileAttributesA,RemoveDirectoryA,__Mtx_unlock,	8_2_00B8C050
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 8_2_00C5B4E5 recv,FindFirstFileExW,	8_2_00C5B4E5

Source: firefox.exe

Memory has grown: Private usage: 1MB later: 233MB

Source: Joe Sandbox View	IP Address: 13.107.6.158 13.107.6.158
Source: Joe Sandbox View	IP Address: 204.79.197.200 204.79.197.200
Source: Joe Sandbox View	IP Address: 13.107.246.40 13.107.246.40
Source: Joe Sandbox View	IP Address: 185.215.113.46 185.215.113.46
Source: Joe Sandbox View	IP Address: 185.215.113.46 185.215.113.46

Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe

Code function: 8_2_00B9DBB0 recv,WSAStartup,closesocket,socket,connect,closesocket,

8_2_00B9DBB0

Source: firefox.exe, 00000023.00000002.2300285719.0000022AC2BC0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com equals www.youtube.com (Youtube)
Source: firefox.exe, 00000023.00000002.2300285719.0000022AC2BC0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.comd equals www.youtube.com (Youtube)
Source: firefox.exe, 00000029.00000003.2483237784.000001FB91FC8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: g>Wmoz-nullprincipal:{871a8f96-2762-43e2-9f78-1f95eca451fd}?https://www.youtube.com equals www.youtube.com (Youtube)
Source: MPGPH131.exe, 00000007.00000003.2617487083.0000000005C13000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: MPGPH131.exe, 00000007.00000003.2617487083.0000000005C13000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com//pp equals www.youtube.com (Youtube)
Source: firefox.exe, 00000025.00000002.2344153551.000002A80BEC0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.facebook.com/video equals www.facebook.com (Facebook)
Source: firefox.exe, 00000025.00000002.2344153551.000002A80BEC0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.facebook.com/videos equals www.facebook.com (Facebook)
Source: firefox.exe, 00000027.00000002.2303785942.00000226FD9C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com --attempting-deelevation equals www.youtube.com (Youtube)
Source: firefox.exe, 00000029.00000003.2484170838.000001FB91F0A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: "www.facebook.com equals www.facebook.com (Facebook)
Source: firefox.exe, 00000029.00000003.2895883925.000001FB98DD0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: ,~predictor-origin,:https://www.facebook.com/predictor::seen1 equals www.facebook.com (Facebook)
Source: MPGPH131.exe, 00000007.00000003.2640674394.0000000000976000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: -_https://www.youtube.com equals www.youtube.com (Youtube)
Source: firefox.exe, 00000029.00000003.2463892026.000001FB9A5F0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: .S........[tlsflags0x00000000]www.facebook.com:443^partitionKey=%28https%2Cfacebook.com%29 equals www.facebook.com (Facebook)
Source: MPGPH131.exe, 00000006.00000003.2813901630.0000000005E88000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: .www.linkedin.combscookiev10@} equals www.linkedin.com (Linkedin)
Source: firefox.exe, 00000023.00000003.2273836507.0000022AC46FC000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000023.00000002.2300748777.0000022AC46FE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: 0`0https://www.youtube.com --attempting-deelevationUser equals www.youtube.com (Youtube)
Source: MPGPH131.exe, 00000007.00000003.2640674394.0000000000976000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: 5_https://www.youtube.com equals www.youtube.com (Youtube)
Source: MPGPH131.exe, 00000007.00000003.2640674394.0000000000976000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: 6_https://www.youtube.com equals www.youtube.com (Youtube)
Source: firefox.exe, 00000025.00000002.2344720109.000002A80D9A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: 7n7https://www.facebook.com/video --attempting-deelevationUser equals www.facebook.com (Facebook)
Source: firefox.exe, 00000029.00000003.2893642009.000001FB9BEF4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000029.00000003.2852837545.000001FB9BEF4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8:https://www.facebook.com/video equals www.facebook.com (Facebook)
Source: firefox.exe, 00000029.00000003.2463892026.000001FB9A5F0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8:https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000029.00000003.2704649310.000001FB984E0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000029.00000003.2436535853.000001FB92711000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000029.00000003.2702286694.000001FB98645000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8https://www.facebook.com equals www.facebook.com (Facebook)
Source: firefox.exe, 00000029.00000003.2475084912.000001FB965CD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000029.00000003.2859579934.000001FB98645000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000029.00000003.2995740845.000001FB9BEF4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000029.00000003.2436535853.000001FB92711000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000029.00000003.2696716926.000001FB98A40000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000029.00000003.2464498833.000001FB98A69000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8https://www.facebook.com/video equals www.facebook.com (Facebook)
Source: firefox.exe, 00000029.00000003.2919241842.000001FB973D0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000029.00000003.2475084912.000001FB9657F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000029.00000003.2471449950.000001FB9738C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000029.00000003.2919241842.000001FB973D0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000029.00000003.3020159159.000001FB973D0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000029.00000003.2859862617.000001FB973D0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8https://www.youtube.com/` equals www.youtube.com (Youtube)
Source: firefox.exe, 00000029.00000003.2466799961.000001FB98684000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000029.00000003.3016232028.000001FB98684000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000029.00000003.2910522324.000001FB98684000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8www.facebook.com equals www.facebook.com (Facebook)
Source: firefox.exe, 00000029.00000003.2484170838.000001FB91F0A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8www.youtube.com equals www.youtube.com (Youtube)
Source: firefox.exe, 00000029.00000003.2893642009.000001FB9BEF4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000029.00000003.2852837545.000001FB9BEF4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: :https://www.facebook.com/video equals www.facebook.com (Facebook)
Source: firefox.exe, 00000029.00000003.2463892026.000001FB9A5F0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: :https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: MPGPH131.exe, 00000006.00000003.2813901630.0000000005E88000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: ;.www.linkedin.comli_1x equals www.linkedin.com (Linkedin)
Source: MPGPH131.exe, 00000006.00000003.2813901630.0000000005E88000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: ;.www.linkedin.comli_rmv10 equals www.linkedin.com (Linkedin)
Source: firefox.exe, 00000029.00000003.2301349556.000001FB805D5000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000029.00000003.2299483431.000001FB805D5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: =::=::\ALLUSERSPROFILE=C:\ProgramDataAPPDATA=C:\Users\user\AppData\RoamingCommonProgramFiles=C:\Program Files\Common FilesCommonProgramFiles(x86)=C:\Program Files (x86)\Common FilesCommonProgramW6432=C:\Program Files\Common FilesCOMPUTERNAME=user-PCComSpec=C:\Windows\system32\cmd.exeDriverData=C:\Windows\System32\Drivers\DriverDataFPS_BROWSER_APP_PROFILE_STRING=Internet ExplorerFPS_BROWSER_USER_PROFILE_STRING=DefaultHOMEDRIVE=C:HOMEPATH=\Users\userLOCALAPPDATA=C:\Users\user\AppData\LocalLOGONSERVER=\\user-PCMOZ_CRASHREPORTER_DATA_DIRECTORY=C:\Users\user\AppData\Roaming\Mozilla\Firefox\Crash ReportsMOZ_CRASHREPORTER_EVENTS_DIRECTORY=C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\crashes\eventsMOZ_CRASHREPORTER_PING_DIRECTORY=C:\Users\user\AppData\Roaming\Mozilla\Firefox\Pending PingsMOZ_CRASHREPORTER_RESTART_ARG_0=C:\Program Files\Mozilla Firefox\firefox.exeMOZ_CRASHREPORTER_RESTART_ARG_1=https://www.youtube.comMOZ_CRASHREPORTER_STRINGS_OVERRIDE=C:\Program Files\Mozilla Firefox\browser\crashreporter-override.iniNUMBER_OF_PROCESSORS=2OneDrive=C:\Users\user\OneDriveOS=Windows_NTPath=C:\Program Files\Mozilla Firefox;C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSCPROCESSOR_ARCHITECTURE=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 143 Stepping 8, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=8f08ProgramData=C:\ProgramDataProgramFiles=C:\Program FilesProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPSModulePath=C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\PublicSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\WindowsTEMP=C:\Users\user\AppData\Local\TempTMP=C:\Users\user\AppData\Local\TempUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userwindir=C:\Windows equals www.youtube.com (Youtube)
Source: firefox.exe, 00000029.00000003.2696716926.000001FB98A1C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000029.00000003.2691798188.000001FB98DC0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000029.00000003.2464498833.000001FB98A1C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: =e=nssBadCert&u=https%3A//www.facebook.com/video&c=UTF-8&d=%20 equals www.facebook.com (Facebook)
Source: MPGPH131.exe, 00000007.00000003.2640674394.0000000000976000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: >_https://www.youtube.com equals www.youtube.com (Youtube)
Source: firefox.exe, 00000025.00000002.2344153551.000002A80BEC0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: C:\Program Files\Mozilla Firefox\firefox.exehttps://www.facebook.com/video5 equals www.facebook.com (Facebook)
Source: firefox.exe, 00000023.00000002.2300285719.0000022AC2BCE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: C:\Program Files\Mozilla Firefox\firefox.exehttps://www.youtube.com equals www.youtube.com (Youtube)
Source: firefox.exe, 00000027.00000002.2303785942.00000226FD9C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: C:\Program Files\Mozilla Firefox\firefox.exehttps://www.youtube.com--attempting-deelevation equals www.youtube.com (Youtube)
Source: firefox.exe, 00000025.00000002.2344153551.000002A80BEC0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: C:\Users\user\AppData\Local\Temp\heidizS9SzeRnCJb5\C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.facebook.com/videoC:\Program Files\Mozilla Firefox\firefox.exeWinsta0\Default7 equals www.facebook.com (Facebook)
Source: firefox.exe, 00000023.00000002.2300285719.0000022AC2BC0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: C:\Users\user\AppData\Local\Temp\heidizS9SzeRnCJb5\C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.comC:\Program Files\Mozilla Firefox\firefox.exeWinsta0\Default equals www.youtube.com (Youtube)
Source: firefox.exe, 00000027.00000002.2303785942.00000226FD9C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: C:\Windows\system32\C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com --attempting-deelevationC:\Program Files\Mozilla Firefox\firefox.exeWinsta0\Default equals www.youtube.com (Youtube)
Source: MPGPH131.exe, 00000007.00000003.2640674394.0000000000976000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: META:https://www.youtube.com equals www.youtube.com (Youtube)
Source: firefox.exe, 00000029.00000003.2696716926.000001FB98A1C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000029.00000003.2691798188.000001FB98DC0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Mabout:certerror?e=nssBadCert&u=https%3A//www.facebook.com/video&c=UTF-8&d=%20 equals www.facebook.com (Facebook)
Source: firefox.exe, 00000029.00000003.2463892026.000001FB9A5F0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: O^partitionKey=%28https%2Cyoutube.com%29,:https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: MPGPH131.exe, 00000007.00000003.2640674394.0000000000976000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: _https://www.youtube.com equals www.youtube.com (Youtube)
Source: firefox.exe, 00000029.00000003.2696716926.000001FB98A1C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000029.00000003.3020159159.000001FB973DB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000029.00000003.2691798188.000001FB98DC0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: about:certerror?e=nssBadCert&u=https%3A//www.facebook.com/video&c=UTF-8&d=%20 equals www.facebook.com (Facebook)
Source: firefox.exe, 00000029.00000003.2696716926.000001FB98A1C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000029.00000003.2691798188.000001FB98DC0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000029.00000003.2464498833.000001FB98A1C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: e=nssBadCert&u=https%3A//www.facebook.com/video&c=UTF-8&d=%20 equals www.facebook.com (Facebook)
Source: firefox.exe, 00000029.00000003.2704649310.000001FB984E0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000029.00000003.2436535853.000001FB92711000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000029.00000003.2696716926.000001FB98A40000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.facebook.com equals www.facebook.com (Facebook)
Source: firefox.exe, 00000029.00000003.2475084912.000001FB965CD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000029.00000003.2859579934.000001FB98645000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000029.00000003.2995740845.000001FB9BEF4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000029.00000003.2436535853.000001FB92711000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000029.00000003.2872351728.000001FB8AEAB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000029.00000003.2696716926.000001FB98A1C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.facebook.com/video equals www.facebook.com (Facebook)
Source: firefox.exe, 00000029.00000003.2696716926.000001FB98A40000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000029.00000003.2464498833.000001FB98A40000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.facebook.com/video@ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000029.00000003.2901527515.000001FB98D76000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000029.00000003.2854768436.000001FB98D76000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com equals www.youtube.com (Youtube)
Source: MPGPH131.exe, 00000007.00000003.2617487083.0000000005C13000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.2613733396.0000000000992000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.3055686788.0000000005DB8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: MPGPH131.exe, 00000007.00000003.2617487083.0000000005C13000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.2613733396.0000000000992000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com//pp equals www.youtube.com (Youtube)
Source: MPGPH131.exe, 00000007.00000003.2616339617.0000000005C2A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/YouTube equals www.youtube.com (Youtube)
Source: MPGPH131.exe, 00000007.00000003.2616339617.0000000005C2A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/YouTube/pp equals www.youtube.com (Youtube)
Source: RageMP131.exe, 00000008.00000002.3051142522.0000000005AD0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/ta1 equals www.youtube.com (Youtube)
Source: firefox.exe, 00000029.00000003.3014027476.000001FB986CA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000029.00000003.2466799961.000001FB986CA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000029.00000003.2699799932.000001FB986CA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: moz-nullprincipal:{43f7831d-84c8-401b-a3d5-bbed60e76247}?https://www.facebook.com equals www.facebook.com (Facebook)
Source: MPGPH131.exe, 00000006.00000003.2813901630.0000000005E88000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: r.www.linkedin.comJSESSIONIDv10vmV equals www.linkedin.com (Linkedin)
Source: firefox.exe, 00000025.00000003.2336243926.000002A80BEDC000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000025.00000002.2344153551.000002A80BEE1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: s://www.facebook.com/video --attempting-deelevation equals www.facebook.com (Facebook)
Source: firefox.exe, 00000023.00000003.2273743981.0000022AC2BDC000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000023.00000002.2300285719.0000022AC2BE1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: s://www.youtube.com --attempting-deelevation equals www.youtube.com (Youtube)
Source: MPGPH131.exe, 00000007.00000003.2613733396.0000000000992000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: s://www.youtube.com/ equals www.youtube.com (Youtube)
Source: MPGPH131.exe, 00000007.00000003.2431237956.0000000005C47000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.2613733396.0000000000992000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: s://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000029.00000003.2861010042.000001FB9654D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000029.00000003.2514495452.000001FB91E0E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: tlsflags0x00000000:www.facebook.com:443^partitionKey=%28https%2Cfacebook.com%29 equals www.facebook.com (Facebook)
Source: firefox.exe, 00000029.00000003.2861010042.000001FB9655F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000029.00000003.2861010042.000001FB9654D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000029.00000003.2514495452.000001FB91E0E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: tlsflags0x00000000:www.youtube.com:443^partitionKey=%28https%2Cyoutube.com%29 equals www.youtube.com (Youtube)
Source: MPGPH131.exe, 00000007.00000003.2613733396.0000000000992000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: ttps://www.youtube.com/ equals www.youtube.com (Youtube)
Source: MPGPH131.exe, 00000007.00000003.2613733396.0000000000992000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: ttps://www.youtube.com//pp equals www.youtube.com (Youtube)
Source: firefox.exe, 00000029.00000003.2905705692.000001FB986B1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000029.00000003.2630257032.000001FB8FCB0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000029.00000003.2618159844.000001FB932B3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.facebook.com equals www.facebook.com (Facebook)
Source: firefox.exe, 00000029.00000003.2588522719.000001FB8FCA9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000029.00000003.2509480913.000001FB91ED4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000029.00000003.2919241842.000001FB973E8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.youtube.com equals www.youtube.com (Youtube)
Source: firefox.exe, 00000029.00000003.2477590188.000001FB927F3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000029.00000003.2433245091.000001FB927F3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.youtube.com- equals www.youtube.com (Youtube)
Source: firefox.exe, 00000029.00000003.2561957552.000001FB9119F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.youtube.comP43 equals www.youtube.com (Youtube)
Source: firefox.exe, 00000029.00000003.2588522719.000001FB8FCA9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000029.00000003.2732891901.000001FB9323F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000029.00000003.2645881221.000001FB93237000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.youtube.comZ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000029.00000003.2732891901.000001FB9323F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000029.00000003.2645881221.000001FB93237000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.youtube.comoZ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000029.00000003.3024799346.000001FB97320000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000029.00000003.2860733025.000001FB97320000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000029.00000003.2927581358.000001FB97320000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: x://www.facebook.com/platform/impression.php equals www.facebook.com (Facebook)
Source: firefox.exe, 00000029.00000003.2463892026.000001FB9A5F0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: x.S........[tlsflags0x00000000]www.facebook.com:443^partitionKey=%28https%2Cfacebook.com%29 equals www.facebook.com (Facebook)
Source: firefox.exe, 00000029.00000003.2463892026.000001FB9A5F0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: xO^partitionKey=%28https%2Cyoutube.com%29,:https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000029.00000003.3020159159.000001FB973DB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000029.00000003.2477590188.000001FB92779000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000029.00000003.2477590188.000001FB927CD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: xabout:certerror?e=nssBadCert&u=https%3A//www.facebook.com/video&c=UTF-8&d=%20 equals www.facebook.com (Facebook)
Source: firefox.exe, 00000029.00000003.2854768436.000001FB98DBE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000029.00000003.2691798188.000001FB98DC0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000029.00000003.3002271050.000001FB98DBE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: xhttps://www.facebook.com/video equals www.facebook.com (Facebook)
Source: firefox.exe, 00000029.00000003.2514495452.000001FB91E0E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: xtlsflags0x00000000:www.facebook.com:443^partitionKey=%28https%2Cfacebook.com%29 equals www.facebook.com (Facebook)
Source: firefox.exe, 00000029.00000003.2514495452.000001FB91E0E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: xtlsflags0x00000000:www.youtube.com:443^partitionKey=%28https%2Cyoutube.com%29 equals www.youtube.com (Youtube)
Source: firefox.exe, 00000029.00000003.2895883925.000001FB98DD0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: ~predictor-origin,:https://www.facebook.com/ equals www.facebook.com (Facebook)

Source: firefox.exe, 00000029.00000003.2475084912.000001FB9652B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000029.00000003.2484170838.000001FB91F0A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:
Source: file.exe, 00000000.00000003.2389626209.000000000091C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.3046630470.0000000005D2D000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.2980143223.0000000000538000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.46/cost/fu.exe
Source: RageMP131.exe, 00000008.00000002.2980143223.0000000000538000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.46/cost/fu.exe)
Source: file.exe, 00000000.00000002.2976955927.000000000091C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2389626209.000000000091C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.46/cost/fu.exeagernt
Source: RageMP131.exe, 0000001A.00000002.2896368868.000000000147E000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000002.2896368868.0000000001496000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.46/cost/ladas.exe
Source: file.exe, 00000000.00000002.3048475504.0000000005D60000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.46/cost/ladas.exe(;
Source: file.exe, 00000000.00000002.2976955927.000000000097B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.46/cost/ladas.exeb
Source: RageMP131.exe, 00000008.00000002.2980143223.00000000004DE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.46/cost/ladas.exeidi
Source: file.exe, 00000000.00000002.3048475504.0000000005D60000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2976955927.000000000097B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.46/cost/ladas.exel
Source: file.exe, 00000000.00000002.3048475504.0000000005D60000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.46/cost/ladas.exelF~n
Source: file.exe, 00000000.00000002.3048475504.0000000005D60000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.46/cost/ladas.exesive.dll
Source: file.exe, 00000000.00000002.2976955927.000000000091C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.3048475504.0000000005D60000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2389626209.000000000091C000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.2980143223.0000000000538000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000002.2896368868.0000000001496000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.46/cost/niks.exe
Source: RageMP131.exe, 0000001A.00000002.2896368868.0000000001496000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.46/cost/well.exe
Source: file.exe, 00000000.00000002.2976955927.000000000091C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2389626209.000000000091C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2389626209.000000000097B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2976955927.000000000097B000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.2980143223.0000000000538000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000002.2896368868.0000000001496000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.46/mine/amert.exe
Source: file.exe, 00000000.00000003.2389626209.000000000097B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2976955927.000000000097B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.46/mine/amert.exe#
Source: file.exe, 00000000.00000002.2976955927.000000000091C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2389626209.000000000091C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.46/mine/amert.exed-
Source: RageMP131.exe, 0000001A.00000002.2896368868.000000000147E000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000002.2896368868.0000000001496000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.46/mine/plaza.exe
Source: RageMP131.exe, 0000001A.00000002.2896368868.0000000001496000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.46/mine/plaza.exeOB
Source: file.exe, 00000000.00000002.3048475504.0000000005D60000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.46/mine/plaza.exeidizS9SzeRnCJb5Z-4X
Source: firefox.exe, 00000029.00000003.2362378100.000001FB8E6DE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000029.00000003.2363088949.000001FB8E6DE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://compose.mail.yahoo.co.jp/ym/Compose?To=%s
Source: SIHClient.exe, 00000009.00000003.2565092652.00000205739EE000.00000004.00000020.00020000.00000000.sdmp, SIHClient.exe, 00000009.00000002.2893638622.00000205739EE000.00000004.00000020.00020000.00000000.sdmp, SIHClient.exe, 00000009.00000003.2576373237.00000205739EE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.micrA
Source: SIHClient.exe, 00000009.00000003.2187881101.0000020574385000.00000004.00000020.00020000.00000000.sdmp, SIHClient.exe, 00000009.00000002.2900308468.0000020574380000.00000004.00000020.00020000.00000000.sdmp, SIHClient.exe, 00000009.00000003.2185652439.0000020574385000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.micro
Source: firefox.exe, 00000029.00000003.3002271050.000001FB98D9C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000029.00000003.2472568638.000001FB9734E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000029.00000003.3024799346.000001FB9734B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://detectportal.firefox.com
Source: firefox.exe, 00000029.00000003.2477590188.000001FB927F3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://detectportal.firefox.com/canonical.html
Source: firefox.exe, 00000029.00000003.2861010042.000001FB9655F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000029.00000003.2935452112.000001FB9655F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000029.00000003.2475084912.000001FB9655F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000029.00000003.2514495452.000001FB91E0E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://detectportal.firefox.com/success.txt?ipv4
Source: firefox.exe, 00000029.00000003.2854768436.000001FB98D76000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000029.00000003.2514495452.000001FB91E0E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://detectportal.firefox.com/success.txt?ipv6
Source: firefox.exe, 00000029.00000003.2847640406.000001FB93284000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000029.00000003.2407004515.000001FB966B5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000029.00000003.2407473308.000001FB966B1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000029.00000003.2765495710.000001FB8EC7A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000029.00000003.2809831387.000001FB8AE2F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000029.00000003.2449113424.000001FB98582000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000029.00000003.2634765865.000001FB8EA58000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000029.00000003.2868107380.000001FB985F2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000029.00000003.2713037412.000001FB8EAA5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000029.00000003.2755126218.000001FB8EB33000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000029.00000003.2732544717.000001FB985F2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000029.00000003.3012126900.000001FB986E4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000029.00000003.2735455297.000001FB8EA59000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000029.00000003.2902867703.000001FB986E4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000029.00000003.2514495452.000001FB91E08000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000029.00000003.2737019437.000001FB8EAA4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000029.00000003.2887497625.000001FB8EAA4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000029.00000003.2807551644.000001FB8EC7A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000029.00000003.2568960989.000001FB8EAB1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000029.00000003.2862972274.000001FB966F4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000029.00000003.2360064713.000001FB8EC7E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://mozilla.org/MPL/2.0/.
Source: firefox.exe, 00000029.00000003.2362378100.000001FB8E6DE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000029.00000003.2363088949.000001FB8E6DE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://poczta.interia.pl/mh/?mailto=%s
Source: firefox.exe, 00000029.00000003.2512787341.000001FB91E84000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://r3.i.lencr.org/0.
Source: firefox.exe, 00000029.00000003.2512787341.000001FB91E84000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://r3.o.lencr.org0
Source: firefox.exe, 00000029.00000003.2362378100.000001FB8E6DE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000029.00000003.2363088949.000001FB8E6DE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://win.mail.ru/cgi-bin/sentmsg?mailto=%s
Source: firefox.exe, 00000029.00000003.2362378100.000001FB8E6DE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000029.00000003.2363088949.000001FB8E6DE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.inbox.lv/rfc2368/?value=%s
Source: firefox.exe, 00000029.00000003.2703606554.000001FB984F3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000029.00000003.2859736818.000001FB984EE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000029.00000003.2565078704.000001FB91143000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000029.00000003.3017763773.000001FB984EC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000029.00000003.2915639608.000001FB984EE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000029.00000003.2563091715.000001FB91184000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul
Source: firefox.exe, 00000029.00000003.2565078704.000001FB91143000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000029.00000003.2563091715.000001FB91184000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul8
Source: firefox.exe, 00000029.00000003.2563091715.000001FB91184000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xulh
Source: file.exe, 00000000.00000002.2980859971.0000000000F91000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000003.1999562541.0000000004B90000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2065812545.0000000004A20000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.2066983405.0000000004BB0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.2991732572.0000000000B81000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000008.00000003.2168758239.0000000004950000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000002.2878089392.0000000000B81000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 0000001A.00000003.2360402306.0000000005230000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.winimage.com/zLibDll
Source: firefox.exe, 00000029.00000003.2353070103.000001FB8E965000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000029.00000003.2352450205.000001FB8E924000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000029.00000003.2353477536.000001FB8E985000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000029.00000003.2352149654.000001FB8EA00000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000029.00000003.2352761725.000001FB8E944000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.duckduckgo.com/ac/
Source: file.exe, 00000000.00000003.2116611037.0000000005D2C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2113465149.0000000005C8F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2124224620.0000000005D2C000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2200308328.0000000005D73000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2181499507.0000000005D73000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.2187770588.0000000005C56000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.2120275076.0000000005C35000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.2128210493.0000000005C35000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.2272359442.00000000005C4000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.2301947459.0000000005C08000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.2276330895.00000000005C6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: firefox.exe, 00000029.00000003.2472568638.000001FB9732E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://account.bellmedia.c
Source: firefox.exe, 00000029.00000003.2692073703.000001FB98A7F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000029.00000003.2464498833.000001FB98A7F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.firefox.comK
Source: firefox.exe, 00000026.00000002.2336728837.000002C2A6C50000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000029.00000003.2862162587.000001FB964EB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000029.00000003.2938825525.000001FB964EB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com
Source: firefox.exe, 00000029.00000003.2895883925.000001FB98DBE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/
Source: firefox.exe, 00000029.00000003.2895883925.000001FB98DD0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/predictor::seen1
Source: firefox.exe, 00000026.00000002.2336728837.000002C2A6C50000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.comC:
Source: firefox.exe, 00000029.00000003.2477590188.000001FB927F3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000029.00000003.2433245091.000001FB927F3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://addons.mozilla.org/firefox/addon/enhancer-for-youtube/
Source: firefox.exe, 00000029.00000003.2477590188.000001FB927F3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000029.00000003.2433245091.000001FB927F3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://addons.mozilla.org/firefox/addon/facebook-container/
Source: firefox.exe, 00000029.00000003.2477590188.000001FB927F3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000029.00000003.2433245091.000001FB927F3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://addons.mozilla.org/firefox/addon/reddit-enhancement-suite/
Source: firefox.exe, 00000029.00000003.2477590188.000001FB927F3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000029.00000003.2433245091.000001FB927F3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://addons.mozilla.org/firefox/addon/to-google-translate/
Source: firefox.exe, 00000029.00000003.2477590188.000001FB927F3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000029.00000003.2433245091.000001FB927F3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://addons.mozilla.org/firefox/addon/wikipedia-context-menu-search/
Source: firefox.exe, 00000029.00000003.2475084912.000001FB9655F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://allegro.pl/
Source: firefox.exe, 00000029.00000003.2475084912.000001FB9655F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aus5.mozilla.org/
Source: firefox.exe, 00000029.00000003.2484170838.000001FB91F0A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aus5.mozilla.org/update/6/Firefox/118.0.1/20230927232528/WINNT_x86_64-msvc-x64/en-US/release
Source: firefox.exe, 00000029.00000003.2700062119.000001FB98684000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=1539075
Source: firefox.exe, 00000029.00000003.2700062119.000001FB98684000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=1584464
Source: firefox.exe, 00000029.00000003.2700062119.000001FB98684000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=1607439
Source: firefox.exe, 00000029.00000003.2700062119.000001FB98684000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=1616739
Source: firefox.exe, 00000029.00000003.2809831387.000001FB8AE2F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000029.00000003.2838114200.000001FB8AE2F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=1694699#c21
Source: file.exe, 00000000.00000003.2116611037.0000000005D2C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2113465149.0000000005C8F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2124224620.0000000005D2C000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2200308328.0000000005D73000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2181499507.0000000005D73000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.2187770588.0000000005C56000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.2120275076.0000000005C35000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.2128210493.0000000005C35000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.2272359442.00000000005C4000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.2301947459.0000000005C08000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.2276330895.00000000005C6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: file.exe, 00000000.00000003.2116611037.0000000005D2C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2113465149.0000000005C8F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2124224620.0000000005D2C000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2200308328.0000000005D73000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2181499507.0000000005D73000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.2187770588.0000000005C56000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.2120275076.0000000005C35000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.2404581198.0000000005C53000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.2451025348.0000000005C51000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.2128210493.0000000005C35000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.2272359442.00000000005C4000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.2301947459.0000000005C08000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.2276330895.00000000005C6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: file.exe, 00000000.00000003.2116611037.0000000005D2C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2113465149.0000000005C8F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2124224620.0000000005D2C000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2200308328.0000000005D73000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2181499507.0000000005D73000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.2187770588.0000000005C56000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.2120275076.0000000005C35000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.2404581198.0000000005C53000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.2451025348.0000000005C51000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.2128210493.0000000005C35000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.2272359442.00000000005C4000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.2301947459.0000000005C08000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.2276330895.00000000005C6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: firefox.exe, 00000029.00000003.2353070103.000001FB8E965000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000029.00000003.2352450205.000001FB8E924000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000029.00000003.2353477536.000001FB8E985000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000029.00000003.2352149654.000001FB8EA00000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000029.00000003.2352761725.000001FB8E944000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://completion.amazon.com/search/complete?q=
Source: firefox.exe, 00000029.00000003.2702286694.000001FB98645000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://content-signature-2.cdn.mozilla.net/chains/remote-settings.content-signature.mozilla.org-202
Source: firefox.exe, 00000029.00000003.2475084912.000001FB965CD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000029.00000003.2861010042.000001FB965CD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000029.00000003.2930019942.000001FB965CD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contile.services.mozilla.com
Source: firefox.exe, 00000029.00000003.2475084912.000001FB965FA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contile.services.mozilla.com/
Source: firefox.exe, 00000029.00000003.2930019942.000001FB965CD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contile.services.mozilla.com/v1/tiles
Source: firefox.exe, 00000029.00000003.2477590188.000001FB92754000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000029.00000003.2935452112.000001FB96558000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000029.00000003.2352761725.000001FB8E944000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/
Source: firefox.exe, 00000029.00000003.2461036451.000001FB9BEF9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/?t=ffab&q=
Source: file.exe, 00000000.00000003.2116611037.0000000005D2C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2113465149.0000000005C8F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2124224620.0000000005D2C000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2200308328.0000000005D73000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2181499507.0000000005D73000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.2187770588.0000000005C56000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.2120275076.0000000005C35000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.2421390075.0000000005C47000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.2451025348.0000000005C51000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.2128210493.0000000005C35000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.2272359442.00000000005C4000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.2301947459.0000000005C08000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: file.exe, 00000000.00000003.2116611037.0000000005D2C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2113465149.0000000005C8F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2124224620.0000000005D2C000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2200308328.0000000005D73000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2181499507.0000000005D73000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.2187770588.0000000005C56000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.2120275076.0000000005C35000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.2421390075.0000000005C47000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.2451025348.0000000005C51000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.2128210493.0000000005C35000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.2272359442.00000000005C4000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.2301947459.0000000005C08000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: file.exe, 00000000.00000003.2116611037.0000000005D2C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2113465149.0000000005C8F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2124224620.0000000005D2C000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2200308328.0000000005D73000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2181499507.0000000005D73000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.2187770588.0000000005C56000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.2120275076.0000000005C35000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.2421390075.0000000005C47000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.2451025348.0000000005C51000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.2128210493.0000000005C35000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.2272359442.00000000005C4000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.2301947459.0000000005C08000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: firefox.exe, 00000029.00000003.2741108156.000001FB8E577000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000029.00000003.2734590873.000001FB8E577000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000029.00000003.2362378100.000001FB8E6DE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000029.00000003.2363088949.000001FB8E6DE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://e.mail.ru/cgi-bin/sentmsg?mailto=%s
Source: firefox.exe, 00000029.00000003.2741108156.000001FB8E577000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000029.00000003.2734590873.000001FB8E577000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://email.seznam.cz/newMessageScreen?mailto=%s
Source: firefox.exe, 00000029.00000003.2457073466.000001FB8FCAF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000029.00000003.2455731909.000001FB8FC82000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://firefox-settings-attachments.cdn.mozilla.net/main-workspace/ms-images/706c7a85-cf23-442e-8a9
Source: firefox.exe, 00000029.00000003.2691872849.000001FB98DAD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000029.00000003.2854768436.000001FB98DAD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000029.00000003.2895883925.000001FB98DAD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000029.00000003.3002271050.000001FB98DAD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://getpocket.cdn.mozilla.net/v3/firefox/global-recs?version=3&consumer_key=$apiKey&locale_lang=
Source: firefox.exe, 00000029.00000003.2691872849.000001FB98DAD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000029.00000003.2854768436.000001FB98DAD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000029.00000003.2895883925.000001FB98DAD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000029.00000003.3002271050.000001FB98DAD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://getpocket.cdn.mozilla.net/v3/firefox/trending-topics?version=2&consumer_key=$apiKey&locale_l
Source: firefox.exe, 00000029.00000003.2691872849.000001FB98DAD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000029.00000003.2854768436.000001FB98DAD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000029.00000003.2895883925.000001FB98DAD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000029.00000003.3002271050.000001FB98DAD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://getpocket.com/explore/trending?src=fx_new_tab
Source: firefox.exe, 00000029.00000003.2930019942.000001FB9659F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://getpocket.com/firefox/new_tab_learn_more
Source: firefox.exe, 00000029.00000003.2691872849.000001FB98DAD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000029.00000003.2854768436.000001FB98DAD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000029.00000003.2895883925.000001FB98DAD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000029.00000003.3002271050.000001FB98DAD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://getpocket.com/recommendations
Source: firefox.exe, 00000029.00000003.2407473308.000001FB966B1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000029.00000003.2874355917.000001FB9669D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000029.00000003.2407004515.000001FB96671000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000029.00000003.2846603963.000001FB9669D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000029.00000003.2747711649.000001FB966A0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000029.00000003.2870582921.000001FB9669D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000029.00000003.2648611710.000001FB9669D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000029.00000003.2626143185.000001FB9667E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/lit/lit/blob/main/packages/reactive-element/src/decorators/query-all.ts
Source: firefox.exe, 00000029.00000003.2407473308.000001FB966B1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000029.00000003.2874355917.000001FB9669D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000029.00000003.2407004515.000001FB96671000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000029.00000003.2846603963.000001FB9669D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000029.00000003.2747711649.000001FB966A0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000029.00000003.2870582921.000001FB9669D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000029.00000003.2648611710.000001FB9669D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000029.00000003.2626143185.000001FB9667E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/lit/lit/blob/main/packages/reactive-element/src/decorators/query.ts
Source: firefox.exe, 00000029.00000003.2353070103.000001FB8E965000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000029.00000003.2352450205.000001FB8E924000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000029.00000003.2352149654.000001FB8EA00000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000029.00000003.2352761725.000001FB8E944000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/mozilla-services/screenshots
Source: firefox.exe, 00000029.00000003.2700062119.000001FB98684000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/w3c/csswg-drafts/blob/master/css-grid-2/MASONRY-EXPLAINER.md
Source: firefox.exe, 00000029.00000003.2700062119.000001FB98684000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/w3c/csswg-drafts/issues/4650
Source: firefox.exe, 00000029.00000003.3020159159.000001FB9739A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google.com
Source: firefox.exe, 00000029.00000003.2700062119.000001FB98684000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://gpuweb.github.io/gpuweb/
Source: firefox.exe, 00000029.00000003.2475084912.000001FB965CD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000029.00000003.2861010042.000001FB965CD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000029.00000003.2930019942.000001FB965CD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://img-getpocket.cdn.mozilla.net/X
Source: RageMP131.exe, 00000008.00000002.2980143223.00000000004DE000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000002.2896368868.000000000147E000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000002.2896368868.0000000001496000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000002.2896368868.000000000142B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/
Source: file.exe, 00000000.00000002.2976955927.000000000091C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2389626209.000000000091C000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.2980143223.0000000000538000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000002.2896368868.000000000147E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/Mozilla/5.0
Source: file.exe, 00000000.00000002.2980859971.0000000000F91000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000003.1999562541.0000000004B90000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2065812545.0000000004A20000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.2066983405.0000000004BB0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.2991732572.0000000000B81000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000008.00000003.2168758239.0000000004950000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000002.2878089392.0000000000B81000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 0000001A.00000003.2360402306.0000000005230000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/https://www.maxmind.com/en/locate-my-ip-addressWs2_32.dll
Source: RageMP131.exe, 0000001A.00000002.2896368868.000000000142B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/nProtM
Source: file.exe, 00000000.00000002.2976955927.000000000091C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2976955927.00000000008F2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2389626209.000000000091C000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.2980143223.0000000000538000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.2980143223.000000000051E000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000002.2896368868.000000000147E000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000002.2896368868.000000000142B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/widget/demo/191.96.227.222
Source: RageMP131.exe, 0000001A.00000002.2896368868.000000000142B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/widget/demo/191.96.227.222B
Source: RageMP131.exe, 00000008.00000002.2980143223.000000000051E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/widget/demo/191.96.227.222p
Source: file.exe, 00000000.00000002.2976955927.00000000008BE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io:443/widget/demo/191.96.227.222
Source: RageMP131.exe, 0000001A.00000002.2896368868.000000000142B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io:443/widget/demo/191.96.227.222EHkN)
Source: RageMP131.exe, 00000008.00000002.2980143223.0000000000538000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io:443/widget/demo/191.96.227.222T
Source: firefox.exe, 00000029.00000003.2861010042.000001FB9656C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000029.00000003.2475084912.000001FB9655F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000029.00000003.2930019942.000001FB9656C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://json-schema.org/draft/2019-09/schema
Source: firefox.exe, 00000029.00000003.2472568638.000001FB9732E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com
Source: firefox.exe, 00000029.00000003.2472568638.000001FB9732E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://login.microsoftonline.com
Source: firefox.exe, 00000029.00000003.2741108156.000001FB8E577000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000029.00000003.2734590873.000001FB8E577000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://mail.google.com/mail/?extsrc=mailto&url=%s
Source: firefox.exe, 00000029.00000003.2741108156.000001FB8E577000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000029.00000003.2734590873.000001FB8E577000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000029.00000003.2362378100.000001FB8E6DE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000029.00000003.2363088949.000001FB8E6DE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://mail.inbox.lv/compose?to=%s
Source: firefox.exe, 00000029.00000003.2741108156.000001FB8E577000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000029.00000003.2734590873.000001FB8E577000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000029.00000003.2362378100.000001FB8E6DE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000029.00000003.2363088949.000001FB8E6DE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://mail.yahoo.co.jp/compose/?To=%s
Source: firefox.exe, 00000029.00000003.2741108156.000001FB8E577000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000029.00000003.2734590873.000001FB8E577000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://outlook.live.com/default.aspx?rru=compose&to=%s
Source: firefox.exe, 00000029.00000003.2741108156.000001FB8E577000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000029.00000003.2734590873.000001FB8E577000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000029.00000003.2362378100.000001FB8E6DE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000029.00000003.2363088949.000001FB8E6DE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://poczta.interia.pl/mh/?mailto=%s
Source: firefox.exe, 00000029.00000003.2854768436.000001FB98DBE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000029.00000003.2691798188.000001FB98DC0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000029.00000003.3002271050.000001FB98DBE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000029.00000003.2895883925.000001FB98DBE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://safebrowsing.google.com/safebrowsing/gethash?client=SAFEBROWSING_ID&appver=118.0&pver=2.2
Source: firefox.exe, 00000029.00000003.2475084912.000001FB9652B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://safebrowsing.googleapis.com/v4/fullHashes:find?$ct=application/x-protobuf&key=AIzaSyC7jsptDS
Source: firefox.exe, 00000029.00000003.2484170838.000001FB91F0A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://safebrowsing.googleapis.com/v4/threatListUpdates:fetch?$ct=application/x-protobuf&key=AIzaSy
Source: firefox.exe, 00000029.00000003.2352761725.000001FB8E944000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://screenshots.firefox.com/
Source: firefox.exe, 00000029.00000003.2560855040.000001FB912E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://shavar.services.mozilla.com
Source: firefox.exe, 00000029.00000003.2560855040.000001FB912E4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://shavar.services.mozilla.com/
Source: firefox.exe, 00000029.00000003.2691798188.000001FB98DC0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://shavar.services.mozilla.com/downloads?client=SAFEBROWSING_ID&appver=118.0&pver=2.2
Source: firefox.exe, 00000029.00000003.2699380184.000001FB986F6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://shavar.services.mozilla.com/downloads?client=navclient-auto-ffox&appver=118.0&pver=2.2
Source: firefox.exe, 00000029.00000003.2691798188.000001FB98DC0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://shavar.services.mozilla.com/gethash?client=SAFEBROWSING_ID&appver=118.0&pver=2.2
Source: firefox.exe, 00000029.00000003.2436535853.000001FB92737000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000029.00000003.2935452112.000001FB9654D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000029.00000003.2861010042.000001FB9654D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://spocs.getpocket.com
Source: firefox.exe, 00000029.00000003.2461036451.000001FB9BEF9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://spocs.getpocket.com/
Source: firefox.exe, 00000029.00000003.2461036451.000001FB9BEF9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://spocs.getpocket.com/spocs
Source: firefox.exe, 00000029.00000003.2854768436.000001FB98DBE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000029.00000003.3002271050.000001FB98DBE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000029.00000003.2895883925.000001FB98DBE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://static.adsafeprotected.com/firefox-etp-js
Source: firefox.exe, 00000029.00000003.2854768436.000001FB98DBE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000029.00000003.3002271050.000001FB98DBE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000029.00000003.2895883925.000001FB98DBE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://static.adsafeprotected.com/firefox-etp-pixel
Source: firefox.exe, 00000029.00000003.2702397446.000001FB98642000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org
Source: firefox.exe, 00000029.00000003.2560855040.000001FB912CF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/1/firefox/118.0.1/WINNT/en-US/
Source: firefox.exe, 00000029.00000003.2860186459.000001FB9739A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000029.00000003.3020159159.000001FB9739A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000029.00000003.2859579934.000001FB98645000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000029.00000003.2706123123.000001FB9739B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000029.00000003.2702286694.000001FB98645000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000029.00000003.2921343886.000001FB9739A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/kb/captive-portal
Source: firefox.exe, 00000029.00000003.2466799961.000001FB98697000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: firefox.exe, 00000029.00000003.2723175944.000001FB8EBDD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000029.00000003.2608964060.000001FB8EBDC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/kb/refresh-firefox-reset-add-ons-and-settings
Source: firefox.exe, 00000029.00000003.2466799961.000001FB98697000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.GVegJq3nFfBL
Source: RageMP131.exe, 0000001A.00000002.2896368868.0000000001496000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.)
Source: RageMP131.exe, 00000008.00000002.2980143223.000000000059F000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.2980143223.00000000005A4000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000002.2896368868.000000000142B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/RiseProSUPPORT
Source: RageMP131.exe, 00000008.00000002.2980143223.000000000059F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/RiseProSUPPORThoS
Source: RageMP131.exe, 0000001A.00000002.2896368868.0000000001496000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/risepro_bot
Source: RageMP131.exe, 0000001A.00000002.2896368868.0000000001496000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/risepro_bot5
Source: file.exe, 00000000.00000002.2976955927.000000000091C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2389626209.000000000091C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/risepro_botG0
Source: file.exe, 00000000.00000002.2976955927.000000000091C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2389626209.000000000091C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/risepro_botY0
Source: RageMP131.exe, 0000001A.00000002.2896368868.0000000001496000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/risepro_botwB7O
Source: firefox.exe, 00000029.00000003.2461036451.000001FB9BEF9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://twitter.com/
Source: firefox.exe, 00000029.00000003.2475084912.000001FB9655F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000029.00000003.2464067429.000001FB98DFB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://weibo.com/
Source: firefox.exe, 00000029.00000003.2475084912.000001FB9655F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.aliexpress.com/
Source: firefox.exe, 00000029.00000003.2475084912.000001FB9655F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.amazon.ca/
Source: firefox.exe, 00000029.00000003.2475084912.000001FB9655F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.amazon.co.uk/
Source: firefox.exe, 00000029.00000003.2461036451.000001FB9BEF9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.amazon.com/
Source: firefox.exe, 00000029.00000003.2703606554.000001FB984F9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000029.00000003.2352761725.000001FB8E944000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.amazon.com/exec/obidos/external-search/
Source: firefox.exe, 00000029.00000003.2475084912.000001FB9655F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.amazon.de/
Source: firefox.exe, 00000029.00000003.2475084912.000001FB9655F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.amazon.fr/
Source: firefox.exe, 00000029.00000003.2475084912.000001FB9655F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.avito.ru/
Source: firefox.exe, 00000029.00000003.2475084912.000001FB9655F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.bbc.co.uk/
Source: firefox.exe, 00000029.00000003.2475084912.000001FB9655F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ebay.de/
Source: file.exe, 00000000.00000003.2116611037.0000000005D2C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2113465149.0000000005C8F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2124224620.0000000005D2C000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2200308328.0000000005D73000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2181499507.0000000005D73000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.2187770588.0000000005C56000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.2120275076.0000000005C35000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.2128210493.0000000005C35000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.2272359442.00000000005C4000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.2301947459.0000000005C08000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.2276330895.00000000005C6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: firefox.exe, 00000029.00000003.2475084912.000001FB965CD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/
Source: firefox.exe, 00000029.00000003.2475084912.000001FB9655F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/complete/search
Source: firefox.exe, 00000029.00000003.2436535853.000001FB9274A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000029.00000003.2352761725.000001FB8E944000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/complete/search?client=firefox&q=
Source: file.exe, 00000000.00000003.2116611037.0000000005D2C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2113465149.0000000005C8F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2124224620.0000000005D2C000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2200308328.0000000005D73000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2181499507.0000000005D73000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.2187770588.0000000005C56000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.2120275076.0000000005C35000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.2404581198.0000000005C53000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.2451025348.0000000005C51000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.2128210493.0000000005C35000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.2272359442.00000000005C4000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.2301947459.0000000005C08000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: firefox.exe, 00000029.00000003.2475084912.000001FB96546000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000029.00000003.2352761725.000001FB8E944000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/search
Source: firefox.exe, 00000029.00000003.2461036451.000001FB9BEF9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/search?client=firefox-b-d&q=
Source: firefox.exe, 00000029.00000003.2475084912.000001FB9655F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ifeng.com/
Source: firefox.exe, 00000029.00000003.2475084912.000001FB9655F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.iqiyi.com/
Source: firefox.exe, 00000029.00000003.2475084912.000001FB9655F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.leboncoin.fr/
Source: firefox.exe, 00000029.00000003.2462883387.000001FB9BEC4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000029.00000003.2702397446.000001FB98642000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000029.00000003.2464498833.000001FB98A49000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org
Source: firefox.exe, 00000029.00000003.2466799961.000001FB98697000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.CDjelnmQJyZc
Source: firefox.exe, 00000029.00000003.2457073466.000001FB8FCAF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000029.00000003.2455731909.000001FB8FC82000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/legal/terms/mozilla/
Source: firefox.exe, 00000029.00000003.2433245091.000001FB9278A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/anything/?
Source: firefox.exe, 00000029.00000003.2466799961.000001FB98697000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.b3lOZaxJcpF6
Source: file.exe, 00000000.00000002.2976955927.000000000091C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2389626209.000000000091C000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.2980143223.0000000000538000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/
Source: file.exe, 00000000.00000003.2144512810.0000000005C8E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2158598098.0000000005C8E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2157484063.0000000005C8E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2115223948.0000000005C8E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2114512820.0000000005C8E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2116875878.0000000005C8E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2155154432.0000000005C8E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2117311152.0000000005C8E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.3045108093.0000000005C8E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2117924699.0000000005C8E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2119592335.0000000005C8E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2134765646.0000000005C8E000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.2302523520.0000000005BEF000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.2277486245.0000000005BEF000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.3051963799.0000000005BEF000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.2303108433.0000000005BEF000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.2312179593.0000000005BEF000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000029.00000003.2466799961.000001FB98697000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: firefox.exe, 00000029.00000003.2466799961.000001FB98697000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: file.exe, 00000000.00000003.2144512810.0000000005C8E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2158598098.0000000005C8E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2157484063.0000000005C8E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2115223948.0000000005C8E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2114512820.0000000005C8E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2116875878.0000000005C8E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2155154432.0000000005C8E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2117311152.0000000005C8E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.3045108093.0000000005C8E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2117924699.0000000005C8E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2119592335.0000000005C8E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2134765646.0000000005C8E000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.2302523520.0000000005BEF000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.2277486245.0000000005BEF000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.3051963799.0000000005BEF000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.2303108433.0000000005BEF000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.2312179593.0000000005BEF000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000029.00000003.2466799961.000001FB98697000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/media/img/mozorg/mozilla-256.4720741d4108.jpg
Source: file.exe, 00000000.00000002.2976955927.000000000091C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2389626209.000000000091C000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.2980143223.0000000000538000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/
Source: file.exe, 00000000.00000003.2144512810.0000000005C8E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2158598098.0000000005C8E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2157484063.0000000005C8E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2115223948.0000000005C8E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2114512820.0000000005C8E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2116875878.0000000005C8E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2155154432.0000000005C8E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2117311152.0000000005C8E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.3045108093.0000000005C8E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2117924699.0000000005C8E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2119592335.0000000005C8E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2134765646.0000000005C8E000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.2302523520.0000000005BEF000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.2277486245.0000000005BEF000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.3051963799.0000000005BEF000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.2303108433.0000000005BEF000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.2312179593.0000000005BEF000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000029.00000003.2466799961.000001FB98697000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: RageMP131.exe, 00000008.00000002.2980143223.0000000000538000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/s
Source: firefox.exe, 00000029.00000003.2472568638.000001FB9732E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com
Source: firefox.exe, 00000029.00000003.2475084912.000001FB9655F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000029.00000003.2464067429.000001FB98DFB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.olx.pl/
Source: firefox.exe, 00000029.00000003.2461036451.000001FB9BEF9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.reddit.com/
Source: firefox.exe, 00000029.00000003.2475084912.000001FB9655F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.wykop.pl/
Source: firefox.exe, 00000027.00000002.2303785942.00000226FD9C0000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000029.00000003.2483237784.000001FB91FC8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000029.00000003.2901527515.000001FB98D76000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000029.00000003.2854768436.000001FB98D76000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com
Source: firefox.exe, 00000027.00000002.2303785942.00000226FD9C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com--attempting-deelevation
Source: firefox.exe, 00000029.00000003.2461036451.000001FB9BEF9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/
Source: MPGPH131.exe, 00000007.00000003.2617487083.0000000005C13000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.2613733396.0000000000992000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com//pp
Source: MPGPH131.exe, 00000007.00000003.2614228154.0000000005C25000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.2616339617.0000000005C2A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/YouTube
Source: MPGPH131.exe, 00000007.00000003.2614228154.0000000005C25000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.2616339617.0000000005C2A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/YouTube/pp
Source: RageMP131.exe, 00000008.00000002.3051142522.0000000005AD0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/ta1
Source: firefox.exe, 00000023.00000002.2300285719.0000022AC2BC0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.comC:
Source: firefox.exe, 00000029.00000003.2301349556.000001FB805D5000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000029.00000003.2299483431.000001FB805D5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.comMOZ_CRASHREPORTER_STRINGS_OVERRIDE=C:
Source: firefox.exe, 00000023.00000002.2300285719.0000022AC2BC0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.comd
Source: firefox.exe, 00000029.00000003.2464067429.000001FB98DFB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.zhihu.com/
Source: firefox.exe, 00000029.00000003.2562452943.000001FB91193000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://youtube.com

System Summary

Binary is likely a compiled AutoIt script file

Source: file.exe, 00000000.00000003.2426464372.0000000006328000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_6c64d182-0
Source: file.exe, 00000000.00000003.2426464372.0000000006328000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_80e1078d-f
Source: MPGPH131.exe, 00000006.00000003.2953181412.0000000005C88000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_136bab35-4
Source: MPGPH131.exe, 00000006.00000003.2953181412.0000000005C88000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_8fc55a00-7
Source: MPGPH131.exe, 00000007.00000003.2992008424.00000000064F9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_534e2795-1
Source: MPGPH131.exe, 00000007.00000003.2992008424.00000000064F9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_f7ff4ccc-3
Source: RageMP131.exe, 00000008.00000003.2633598752.0000000007731000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_331cce5e-6
Source: RageMP131.exe, 00000008.00000003.2633598752.0000000007731000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_546a719a-3
Source: 1zSWTheo8gASwgtmbVnB.exe, 0000000A.00000000.2193237793.00000000007A2000.00000002.00000001.01000000.00000008.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_cbaa8c0f-f
Source: 1zSWTheo8gASwgtmbVnB.exe, 0000000A.00000000.2193237793.00000000007A2000.00000002.00000001.01000000.00000008.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_cbb4be20-7

PE file contains section with special chars

Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name: .idata
Source: file.exe	Static PE information: section name:
Source: RageMP131.exe.0.dr	Static PE information: section name:
Source: RageMP131.exe.0.dr	Static PE information: section name: .idata
Source: RageMP131.exe.0.dr	Static PE information: section name:
Source: MPGPH131.exe.0.dr	Static PE information: section name:
Source: MPGPH131.exe.0.dr	Static PE information: section name: .idata
Source: MPGPH131.exe.0.dr	Static PE information: section name:
Source: ladas[1].exe.0.dr	Static PE information: section name:
Source: ladas[1].exe.0.dr	Static PE information: section name: .idata
Source: ladas[1].exe.0.dr	Static PE information: section name:
Source: MF0uP9gfhtzQk0nmPHvh.exe.0.dr	Static PE information: section name:
Source: MF0uP9gfhtzQk0nmPHvh.exe.0.dr	Static PE information: section name: .idata
Source: MF0uP9gfhtzQk0nmPHvh.exe.0.dr	Static PE information: section name:
Source: EdgeMS131.exe.0.dr	Static PE information: section name:
Source: EdgeMS131.exe.0.dr	Static PE information: section name: .idata
Source: EdgeMS131.exe.0.dr	Static PE information: section name:
Source: niks[1].exe.0.dr	Static PE information: section name:
Source: niks[1].exe.0.dr	Static PE information: section name: .idata
Source: niks[1].exe.0.dr	Static PE information: section name:
Source: Oqz1gKr60kpGbxg1Y8oi.exe.0.dr	Static PE information: section name:
Source: Oqz1gKr60kpGbxg1Y8oi.exe.0.dr	Static PE information: section name: .idata
Source: Oqz1gKr60kpGbxg1Y8oi.exe.0.dr	Static PE information: section name:
Source: amert[1].exe.0.dr	Static PE information: section name:
Source: amert[1].exe.0.dr	Static PE information: section name: .idata
Source: amert[1].exe.0.dr	Static PE information: section name:
Source: _z8_twA5gL3uyAKSYBl4.exe.0.dr	Static PE information: section name:
Source: _z8_twA5gL3uyAKSYBl4.exe.0.dr	Static PE information: section name: .idata
Source: _z8_twA5gL3uyAKSYBl4.exe.0.dr	Static PE information: section name:
Source: AdobeUpdaterV131.exe.0.dr	Static PE information: section name:
Source: AdobeUpdaterV131.exe.0.dr	Static PE information: section name: .idata
Source: AdobeUpdaterV131.exe.0.dr	Static PE information: section name:
Source: MSIUpdaterV131.exe.0.dr	Static PE information: section name:
Source: MSIUpdaterV131.exe.0.dr	Static PE information: section name: .idata
Source: MSIUpdaterV131.exe.0.dr	Static PE information: section name:
Source: Sc7F78Jv4MgkpAFnc7lD.exe.6.dr	Static PE information: section name:
Source: Sc7F78Jv4MgkpAFnc7lD.exe.6.dr	Static PE information: section name: .idata
Source: Sc7F78Jv4MgkpAFnc7lD.exe.6.dr	Static PE information: section name:
Source: tL_fuTzDWfh0VWCLkvvf.exe.6.dr	Static PE information: section name:
Source: tL_fuTzDWfh0VWCLkvvf.exe.6.dr	Static PE information: section name: .idata
Source: tL_fuTzDWfh0VWCLkvvf.exe.6.dr	Static PE information: section name:
Source: lraj6KX6dVjpCpYcPfhj.exe.6.dr	Static PE information: section name:
Source: lraj6KX6dVjpCpYcPfhj.exe.6.dr	Static PE information: section name: .idata
Source: lraj6KX6dVjpCpYcPfhj.exe.6.dr	Static PE information: section name:
Source: ladas[1].exe.7.dr	Static PE information: section name:
Source: ladas[1].exe.7.dr	Static PE information: section name: .idata
Source: ladas[1].exe.7.dr	Static PE information: section name:
Source: Utp0jUqZeU8scbGMpad8.exe.7.dr	Static PE information: section name:
Source: Utp0jUqZeU8scbGMpad8.exe.7.dr	Static PE information: section name: .idata
Source: Utp0jUqZeU8scbGMpad8.exe.7.dr	Static PE information: section name:
Source: amert[2].exe.7.dr	Static PE information: section name:
Source: amert[2].exe.7.dr	Static PE information: section name: .idata
Source: amert[2].exe.7.dr	Static PE information: section name:
Source: vyOycan6EgXUKkno1qul.exe.7.dr	Static PE information: section name:
Source: vyOycan6EgXUKkno1qul.exe.7.dr	Static PE information: section name: .idata
Source: vyOycan6EgXUKkno1qul.exe.7.dr	Static PE information: section name:
Source: niks[1].exe.7.dr	Static PE information: section name:
Source: niks[1].exe.7.dr	Static PE information: section name: .idata
Source: niks[1].exe.7.dr	Static PE information: section name:
Source: ApPQmeGzxQP3KtH6lKvJ.exe.7.dr	Static PE information: section name:
Source: ApPQmeGzxQP3KtH6lKvJ.exe.7.dr	Static PE information: section name: .idata
Source: ApPQmeGzxQP3KtH6lKvJ.exe.7.dr	Static PE information: section name:
Source: niks[1].exe.8.dr	Static PE information: section name:
Source: niks[1].exe.8.dr	Static PE information: section name: .idata
Source: niks[1].exe.8.dr	Static PE information: section name:
Source: pZpo0gU01Jxx21DdQmVG.exe.8.dr	Static PE information: section name:
Source: pZpo0gU01Jxx21DdQmVG.exe.8.dr	Static PE information: section name: .idata
Source: pZpo0gU01Jxx21DdQmVG.exe.8.dr	Static PE information: section name:
Source: ladas[1].exe.8.dr	Static PE information: section name:
Source: ladas[1].exe.8.dr	Static PE information: section name: .idata
Source: ladas[1].exe.8.dr	Static PE information: section name:
Source: 3GOT3GAXnZqbKvGYOMGC.exe.8.dr	Static PE information: section name:
Source: 3GOT3GAXnZqbKvGYOMGC.exe.8.dr	Static PE information: section name: .idata
Source: 3GOT3GAXnZqbKvGYOMGC.exe.8.dr	Static PE information: section name:
Source: amert[1].exe.8.dr	Static PE information: section name:
Source: amert[1].exe.8.dr	Static PE information: section name: .idata
Source: amert[1].exe.8.dr	Static PE information: section name:
Source: tTuIhXRskVqio6hWX3MJ.exe.8.dr	Static PE information: section name:
Source: tTuIhXRskVqio6hWX3MJ.exe.8.dr	Static PE information: section name: .idata
Source: tTuIhXRskVqio6hWX3MJ.exe.8.dr	Static PE information: section name:

PE file has nameless sections

Source: plaza[1].exe.0.dr	Static PE information: section name:
Source: plaza[1].exe.0.dr	Static PE information: section name:
Source: plaza[1].exe.0.dr	Static PE information: section name:
Source: plaza[1].exe.0.dr	Static PE information: section name:
Source: plaza[1].exe.0.dr	Static PE information: section name:
Source: plaza[1].exe.0.dr	Static PE information: section name:
Source: N6QvjPQDZQjnaZdnVBvT.exe.0.dr	Static PE information: section name:
Source: N6QvjPQDZQjnaZdnVBvT.exe.0.dr	Static PE information: section name:
Source: N6QvjPQDZQjnaZdnVBvT.exe.0.dr	Static PE information: section name:
Source: N6QvjPQDZQjnaZdnVBvT.exe.0.dr	Static PE information: section name:
Source: N6QvjPQDZQjnaZdnVBvT.exe.0.dr	Static PE information: section name:
Source: N6QvjPQDZQjnaZdnVBvT.exe.0.dr	Static PE information: section name:
Source: SCqW_P_cJpDWINh51hrr.exe.6.dr	Static PE information: section name:
Source: SCqW_P_cJpDWINh51hrr.exe.6.dr	Static PE information: section name:
Source: SCqW_P_cJpDWINh51hrr.exe.6.dr	Static PE information: section name:
Source: SCqW_P_cJpDWINh51hrr.exe.6.dr	Static PE information: section name:
Source: SCqW_P_cJpDWINh51hrr.exe.6.dr	Static PE information: section name:
Source: SCqW_P_cJpDWINh51hrr.exe.6.dr	Static PE information: section name:
Source: plaza[1].exe.7.dr	Static PE information: section name:
Source: plaza[1].exe.7.dr	Static PE information: section name:
Source: plaza[1].exe.7.dr	Static PE information: section name:
Source: plaza[1].exe.7.dr	Static PE information: section name:
Source: plaza[1].exe.7.dr	Static PE information: section name:
Source: plaza[1].exe.7.dr	Static PE information: section name:
Source: 2fck4tppkbHBVDQlLEGf.exe.7.dr	Static PE information: section name:
Source: 2fck4tppkbHBVDQlLEGf.exe.7.dr	Static PE information: section name:
Source: 2fck4tppkbHBVDQlLEGf.exe.7.dr	Static PE information: section name:
Source: 2fck4tppkbHBVDQlLEGf.exe.7.dr	Static PE information: section name:
Source: 2fck4tppkbHBVDQlLEGf.exe.7.dr	Static PE information: section name:
Source: 2fck4tppkbHBVDQlLEGf.exe.7.dr	Static PE information: section name:
Source: plaza[1].exe.8.dr	Static PE information: section name:
Source: plaza[1].exe.8.dr	Static PE information: section name:
Source: plaza[1].exe.8.dr	Static PE information: section name:
Source: plaza[1].exe.8.dr	Static PE information: section name:
Source: plaza[1].exe.8.dr	Static PE information: section name:
Source: plaza[1].exe.8.dr	Static PE information: section name:
Source: q38g6uHDrjZFvFdWaIY2.exe.8.dr	Static PE information: section name:
Source: q38g6uHDrjZFvFdWaIY2.exe.8.dr	Static PE information: section name:
Source: q38g6uHDrjZFvFdWaIY2.exe.8.dr	Static PE information: section name:
Source: q38g6uHDrjZFvFdWaIY2.exe.8.dr	Static PE information: section name:
Source: q38g6uHDrjZFvFdWaIY2.exe.8.dr	Static PE information: section name:
Source: q38g6uHDrjZFvFdWaIY2.exe.8.dr	Static PE information: section name:

Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 8_2_00B8A450 RtlAllocateHeap,NtQuerySystemInformation,HeapFree,RtlFreeHeap,RtlAllocateHeap,NtQuerySystemInformation,HeapFree,		8_2_00B8A450
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 8_2_00B8A770 NtDuplicateObject,CreateThread,RtlUnicodeStringToAnsiString,TerminateThread,		8_2_00B8A770

Source: C:\Windows\System32\SIHClient.exe

File created: C:\Windows\SoftwareDistribution\SLS\522D76A4-93E1-47F8-B8CE-07C937AD1A1E\TMP9A83.tmp

Source: C:\Users\user\AppData\Local\Temp\heidizS9SzeRnCJb5\_z8_twA5gL3uyAKSYBl4.exe

File deleted: C:\Windows\Tasks\explorgu.job

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FC48E0	0_2_00FC48E0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0106A930	0_2_0106A930
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FC0890	0_2_00FC0890
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F9F050	0_2_00F9F050
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FC1010	0_2_00FC1010
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FD2010	0_2_00FD2010
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FED180	0_2_00FED180
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FE3910	0_2_00FE3910
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FE52B0	0_2_00FE52B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FB5A90	0_2_00FB5A90
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FBBA60	0_2_00FBBA60
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FD2250	0_2_00FD2250
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FA13C0	0_2_00FA13C0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FDDB80	0_2_00FDDB80
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FD0360	0_2_00FD0360
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FE3350	0_2_00FE3350
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FC8C90	0_2_00FC8C90
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_010245E0	0_2_010245E0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FCD5A0	0_2_00FCD5A0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FC6590	0_2_00FC6590
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FA0580	0_2_00FA0580
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FB8570	0_2_00FB8570
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0107970D	0_2_0107970D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FBDE70	0_2_00FBDE70
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FC7660	0_2_00FC7660
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FB0780	0_2_00FB0780
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FBA760	0_2_00FBA760
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FB4730	0_2_00FB4730
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FCA700	0_2_00FCA700
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F92050	0_2_00F92050
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01074008	0_2_01074008
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01076040	0_2_01076040
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01000850	0_2_01000850
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01070880	0_2_01070880
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FAA150	0_2_00FAA150
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0108D311	0_2_0108D311
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FE82E0	0_2_00FE82E0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F922C0	0_2_00F922C0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FC02C0	0_2_00FC02C0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01022360	0_2_01022360
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_010873C4	0_2_010873C4
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01079A4F	0_2_01079A4F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01011A50	0_2_01011A50
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F9ABA0	0_2_00F9ABA0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0102D2C0	0_2_0102D2C0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0101D530	0_2_0101D530
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01014D30	0_2_01014D30
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FEA540	0_2_00FEA540
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0108F4C0	0_2_0108F4C0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0100F4D0	0_2_0100F4D0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01010FD0	0_2_01010FD0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01021E50	0_2_01021E50
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0101DE70	0_2_0101DE70
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F9A770	0_2_00F9A770
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 8_2_00BB0890	8_2_00BB0890
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 8_2_00BB48E0	8_2_00BB48E0
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 8_2_00C5A930	8_2_00C5A930
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 8_2_00BA5A90	8_2_00BA5A90
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 8_2_00BABA60	8_2_00BABA60
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 8_2_00B8ABA0	8_2_00B8ABA0
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 8_2_00BCDB80	8_2_00BCDB80
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 8_2_00BC0360	8_2_00BC0360
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 8_2_00BD3350	8_2_00BD3350
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 8_2_00BB8C90	8_2_00BB8C90
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 8_2_00C145E0	8_2_00C145E0
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 8_2_00BB6590	8_2_00BB6590
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 8_2_00BA8570	8_2_00BA8570
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 8_2_00BADE70	8_2_00BADE70
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 8_2_00BB7660	8_2_00BB7660
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 8_2_00BB0FB0	8_2_00BB0FB0
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 8_2_00BA0780	8_2_00BA0780
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 8_2_00BA4730	8_2_00BA4730
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 8_2_00BBA700	8_2_00BBA700
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 8_2_00B8A770	8_2_00B8A770
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 8_2_00BAA760	8_2_00BAA760
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 8_2_00C60880	8_2_00C60880
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 8_2_00C64008	8_2_00C64008
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 8_2_00B82050	8_2_00B82050
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 8_2_00BF2170	8_2_00BF2170
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 8_2_00B9A150	8_2_00B9A150
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 8_2_00C1D2C0	8_2_00C1D2C0
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 8_2_00B822C0	8_2_00B822C0
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 8_2_00BB02C0	8_2_00BB02C0
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 8_2_00C69A4F	8_2_00C69A4F
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 8_2_00C01A50	8_2_00C01A50
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 8_2_00C12360	8_2_00C12360
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 8_2_00C0BCC0	8_2_00C0BCC0
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 8_2_00BFF4D0	8_2_00BFF4D0
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 8_2_00C04D30	8_2_00C04D30
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 8_2_00C0D530	8_2_00C0D530
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 8_2_00C0DE70	8_2_00C0DE70
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 8_2_00BF07B0	8_2_00BF07B0
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 8_2_00C00FD0	8_2_00C00FD0

Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00FF9C70 appears 36 times
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: String function: 00BE9C70 appears 32 times

Source: ladas[1].exe.0.dr	Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: MF0uP9gfhtzQk0nmPHvh.exe.0.dr	Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: Sc7F78Jv4MgkpAFnc7lD.exe.6.dr	Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: ladas[1].exe.7.dr	Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: Utp0jUqZeU8scbGMpad8.exe.7.dr	Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: ladas[1].exe.8.dr	Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: 3GOT3GAXnZqbKvGYOMGC.exe.8.dr	Static PE information: Resource name: RT_VERSION type: COM executable for DOS

Source: file.exe, 00000000.00000002.2982010495.00000000010C7000.00000004.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameMSBuild.exeR vs file.exe
Source: file.exe, 00000000.00000002.2980461301.0000000000F80000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMSBuild.exeR vs file.exe

Source: C:\Users\user\Desktop\file.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: winmm.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: sspicli.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: winhttp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: wininet.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: mswsock.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: devobj.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: webio.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: iphlpapi.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: winnsi.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: dnsapi.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: rasadhlp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: fwpuclnt.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: schannel.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: mskeyprotect.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: ntasn1.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: ncrypt.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: ncryptsslp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: msasn1.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: cryptsp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: rsaenh.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: cryptbase.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: gpapi.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: vaultcli.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: wintypes.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: windows.storage.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: wldp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: ntmarta.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: dpapi.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: iertutil.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: profapi.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: kernel.appcore.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: urlmon.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: srvcli.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: netutils.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: uxtheme.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: propsys.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: edputil.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: wintypes.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: appresolver.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: bcp47langs.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: slc.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: userenv.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: sppc.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: devobj.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: webio.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: vaultcli.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\heidizS9SzeRnCJb5\1zSWTheo8gASwgtmbVnB.exe	Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\Temp\heidizS9SzeRnCJb5\1zSWTheo8gASwgtmbVnB.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\heidizS9SzeRnCJb5\1zSWTheo8gASwgtmbVnB.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\heidizS9SzeRnCJb5\1zSWTheo8gASwgtmbVnB.exe	Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\heidizS9SzeRnCJb5\1zSWTheo8gASwgtmbVnB.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\heidizS9SzeRnCJb5\1zSWTheo8gASwgtmbVnB.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\heidizS9SzeRnCJb5\1zSWTheo8gASwgtmbVnB.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\heidizS9SzeRnCJb5\1zSWTheo8gASwgtmbVnB.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\heidizS9SzeRnCJb5\1zSWTheo8gASwgtmbVnB.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\heidizS9SzeRnCJb5\1zSWTheo8gASwgtmbVnB.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\heidizS9SzeRnCJb5\1zSWTheo8gASwgtmbVnB.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\heidizS9SzeRnCJb5\1zSWTheo8gASwgtmbVnB.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\heidizS9SzeRnCJb5\1zSWTheo8gASwgtmbVnB.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\heidizS9SzeRnCJb5\1zSWTheo8gASwgtmbVnB.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\heidizS9SzeRnCJb5\1zSWTheo8gASwgtmbVnB.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\heidizS9SzeRnCJb5\1zSWTheo8gASwgtmbVnB.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\heidizS9SzeRnCJb5\1zSWTheo8gASwgtmbVnB.exe	Section loaded: windows.shell.servicehostbuilder.dll
Source: C:\Users\user\AppData\Local\Temp\heidizS9SzeRnCJb5\1zSWTheo8gASwgtmbVnB.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\heidizS9SzeRnCJb5\1zSWTheo8gASwgtmbVnB.exe	Section loaded: ieframe.dll
Source: C:\Users\user\AppData\Local\Temp\heidizS9SzeRnCJb5\1zSWTheo8gASwgtmbVnB.exe	Section loaded: netapi32.dll
Source: C:\Users\user\AppData\Local\Temp\heidizS9SzeRnCJb5\1zSWTheo8gASwgtmbVnB.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\heidizS9SzeRnCJb5\1zSWTheo8gASwgtmbVnB.exe	Section loaded: wkscli.dll
Source: C:\Users\user\AppData\Local\Temp\heidizS9SzeRnCJb5\1zSWTheo8gASwgtmbVnB.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\heidizS9SzeRnCJb5\1zSWTheo8gASwgtmbVnB.exe	Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\heidizS9SzeRnCJb5\1zSWTheo8gASwgtmbVnB.exe	Section loaded: secur32.dll
Source: C:\Users\user\AppData\Local\Temp\heidizS9SzeRnCJb5\1zSWTheo8gASwgtmbVnB.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\heidizS9SzeRnCJb5\1zSWTheo8gASwgtmbVnB.exe	Section loaded: mlang.dll
Source: C:\Users\user\AppData\Local\Temp\heidizS9SzeRnCJb5\1zSWTheo8gASwgtmbVnB.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\heidizS9SzeRnCJb5\1zSWTheo8gASwgtmbVnB.exe	Section loaded: policymanager.dll
Source: C:\Users\user\AppData\Local\Temp\heidizS9SzeRnCJb5\1zSWTheo8gASwgtmbVnB.exe	Section loaded: msvcp110_win.dll
Source: C:\Users\user\AppData\Local\Temp\heidizS9SzeRnCJb5\1zSWTheo8gASwgtmbVnB.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\heidizS9SzeRnCJb5\1zSWTheo8gASwgtmbVnB.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\heidizS9SzeRnCJb5\1zSWTheo8gASwgtmbVnB.exe	Section loaded: pcacli.dll
Source: C:\Users\user\AppData\Local\Temp\heidizS9SzeRnCJb5\1zSWTheo8gASwgtmbVnB.exe	Section loaded: sfc_os.dll
Source: C:\Users\user\AppData\Local\Temp\heidizS9SzeRnCJb5\1zSWTheo8gASwgtmbVnB.exe	Section loaded: ieframe.dll
Source: C:\Users\user\AppData\Local\Temp\heidizS9SzeRnCJb5\1zSWTheo8gASwgtmbVnB.exe	Section loaded: netapi32.dll
Source: C:\Users\user\AppData\Local\Temp\heidizS9SzeRnCJb5\1zSWTheo8gASwgtmbVnB.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\heidizS9SzeRnCJb5\1zSWTheo8gASwgtmbVnB.exe	Section loaded: wkscli.dll
Source: C:\Users\user\AppData\Local\Temp\heidizS9SzeRnCJb5\1zSWTheo8gASwgtmbVnB.exe	Section loaded: ieframe.dll
Source: C:\Users\user\AppData\Local\Temp\heidizS9SzeRnCJb5\1zSWTheo8gASwgtmbVnB.exe	Section loaded: netapi32.dll
Source: C:\Users\user\AppData\Local\Temp\heidizS9SzeRnCJb5\1zSWTheo8gASwgtmbVnB.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\heidizS9SzeRnCJb5\1zSWTheo8gASwgtmbVnB.exe	Section loaded: wkscli.dll
Source: C:\Users\user\AppData\Local\Temp\heidizS9SzeRnCJb5\1zSWTheo8gASwgtmbVnB.exe	Section loaded: ieframe.dll
Source: C:\Users\user\AppData\Local\Temp\heidizS9SzeRnCJb5\1zSWTheo8gASwgtmbVnB.exe	Section loaded: netapi32.dll
Source: C:\Users\user\AppData\Local\Temp\heidizS9SzeRnCJb5\1zSWTheo8gASwgtmbVnB.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\heidizS9SzeRnCJb5\1zSWTheo8gASwgtmbVnB.exe	Section loaded: wkscli.dll
Source: C:\Users\user\AppData\Local\Temp\heidizS9SzeRnCJb5\1zSWTheo8gASwgtmbVnB.exe	Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\heidizS9SzeRnCJb5\1zSWTheo8gASwgtmbVnB.exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\heidizS9SzeRnCJb5\1zSWTheo8gASwgtmbVnB.exe	Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\heidizS9SzeRnCJb5\1zSWTheo8gASwgtmbVnB.exe	Section loaded: sppc.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: devobj.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: webio.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: xmllite.dll
Source: C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe	Section loaded: apphelp.dll
Source: C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe	Section loaded: acgenral.dll
Source: C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe	Section loaded: uxtheme.dll
Source: C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe	Section loaded: winmm.dll
Source: C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe	Section loaded: samcli.dll
Source: C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe	Section loaded: msacm32.dll
Source: C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe	Section loaded: version.dll
Source: C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe	Section loaded: userenv.dll
Source: C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe	Section loaded: dwmapi.dll
Source: C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe	Section loaded: urlmon.dll
Source: C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe	Section loaded: mpr.dll
Source: C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe	Section loaded: sspicli.dll
Source: C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe	Section loaded: winmmbase.dll
Source: C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe	Section loaded: winmmbase.dll
Source: C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe	Section loaded: iertutil.dll
Source: C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe	Section loaded: srvcli.dll
Source: C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe	Section loaded: netutils.dll
Source: C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe	Section loaded: aclayers.dll
Source: C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe	Section loaded: sfc.dll
Source: C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe	Section loaded: sfc_os.dll
Source: C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe	Section loaded: wininet.dll
Source: C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe	Section loaded: kernel.appcore.dll
Source: C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe	Section loaded: apphelp.dll
Source: C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe	Section loaded: acgenral.dll
Source: C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe	Section loaded: uxtheme.dll
Source: C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe	Section loaded: winmm.dll
Source: C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe	Section loaded: samcli.dll
Source: C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe	Section loaded: msacm32.dll
Source: C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe	Section loaded: version.dll
Source: C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe	Section loaded: userenv.dll
Source: C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe	Section loaded: dwmapi.dll
Source: C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe	Section loaded: urlmon.dll
Source: C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe	Section loaded: mpr.dll
Source: C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe	Section loaded: sspicli.dll
Source: C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe	Section loaded: winmmbase.dll
Source: C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe	Section loaded: winmmbase.dll
Source: C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe	Section loaded: iertutil.dll
Source: C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe	Section loaded: srvcli.dll
Source: C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe	Section loaded: netutils.dll
Source: C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe	Section loaded: aclayers.dll
Source: C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe	Section loaded: sfc.dll
Source: C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe	Section loaded: sfc_os.dll
Source: C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe	Section loaded: wininet.dll
Source: C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\heidizS9SzeRnCJb5\_z8_twA5gL3uyAKSYBl4.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\heidizS9SzeRnCJb5\_z8_twA5gL3uyAKSYBl4.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\heidizS9SzeRnCJb5\_z8_twA5gL3uyAKSYBl4.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\heidizS9SzeRnCJb5\_z8_twA5gL3uyAKSYBl4.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\heidizS9SzeRnCJb5\_z8_twA5gL3uyAKSYBl4.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\heidizS9SzeRnCJb5\_z8_twA5gL3uyAKSYBl4.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\heidizS9SzeRnCJb5\_z8_twA5gL3uyAKSYBl4.exe	Section loaded: mstask.dll
Source: C:\Users\user\AppData\Local\Temp\heidizS9SzeRnCJb5\_z8_twA5gL3uyAKSYBl4.exe	Section loaded: mstask.dll
Source: C:\Users\user\AppData\Local\Temp\heidizS9SzeRnCJb5\_z8_twA5gL3uyAKSYBl4.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\heidizS9SzeRnCJb5\_z8_twA5gL3uyAKSYBl4.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\heidizS9SzeRnCJb5\_z8_twA5gL3uyAKSYBl4.exe	Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\heidizS9SzeRnCJb5\_z8_twA5gL3uyAKSYBl4.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\heidizS9SzeRnCJb5\_z8_twA5gL3uyAKSYBl4.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\heidizS9SzeRnCJb5\_z8_twA5gL3uyAKSYBl4.exe	Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\heidizS9SzeRnCJb5\_z8_twA5gL3uyAKSYBl4.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\heidizS9SzeRnCJb5\_z8_twA5gL3uyAKSYBl4.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\heidizS9SzeRnCJb5\_z8_twA5gL3uyAKSYBl4.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\heidizS9SzeRnCJb5\_z8_twA5gL3uyAKSYBl4.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\heidizS9SzeRnCJb5\_z8_twA5gL3uyAKSYBl4.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\heidizS9SzeRnCJb5\_z8_twA5gL3uyAKSYBl4.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\heidizS9SzeRnCJb5\_z8_twA5gL3uyAKSYBl4.exe	Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\heidizS9SzeRnCJb5\_z8_twA5gL3uyAKSYBl4.exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\heidizS9SzeRnCJb5\_z8_twA5gL3uyAKSYBl4.exe	Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\heidizS9SzeRnCJb5\_z8_twA5gL3uyAKSYBl4.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\heidizS9SzeRnCJb5\_z8_twA5gL3uyAKSYBl4.exe	Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\heidizS9SzeRnCJb5\_z8_twA5gL3uyAKSYBl4.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\heidizS9SzeRnCJb5\_z8_twA5gL3uyAKSYBl4.exe	Section loaded: onecoreuapcommonproxystub.dll

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: file.exe	Static PE information: Section: ZLIB complexity 0.9994673295454546
Source: file.exe	Static PE information: Section: nlyzwaah ZLIB complexity 0.9910513154479383
Source: RageMP131.exe.0.dr	Static PE information: Section: ZLIB complexity 0.9994673295454546
Source: RageMP131.exe.0.dr	Static PE information: Section: nlyzwaah ZLIB complexity 0.9910513154479383
Source: MPGPH131.exe.0.dr	Static PE information: Section: ZLIB complexity 0.9994673295454546
Source: MPGPH131.exe.0.dr	Static PE information: Section: nlyzwaah ZLIB complexity 0.9910513154479383
Source: plaza[1].exe.0.dr	Static PE information: Section: ZLIB complexity 0.9996970749728851
Source: plaza[1].exe.0.dr	Static PE information: Section: ZLIB complexity 0.9966190732758621
Source: plaza[1].exe.0.dr	Static PE information: Section: ZLIB complexity 0.99484375
Source: N6QvjPQDZQjnaZdnVBvT.exe.0.dr	Static PE information: Section: ZLIB complexity 0.9996970749728851
Source: N6QvjPQDZQjnaZdnVBvT.exe.0.dr	Static PE information: Section: ZLIB complexity 0.9966190732758621
Source: N6QvjPQDZQjnaZdnVBvT.exe.0.dr	Static PE information: Section: ZLIB complexity 0.99484375
Source: ladas[1].exe.0.dr	Static PE information: Section: ZLIB complexity 0.9999914336622807
Source: MF0uP9gfhtzQk0nmPHvh.exe.0.dr	Static PE information: Section: ZLIB complexity 0.9999914336622807
Source: EdgeMS131.exe.0.dr	Static PE information: Section: ZLIB complexity 0.9976917613636364
Source: EdgeMS131.exe.0.dr	Static PE information: Section: wplfwedx ZLIB complexity 0.994152472892023
Source: niks[1].exe.0.dr	Static PE information: Section: rgatmioc ZLIB complexity 0.9945738784195659
Source: Oqz1gKr60kpGbxg1Y8oi.exe.0.dr	Static PE information: Section: rgatmioc ZLIB complexity 0.9945738784195659
Source: amert[1].exe.0.dr	Static PE information: Section: ZLIB complexity 0.9976917613636364
Source: amert[1].exe.0.dr	Static PE information: Section: wplfwedx ZLIB complexity 0.994152472892023
Source: _z8_twA5gL3uyAKSYBl4.exe.0.dr	Static PE information: Section: ZLIB complexity 0.9976917613636364
Source: _z8_twA5gL3uyAKSYBl4.exe.0.dr	Static PE information: Section: wplfwedx ZLIB complexity 0.994152472892023
Source: AdobeUpdaterV131.exe.0.dr	Static PE information: Section: ZLIB complexity 0.9976917613636364
Source: AdobeUpdaterV131.exe.0.dr	Static PE information: Section: wplfwedx ZLIB complexity 0.994152472892023
Source: MSIUpdaterV131.exe.0.dr	Static PE information: Section: ZLIB complexity 0.9976917613636364
Source: MSIUpdaterV131.exe.0.dr	Static PE information: Section: wplfwedx ZLIB complexity 0.994152472892023
Source: SCqW_P_cJpDWINh51hrr.exe.6.dr	Static PE information: Section: ZLIB complexity 0.9996970749728851
Source: SCqW_P_cJpDWINh51hrr.exe.6.dr	Static PE information: Section: ZLIB complexity 0.9966190732758621
Source: SCqW_P_cJpDWINh51hrr.exe.6.dr	Static PE information: Section: ZLIB complexity 0.99484375
Source: Sc7F78Jv4MgkpAFnc7lD.exe.6.dr	Static PE information: Section: ZLIB complexity 0.9999914336622807
Source: tL_fuTzDWfh0VWCLkvvf.exe.6.dr	Static PE information: Section: ZLIB complexity 0.9976917613636364
Source: tL_fuTzDWfh0VWCLkvvf.exe.6.dr	Static PE information: Section: wplfwedx ZLIB complexity 0.994152472892023
Source: lraj6KX6dVjpCpYcPfhj.exe.6.dr	Static PE information: Section: rgatmioc ZLIB complexity 0.9945738784195659
Source: plaza[1].exe.7.dr	Static PE information: Section: ZLIB complexity 0.9996970749728851
Source: plaza[1].exe.7.dr	Static PE information: Section: ZLIB complexity 0.9966190732758621
Source: plaza[1].exe.7.dr	Static PE information: Section: ZLIB complexity 0.99484375
Source: 2fck4tppkbHBVDQlLEGf.exe.7.dr	Static PE information: Section: ZLIB complexity 0.9996970749728851
Source: 2fck4tppkbHBVDQlLEGf.exe.7.dr	Static PE information: Section: ZLIB complexity 0.9966190732758621
Source: 2fck4tppkbHBVDQlLEGf.exe.7.dr	Static PE information: Section: ZLIB complexity 0.99484375
Source: ladas[1].exe.7.dr	Static PE information: Section: ZLIB complexity 0.9999914336622807
Source: Utp0jUqZeU8scbGMpad8.exe.7.dr	Static PE information: Section: ZLIB complexity 0.9999914336622807
Source: amert[2].exe.7.dr	Static PE information: Section: ZLIB complexity 0.9976917613636364
Source: amert[2].exe.7.dr	Static PE information: Section: wplfwedx ZLIB complexity 0.994152472892023
Source: vyOycan6EgXUKkno1qul.exe.7.dr	Static PE information: Section: ZLIB complexity 0.9976917613636364
Source: vyOycan6EgXUKkno1qul.exe.7.dr	Static PE information: Section: wplfwedx ZLIB complexity 0.994152472892023
Source: niks[1].exe.7.dr	Static PE information: Section: rgatmioc ZLIB complexity 0.9945738784195659
Source: ApPQmeGzxQP3KtH6lKvJ.exe.7.dr	Static PE information: Section: rgatmioc ZLIB complexity 0.9945738784195659
Source: niks[1].exe.8.dr	Static PE information: Section: rgatmioc ZLIB complexity 0.9945738784195659
Source: pZpo0gU01Jxx21DdQmVG.exe.8.dr	Static PE information: Section: rgatmioc ZLIB complexity 0.9945738784195659
Source: plaza[1].exe.8.dr	Static PE information: Section: ZLIB complexity 0.9996970749728851
Source: plaza[1].exe.8.dr	Static PE information: Section: ZLIB complexity 0.9966190732758621
Source: plaza[1].exe.8.dr	Static PE information: Section: ZLIB complexity 0.99484375
Source: q38g6uHDrjZFvFdWaIY2.exe.8.dr	Static PE information: Section: ZLIB complexity 0.9996970749728851
Source: q38g6uHDrjZFvFdWaIY2.exe.8.dr	Static PE information: Section: ZLIB complexity 0.9966190732758621
Source: q38g6uHDrjZFvFdWaIY2.exe.8.dr	Static PE information: Section: ZLIB complexity 0.99484375
Source: ladas[1].exe.8.dr	Static PE information: Section: ZLIB complexity 0.9999914336622807
Source: 3GOT3GAXnZqbKvGYOMGC.exe.8.dr	Static PE information: Section: ZLIB complexity 0.9999914336622807
Source: amert[1].exe.8.dr	Static PE information: Section: ZLIB complexity 0.9976917613636364
Source: amert[1].exe.8.dr	Static PE information: Section: wplfwedx ZLIB complexity 0.994152472892023
Source: tTuIhXRskVqio6hWX3MJ.exe.8.dr	Static PE information: Section: ZLIB complexity 0.9976917613636364
Source: tTuIhXRskVqio6hWX3MJ.exe.8.dr	Static PE information: Section: wplfwedx ZLIB complexity 0.994152472892023

Source: ladas[1].exe.7.dr	Static PE information: Entrypont disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5
Source: ladas[1].exe.8.dr	Static PE information: Entrypont disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5
Source: MF0uP9gfhtzQk0nmPHvh.exe.0.dr	Static PE information: Entrypont disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5
Source: ladas[1].exe.0.dr	Static PE information: Entrypont disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5
Source: Utp0jUqZeU8scbGMpad8.exe.7.dr	Static PE information: Entrypont disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5
Source: 3GOT3GAXnZqbKvGYOMGC.exe.8.dr	Static PE information: Entrypont disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5
Source: Sc7F78Jv4MgkpAFnc7lD.exe.6.dr	Static PE information: Entrypont disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@211/936@0/88

Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe

Code function: 8_2_00B8ABA0 CreateToolhelp32Snapshot,

8_2_00B8ABA0

Source: C:\Users\user\Desktop\file.exe

File created: C:\Users\user\AppData\Local\RageMP131

Jump to behavior

Source: C:\Windows\System32\SIHClient.exe	Mutant created: {376155FF-95A0-46CA-8F57-ACB09EA70153}
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8232:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:10008:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5788:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\heidizS9SzeRnCJb5\_z8_twA5gL3uyAKSYBl4.exe	Mutant created: \Sessions\1\BaseNamedObjects\006700e5a2ab05704bbb0c589b88924d
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1672:120:WilError_03

Source: C:\Users\user\Desktop\file.exe

File created: C:\Users\user\AppData\Local\Temp\rage131MP.tmp

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\System32\SIHClient.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\SIHClient.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\SIHClient.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\SIHClient.exe	File read: C:\Windows\System32\drivers\etc\hosts

Source: file.exe, 00000000.00000002.2980859971.0000000000F91000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000003.1999562541.0000000004B90000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2065812545.0000000004A20000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.2066983405.0000000004BB0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.2991732572.0000000000B81000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000008.00000003.2168758239.0000000004950000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000002.2878089392.0000000000B81000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 0000001A.00000003.2360402306.0000000005230000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: file.exe, 00000000.00000002.2980859971.0000000000F91000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000003.1999562541.0000000004B90000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2065812545.0000000004A20000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.2066983405.0000000004BB0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.2991732572.0000000000B81000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000008.00000003.2168758239.0000000004950000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000002.2878089392.0000000000B81000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 0000001A.00000003.2360402306.0000000005230000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: UPDATE %Q.%s SET sql = sqlite_rename_table(sql, %Q), tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: file.exe, 00000000.00000003.2113876416.0000000005C71000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.2614228154.0000000005C43000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.2119322511.00000000009A5000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.2116666400.0000000000977000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.2650881553.0000000005C43000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.2322405219.0000000005C43000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.2267645108.00000000005B2000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.2264457560.0000000005AD2000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.2269803789.0000000005AD9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: file.exe	String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: RageMP131.exe	String found in binary or memory: 3Cannot find '%s'. Please, re-install this application

Source: C:\Users\user\Desktop\file.exe

File read: C:\Users\user\Desktop\file.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\file.exe C:\Users\user\Desktop\file.exe
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\ProgramData\MPGPH131\MPGPH131.exe C:\ProgramData\MPGPH131\MPGPH131.exe
Source: unknown	Process created: C:\ProgramData\MPGPH131\MPGPH131.exe C:\ProgramData\MPGPH131\MPGPH131.exe
Source: unknown	Process created: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe "C:\Users\user\AppData\Local\RageMP131\RageMP131.exe"
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Process created: C:\Windows\System32\SIHClient.exe C:\Windows\System32\sihclient.exe /cv oDBIuu78qUSLDogbPZYF5w.0.2
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Users\user\AppData\Local\Temp\heidizS9SzeRnCJb5\1zSWTheo8gASwgtmbVnB.exe "C:\Users\user\AppData\Local\Temp\heidizS9SzeRnCJb5\1zSWTheo8gASwgtmbVnB.exe"
Source: C:\Users\user\AppData\Local\Temp\heidizS9SzeRnCJb5\1zSWTheo8gASwgtmbVnB.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://www.youtube.com/
Source: C:\Users\user\AppData\Local\Temp\heidizS9SzeRnCJb5\1zSWTheo8gASwgtmbVnB.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://www.linkedin.com/login
Source: C:\Users\user\AppData\Local\Temp\heidizS9SzeRnCJb5\1zSWTheo8gASwgtmbVnB.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://www.facebook.com/video
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2340 --field-trial-handle=1964,i,5887355526268781908,1189009886419855111,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Users\user\AppData\Local\Temp\heidizS9SzeRnCJb5\1zSWTheo8gASwgtmbVnB.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://accounts.google.com/
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2024 --field-trial-handle=1984,i,6749347610235560040,8445991958934204639,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2076 --field-trial-handle=2020,i,9349519310739507833,11996823178141009930,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2020 --field-trial-handle=1976,i,11539279321236040917,10474362654299226247,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Users\user\AppData\Local\Temp\heidizS9SzeRnCJb5\1zSWTheo8gASwgtmbVnB.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" https://www.youtube.com
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe" /tn "MSIUpdaterV131 HR" /sc HOURLY /rl HIGHEST
Source: C:\Users\user\AppData\Local\Temp\heidizS9SzeRnCJb5\1zSWTheo8gASwgtmbVnB.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" https://www.facebook.com/video
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\heidizS9SzeRnCJb5\1zSWTheo8gASwgtmbVnB.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" https://accounts.google.com
Source: C:\Users\user\AppData\Local\Temp\heidizS9SzeRnCJb5\1zSWTheo8gASwgtmbVnB.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com
Source: unknown	Process created: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe "C:\Users\user\AppData\Local\RageMP131\RageMP131.exe"
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2208 --field-trial-handle=2080,i,6001142355176275865,11694759345999334586,262144 /prefetch:3
Source: C:\Users\user\AppData\Local\Temp\heidizS9SzeRnCJb5\1zSWTheo8gASwgtmbVnB.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.facebook.com/video
Source: C:\Users\user\AppData\Local\Temp\heidizS9SzeRnCJb5\1zSWTheo8gASwgtmbVnB.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" https://accounts.google.com
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe" /tn "MSIUpdaterV131 LG" /sc ONLOGON /rl HIGHEST
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=1452 --field-trial-handle=2028,i,4605008049051892939,13077336860849041403,262144 /prefetch:3
Source: unknown	Process created: C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe
Source: unknown	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --flag-switches-begin --flag-switches-end --disable-nacl --do-not-de-elevate https://www.youtube.com
Source: C:\Users\user\AppData\Local\Temp\heidizS9SzeRnCJb5\1zSWTheo8gASwgtmbVnB.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=1120 --field-trial-handle=2024,i,16006183332478894821,13298773514920591943,262144 /prefetch:3
Source: C:\Users\user\AppData\Local\Temp\heidizS9SzeRnCJb5\1zSWTheo8gASwgtmbVnB.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.facebook.com/video
Source: C:\Users\user\AppData\Local\Temp\heidizS9SzeRnCJb5\1zSWTheo8gASwgtmbVnB.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com
Source: unknown	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com --attempting-deelevation
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2720 --field-trial-handle=2600,i,3848527723112303336,5816276702811820383,262144 /prefetch:3
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com
Source: unknown	Process created: C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe
Source: unknown	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.facebook.com/video --attempting-deelevation
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Users\user\AppData\Local\Temp\heidizS9SzeRnCJb5\_z8_twA5gL3uyAKSYBl4.exe "C:\Users\user\AppData\Local\Temp\heidizS9SzeRnCJb5\_z8_twA5gL3uyAKSYBl4.exe"
Source: unknown	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com --attempting-deelevation
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.facebook.com/video
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2260 -parentBuildID 20230927232528 -prefsHandle 2164 -prefMapHandle 2156 -prefsLen 25308 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {78885992-7c24-4bea-b4cd-80bc1adb5941} 10616 "\\.\pipe\gecko-crash-server-pipe.10616" 1fbfe16e710 socket
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-GB --service-sandbox-type=asset_store_service --mojo-platform-channel-handle=6352 --field-trial-handle=2600,i,3848527723112303336,5816276702811820383,262144 /prefetch:8
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-GB --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --mojo-platform-channel-handle=6656 --field-trial-handle=2600,i,3848527723112303336,5816276702811820383,262144 /prefetch:8
Source: unknown	Process created: C:\Users\user\AppData\Local\AdobeUpdaterV131\AdobeUpdaterV131.exe "C:\Users\user\AppData\Local\AdobeUpdaterV131\AdobeUpdaterV131.exe"
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3672 -childID 1 -isForBrowser -prefsHandle 1216 -prefMapHandle 3664 -prefsLen 21867 -prefMapSize 237879 -jsInitHandle 1416 -jsInitLen 234236 -parentBuildID 20230927232528 -appDir "C:\Program Files\Mozilla Firefox\browser" - {fe175a33-28a2-4047-aeec-757513839c5e} 10616 "\\.\pipe\gecko-crash-server-pipe.10616" 1fb8f78ca10 tab
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2556 -childID 2 -isForBrowser -prefsHandle 4004 -prefMapHandle 2968 -prefsLen 22057 -prefMapSize 237879 -jsInitHandle 1416 -jsInitLen 234236 -parentBuildID 20230927232528 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1a7ce19a-c0e1-4606-ade3-f9e411e1fb00} 10616 "\\.\pipe\gecko-crash-server-pipe.10616" 1fb8b43cf50 tab
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Users\user\AppData\Local\Temp\heidizS9SzeRnCJb5\1zSWTheo8gASwgtmbVnB.exe "C:\Users\user\AppData\Local\Temp\heidizS9SzeRnCJb5\1zSWTheo8gASwgtmbVnB.exe"	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe" /tn "MSIUpdaterV131 HR" /sc HOURLY /rl HIGHEST	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe" /tn "MSIUpdaterV131 LG" /sc ONLOGON /rl HIGHEST	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Users\user\AppData\Local\Temp\heidizS9SzeRnCJb5\_z8_twA5gL3uyAKSYBl4.exe "C:\Users\user\AppData\Local\Temp\heidizS9SzeRnCJb5\_z8_twA5gL3uyAKSYBl4.exe"	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Process created: unknown unknown
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Process created: unknown unknown
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Process created: C:\Windows\System32\SIHClient.exe C:\Windows\System32\sihclient.exe /cv oDBIuu78qUSLDogbPZYF5w.0.2
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Process created: unknown unknown
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Process created: unknown unknown
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\heidizS9SzeRnCJb5\1zSWTheo8gASwgtmbVnB.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://www.youtube.com/
Source: C:\Users\user\AppData\Local\Temp\heidizS9SzeRnCJb5\1zSWTheo8gASwgtmbVnB.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://www.linkedin.com/login
Source: C:\Users\user\AppData\Local\Temp\heidizS9SzeRnCJb5\1zSWTheo8gASwgtmbVnB.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://www.facebook.com/video
Source: C:\Users\user\AppData\Local\Temp\heidizS9SzeRnCJb5\1zSWTheo8gASwgtmbVnB.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://accounts.google.com/
Source: C:\Users\user\AppData\Local\Temp\heidizS9SzeRnCJb5\1zSWTheo8gASwgtmbVnB.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" https://www.youtube.com
Source: C:\Users\user\AppData\Local\Temp\heidizS9SzeRnCJb5\1zSWTheo8gASwgtmbVnB.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" https://www.facebook.com/video
Source: C:\Users\user\AppData\Local\Temp\heidizS9SzeRnCJb5\1zSWTheo8gASwgtmbVnB.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" https://accounts.google.com
Source: C:\Users\user\AppData\Local\Temp\heidizS9SzeRnCJb5\1zSWTheo8gASwgtmbVnB.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com
Source: C:\Users\user\AppData\Local\Temp\heidizS9SzeRnCJb5\1zSWTheo8gASwgtmbVnB.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.facebook.com/video
Source: C:\Users\user\AppData\Local\Temp\heidizS9SzeRnCJb5\1zSWTheo8gASwgtmbVnB.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" https://accounts.google.com
Source: C:\Users\user\AppData\Local\Temp\heidizS9SzeRnCJb5\1zSWTheo8gASwgtmbVnB.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com
Source: C:\Users\user\AppData\Local\Temp\heidizS9SzeRnCJb5\1zSWTheo8gASwgtmbVnB.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.facebook.com/video
Source: C:\Users\user\AppData\Local\Temp\heidizS9SzeRnCJb5\1zSWTheo8gASwgtmbVnB.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2340 --field-trial-handle=1964,i,5887355526268781908,1189009886419855111,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2024 --field-trial-handle=1984,i,6749347610235560040,8445991958934204639,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2076 --field-trial-handle=2020,i,9349519310739507833,11996823178141009930,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2020 --field-trial-handle=1976,i,11539279321236040917,10474362654299226247,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2208 --field-trial-handle=2080,i,6001142355176275865,11694759345999334586,262144 /prefetch:3
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=1452 --field-trial-handle=2028,i,4605008049051892939,13077336860849041403,262144 /prefetch:3
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=1120 --field-trial-handle=2024,i,16006183332478894821,13298773514920591943,262144 /prefetch:3
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2720 --field-trial-handle=2600,i,3848527723112303336,5816276702811820383,262144 /prefetch:3
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-GB --service-sandbox-type=asset_store_service --mojo-platform-channel-handle=6352 --field-trial-handle=2600,i,3848527723112303336,5816276702811820383,262144 /prefetch:8
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-GB --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --mojo-platform-channel-handle=6656 --field-trial-handle=2600,i,3848527723112303336,5816276702811820383,262144 /prefetch:8
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2260 -parentBuildID 20230927232528 -prefsHandle 2164 -prefMapHandle 2156 -prefsLen 25308 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {78885992-7c24-4bea-b4cd-80bc1adb5941} 10616 "\\.\pipe\gecko-crash-server-pipe.10616" 1fbfe16e710 socket
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3672 -childID 1 -isForBrowser -prefsHandle 1216 -prefMapHandle 3664 -prefsLen 21867 -prefMapSize 237879 -jsInitHandle 1416 -jsInitLen 234236 -parentBuildID 20230927232528 -appDir "C:\Program Files\Mozilla Firefox\browser" - {fe175a33-28a2-4047-aeec-757513839c5e} 10616 "\\.\pipe\gecko-crash-server-pipe.10616" 1fb8f78ca10 tab
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2556 -childID 2 -isForBrowser -prefsHandle 4004 -prefMapHandle 2968 -prefsLen 22057 -prefMapSize 237879 -jsInitHandle 1416 -jsInitLen 234236 -parentBuildID 20230927232528 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1a7ce19a-c0e1-4606-ade3-f9e411e1fb00} 10616 "\\.\pipe\gecko-crash-server-pipe.10616" 1fb8b43cf50 tab
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.facebook.com/video
Source: C:\Users\user\AppData\Local\Temp\heidizS9SzeRnCJb5\_z8_twA5gL3uyAKSYBl4.exe	Process created: unknown unknown

Source: C:\Windows\System32\SIHClient.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{07369A67-07A6-4608-ABEA-379491CB7C46}\InprocServer32

Source: EdgeMS131.lnk.0.dr	LNK file: ..\..\..\..\..\..\Local\Temp\EdgeMS131\EdgeMS131.exe
Source: Google Drive.lnk.11.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: YouTube.lnk.11.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Sheets.lnk.11.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Gmail.lnk.11.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Slides.lnk.11.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Docs.lnk.11.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: file.exe

Static file information: File size 2332672 > 1048576

Source: file.exe

Static PE information: Raw size of nlyzwaah is bigger than: 0x100000 < 0x1a5600

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\file.exe	Unpacked PE file: 0.2.file.exe.f90000.0.unpack :EW;.rsrc:W;.idata :W; :EW;nlyzwaah:EW;lkbejoib:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;nlyzwaah:EW;lkbejoib:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Unpacked PE file: 8.2.RageMP131.exe.b80000.0.unpack :EW;.rsrc:W;.idata :W; :EW;nlyzwaah:EW;lkbejoib:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;nlyzwaah:EW;lkbejoib:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Unpacked PE file: 26.2.RageMP131.exe.b80000.0.unpack :EW;.rsrc:W;.idata :W; :EW;nlyzwaah:EW;lkbejoib:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;nlyzwaah:EW;lkbejoib:EW;.taggant:EW;
Source: C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe	Unpacked PE file: 33.2.MSIUpdaterV131.exe.650000.0.unpack :EW;.rsrc:W;.idata :W; :EW;wplfwedx:EW;ykkhrrnz:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;wplfwedx:EW;ykkhrrnz:EW;.taggant:EW;
Source: C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe	Unpacked PE file: 42.2.MSIUpdaterV131.exe.650000.0.unpack :EW;.rsrc:W;.idata :W; :EW;wplfwedx:EW;ykkhrrnz:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;wplfwedx:EW;ykkhrrnz:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\heidizS9SzeRnCJb5\_z8_twA5gL3uyAKSYBl4.exe	Unpacked PE file: 44.2._z8_twA5gL3uyAKSYBl4.exe.ca0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;wplfwedx:EW;ykkhrrnz:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;wplfwedx:EW;ykkhrrnz:EW;.taggant:EW;

Source: initial sample

Static PE information: section where entry point is pointing to: .taggant

Source: ladas[1].exe.7.dr	Static PE information: real checksum: 0x2506c6 should be: 0x24cfda
Source: amert[1].exe.0.dr	Static PE information: real checksum: 0x1d5591 should be: 0x1ce2cc
Source: plaza[1].exe.7.dr	Static PE information: real checksum: 0x0 should be: 0x2f2766
Source: q38g6uHDrjZFvFdWaIY2.exe.8.dr	Static PE information: real checksum: 0x0 should be: 0x2f2766
Source: amert[2].exe.7.dr	Static PE information: real checksum: 0x1d5591 should be: 0x1ce2cc
Source: amert[1].exe.8.dr	Static PE information: real checksum: 0x1d5591 should be: 0x1ce2cc
Source: 2fck4tppkbHBVDQlLEGf.exe.7.dr	Static PE information: real checksum: 0x0 should be: 0x2f2766
Source: ladas[1].exe.8.dr	Static PE information: real checksum: 0x2506c6 should be: 0x24cfda
Source: MF0uP9gfhtzQk0nmPHvh.exe.0.dr	Static PE information: real checksum: 0x2506c6 should be: 0x24cfda
Source: plaza[1].exe.8.dr	Static PE information: real checksum: 0x0 should be: 0x2f2766
Source: plaza[1].exe.0.dr	Static PE information: real checksum: 0x0 should be: 0x2f2766
Source: EdgeMS131.exe.0.dr	Static PE information: real checksum: 0x1d5591 should be: 0x1ce2cc
Source: vyOycan6EgXUKkno1qul.exe.7.dr	Static PE information: real checksum: 0x1d5591 should be: 0x1ce2cc
Source: file.exe	Static PE information: real checksum: 0x245d55 should be: 0x240507
Source: ladas[1].exe.0.dr	Static PE information: real checksum: 0x2506c6 should be: 0x24cfda
Source: SCqW_P_cJpDWINh51hrr.exe.6.dr	Static PE information: real checksum: 0x0 should be: 0x2f2766
Source: Utp0jUqZeU8scbGMpad8.exe.7.dr	Static PE information: real checksum: 0x2506c6 should be: 0x24cfda
Source: tTuIhXRskVqio6hWX3MJ.exe.8.dr	Static PE information: real checksum: 0x1d5591 should be: 0x1ce2cc
Source: MSIUpdaterV131.exe.0.dr	Static PE information: real checksum: 0x1d5591 should be: 0x1ce2cc
Source: RageMP131.exe.0.dr	Static PE information: real checksum: 0x245d55 should be: 0x240507
Source: 3GOT3GAXnZqbKvGYOMGC.exe.8.dr	Static PE information: real checksum: 0x2506c6 should be: 0x24cfda
Source: AdobeUpdaterV131.exe.0.dr	Static PE information: real checksum: 0x1d5591 should be: 0x1ce2cc
Source: N6QvjPQDZQjnaZdnVBvT.exe.0.dr	Static PE information: real checksum: 0x0 should be: 0x2f2766
Source: Sc7F78Jv4MgkpAFnc7lD.exe.6.dr	Static PE information: real checksum: 0x2506c6 should be: 0x24cfda
Source: _z8_twA5gL3uyAKSYBl4.exe.0.dr	Static PE information: real checksum: 0x1d5591 should be: 0x1ce2cc
Source: MPGPH131.exe.0.dr	Static PE information: real checksum: 0x245d55 should be: 0x240507
Source: tL_fuTzDWfh0VWCLkvvf.exe.6.dr	Static PE information: real checksum: 0x1d5591 should be: 0x1ce2cc

Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name: .idata
Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name: nlyzwaah
Source: file.exe	Static PE information: section name: lkbejoib
Source: file.exe	Static PE information: section name: .taggant
Source: RageMP131.exe.0.dr	Static PE information: section name:
Source: RageMP131.exe.0.dr	Static PE information: section name: .idata
Source: RageMP131.exe.0.dr	Static PE information: section name:
Source: RageMP131.exe.0.dr	Static PE information: section name: nlyzwaah
Source: RageMP131.exe.0.dr	Static PE information: section name: lkbejoib
Source: RageMP131.exe.0.dr	Static PE information: section name: .taggant
Source: MPGPH131.exe.0.dr	Static PE information: section name:
Source: MPGPH131.exe.0.dr	Static PE information: section name: .idata
Source: MPGPH131.exe.0.dr	Static PE information: section name:
Source: MPGPH131.exe.0.dr	Static PE information: section name: nlyzwaah
Source: MPGPH131.exe.0.dr	Static PE information: section name: lkbejoib
Source: MPGPH131.exe.0.dr	Static PE information: section name: .taggant
Source: plaza[1].exe.0.dr	Static PE information: section name:
Source: plaza[1].exe.0.dr	Static PE information: section name:
Source: plaza[1].exe.0.dr	Static PE information: section name:
Source: plaza[1].exe.0.dr	Static PE information: section name:
Source: plaza[1].exe.0.dr	Static PE information: section name:
Source: plaza[1].exe.0.dr	Static PE information: section name:
Source: N6QvjPQDZQjnaZdnVBvT.exe.0.dr	Static PE information: section name:
Source: N6QvjPQDZQjnaZdnVBvT.exe.0.dr	Static PE information: section name:
Source: N6QvjPQDZQjnaZdnVBvT.exe.0.dr	Static PE information: section name:
Source: N6QvjPQDZQjnaZdnVBvT.exe.0.dr	Static PE information: section name:
Source: N6QvjPQDZQjnaZdnVBvT.exe.0.dr	Static PE information: section name:
Source: N6QvjPQDZQjnaZdnVBvT.exe.0.dr	Static PE information: section name:
Source: ladas[1].exe.0.dr	Static PE information: section name:
Source: ladas[1].exe.0.dr	Static PE information: section name: .idata
Source: ladas[1].exe.0.dr	Static PE information: section name:
Source: ladas[1].exe.0.dr	Static PE information: section name: jsijvwkm
Source: ladas[1].exe.0.dr	Static PE information: section name: qxzfqftw
Source: ladas[1].exe.0.dr	Static PE information: section name: .taggant
Source: MF0uP9gfhtzQk0nmPHvh.exe.0.dr	Static PE information: section name:
Source: MF0uP9gfhtzQk0nmPHvh.exe.0.dr	Static PE information: section name: .idata
Source: MF0uP9gfhtzQk0nmPHvh.exe.0.dr	Static PE information: section name:
Source: MF0uP9gfhtzQk0nmPHvh.exe.0.dr	Static PE information: section name: jsijvwkm
Source: MF0uP9gfhtzQk0nmPHvh.exe.0.dr	Static PE information: section name: qxzfqftw
Source: MF0uP9gfhtzQk0nmPHvh.exe.0.dr	Static PE information: section name: .taggant
Source: EdgeMS131.exe.0.dr	Static PE information: section name:
Source: EdgeMS131.exe.0.dr	Static PE information: section name: .idata
Source: EdgeMS131.exe.0.dr	Static PE information: section name:
Source: EdgeMS131.exe.0.dr	Static PE information: section name: wplfwedx
Source: EdgeMS131.exe.0.dr	Static PE information: section name: ykkhrrnz
Source: EdgeMS131.exe.0.dr	Static PE information: section name: .taggant
Source: niks[1].exe.0.dr	Static PE information: section name:
Source: niks[1].exe.0.dr	Static PE information: section name: .idata
Source: niks[1].exe.0.dr	Static PE information: section name:
Source: niks[1].exe.0.dr	Static PE information: section name: rgatmioc
Source: niks[1].exe.0.dr	Static PE information: section name: ibjqbcyw
Source: Oqz1gKr60kpGbxg1Y8oi.exe.0.dr	Static PE information: section name:
Source: Oqz1gKr60kpGbxg1Y8oi.exe.0.dr	Static PE information: section name: .idata
Source: Oqz1gKr60kpGbxg1Y8oi.exe.0.dr	Static PE information: section name:
Source: Oqz1gKr60kpGbxg1Y8oi.exe.0.dr	Static PE information: section name: rgatmioc
Source: Oqz1gKr60kpGbxg1Y8oi.exe.0.dr	Static PE information: section name: ibjqbcyw
Source: amert[1].exe.0.dr	Static PE information: section name:
Source: amert[1].exe.0.dr	Static PE information: section name: .idata
Source: amert[1].exe.0.dr	Static PE information: section name:
Source: amert[1].exe.0.dr	Static PE information: section name: wplfwedx
Source: amert[1].exe.0.dr	Static PE information: section name: ykkhrrnz
Source: amert[1].exe.0.dr	Static PE information: section name: .taggant
Source: _z8_twA5gL3uyAKSYBl4.exe.0.dr	Static PE information: section name:
Source: _z8_twA5gL3uyAKSYBl4.exe.0.dr	Static PE information: section name: .idata
Source: _z8_twA5gL3uyAKSYBl4.exe.0.dr	Static PE information: section name:
Source: _z8_twA5gL3uyAKSYBl4.exe.0.dr	Static PE information: section name: wplfwedx
Source: _z8_twA5gL3uyAKSYBl4.exe.0.dr	Static PE information: section name: ykkhrrnz
Source: _z8_twA5gL3uyAKSYBl4.exe.0.dr	Static PE information: section name: .taggant
Source: AdobeUpdaterV131.exe.0.dr	Static PE information: section name:
Source: AdobeUpdaterV131.exe.0.dr	Static PE information: section name: .idata
Source: AdobeUpdaterV131.exe.0.dr	Static PE information: section name:
Source: AdobeUpdaterV131.exe.0.dr	Static PE information: section name: wplfwedx
Source: AdobeUpdaterV131.exe.0.dr	Static PE information: section name: ykkhrrnz
Source: AdobeUpdaterV131.exe.0.dr	Static PE information: section name: .taggant
Source: MSIUpdaterV131.exe.0.dr	Static PE information: section name:
Source: MSIUpdaterV131.exe.0.dr	Static PE information: section name: .idata
Source: MSIUpdaterV131.exe.0.dr	Static PE information: section name:
Source: MSIUpdaterV131.exe.0.dr	Static PE information: section name: wplfwedx
Source: MSIUpdaterV131.exe.0.dr	Static PE information: section name: ykkhrrnz
Source: MSIUpdaterV131.exe.0.dr	Static PE information: section name: .taggant
Source: SCqW_P_cJpDWINh51hrr.exe.6.dr	Static PE information: section name:
Source: SCqW_P_cJpDWINh51hrr.exe.6.dr	Static PE information: section name:
Source: SCqW_P_cJpDWINh51hrr.exe.6.dr	Static PE information: section name:
Source: SCqW_P_cJpDWINh51hrr.exe.6.dr	Static PE information: section name:
Source: SCqW_P_cJpDWINh51hrr.exe.6.dr	Static PE information: section name:
Source: SCqW_P_cJpDWINh51hrr.exe.6.dr	Static PE information: section name:
Source: Sc7F78Jv4MgkpAFnc7lD.exe.6.dr	Static PE information: section name:
Source: Sc7F78Jv4MgkpAFnc7lD.exe.6.dr	Static PE information: section name: .idata
Source: Sc7F78Jv4MgkpAFnc7lD.exe.6.dr	Static PE information: section name:
Source: Sc7F78Jv4MgkpAFnc7lD.exe.6.dr	Static PE information: section name: jsijvwkm
Source: Sc7F78Jv4MgkpAFnc7lD.exe.6.dr	Static PE information: section name: qxzfqftw
Source: Sc7F78Jv4MgkpAFnc7lD.exe.6.dr	Static PE information: section name: .taggant
Source: tL_fuTzDWfh0VWCLkvvf.exe.6.dr	Static PE information: section name:
Source: tL_fuTzDWfh0VWCLkvvf.exe.6.dr	Static PE information: section name: .idata
Source: tL_fuTzDWfh0VWCLkvvf.exe.6.dr	Static PE information: section name:
Source: tL_fuTzDWfh0VWCLkvvf.exe.6.dr	Static PE information: section name: wplfwedx
Source: tL_fuTzDWfh0VWCLkvvf.exe.6.dr	Static PE information: section name: ykkhrrnz
Source: tL_fuTzDWfh0VWCLkvvf.exe.6.dr	Static PE information: section name: .taggant
Source: lraj6KX6dVjpCpYcPfhj.exe.6.dr	Static PE information: section name:
Source: lraj6KX6dVjpCpYcPfhj.exe.6.dr	Static PE information: section name: .idata
Source: lraj6KX6dVjpCpYcPfhj.exe.6.dr	Static PE information: section name:
Source: lraj6KX6dVjpCpYcPfhj.exe.6.dr	Static PE information: section name: rgatmioc
Source: lraj6KX6dVjpCpYcPfhj.exe.6.dr	Static PE information: section name: ibjqbcyw
Source: plaza[1].exe.7.dr	Static PE information: section name:
Source: plaza[1].exe.7.dr	Static PE information: section name:
Source: plaza[1].exe.7.dr	Static PE information: section name:
Source: plaza[1].exe.7.dr	Static PE information: section name:
Source: plaza[1].exe.7.dr	Static PE information: section name:
Source: plaza[1].exe.7.dr	Static PE information: section name:
Source: 2fck4tppkbHBVDQlLEGf.exe.7.dr	Static PE information: section name:
Source: 2fck4tppkbHBVDQlLEGf.exe.7.dr	Static PE information: section name:
Source: 2fck4tppkbHBVDQlLEGf.exe.7.dr	Static PE information: section name:
Source: 2fck4tppkbHBVDQlLEGf.exe.7.dr	Static PE information: section name:
Source: 2fck4tppkbHBVDQlLEGf.exe.7.dr	Static PE information: section name:
Source: 2fck4tppkbHBVDQlLEGf.exe.7.dr	Static PE information: section name:
Source: ladas[1].exe.7.dr	Static PE information: section name:
Source: ladas[1].exe.7.dr	Static PE information: section name: .idata
Source: ladas[1].exe.7.dr	Static PE information: section name:
Source: ladas[1].exe.7.dr	Static PE information: section name: jsijvwkm
Source: ladas[1].exe.7.dr	Static PE information: section name: qxzfqftw
Source: ladas[1].exe.7.dr	Static PE information: section name: .taggant
Source: Utp0jUqZeU8scbGMpad8.exe.7.dr	Static PE information: section name:
Source: Utp0jUqZeU8scbGMpad8.exe.7.dr	Static PE information: section name: .idata
Source: Utp0jUqZeU8scbGMpad8.exe.7.dr	Static PE information: section name:
Source: Utp0jUqZeU8scbGMpad8.exe.7.dr	Static PE information: section name: jsijvwkm
Source: Utp0jUqZeU8scbGMpad8.exe.7.dr	Static PE information: section name: qxzfqftw
Source: Utp0jUqZeU8scbGMpad8.exe.7.dr	Static PE information: section name: .taggant
Source: amert[2].exe.7.dr	Static PE information: section name:
Source: amert[2].exe.7.dr	Static PE information: section name: .idata
Source: amert[2].exe.7.dr	Static PE information: section name:
Source: amert[2].exe.7.dr	Static PE information: section name: wplfwedx
Source: amert[2].exe.7.dr	Static PE information: section name: ykkhrrnz
Source: amert[2].exe.7.dr	Static PE information: section name: .taggant
Source: vyOycan6EgXUKkno1qul.exe.7.dr	Static PE information: section name:
Source: vyOycan6EgXUKkno1qul.exe.7.dr	Static PE information: section name: .idata
Source: vyOycan6EgXUKkno1qul.exe.7.dr	Static PE information: section name:
Source: vyOycan6EgXUKkno1qul.exe.7.dr	Static PE information: section name: wplfwedx
Source: vyOycan6EgXUKkno1qul.exe.7.dr	Static PE information: section name: ykkhrrnz
Source: vyOycan6EgXUKkno1qul.exe.7.dr	Static PE information: section name: .taggant
Source: niks[1].exe.7.dr	Static PE information: section name:
Source: niks[1].exe.7.dr	Static PE information: section name: .idata
Source: niks[1].exe.7.dr	Static PE information: section name:
Source: niks[1].exe.7.dr	Static PE information: section name: rgatmioc
Source: niks[1].exe.7.dr	Static PE information: section name: ibjqbcyw
Source: ApPQmeGzxQP3KtH6lKvJ.exe.7.dr	Static PE information: section name:
Source: ApPQmeGzxQP3KtH6lKvJ.exe.7.dr	Static PE information: section name: .idata
Source: ApPQmeGzxQP3KtH6lKvJ.exe.7.dr	Static PE information: section name:
Source: ApPQmeGzxQP3KtH6lKvJ.exe.7.dr	Static PE information: section name: rgatmioc
Source: ApPQmeGzxQP3KtH6lKvJ.exe.7.dr	Static PE information: section name: ibjqbcyw
Source: niks[1].exe.8.dr	Static PE information: section name:
Source: niks[1].exe.8.dr	Static PE information: section name: .idata
Source: niks[1].exe.8.dr	Static PE information: section name:
Source: niks[1].exe.8.dr	Static PE information: section name: rgatmioc
Source: niks[1].exe.8.dr	Static PE information: section name: ibjqbcyw
Source: pZpo0gU01Jxx21DdQmVG.exe.8.dr	Static PE information: section name:
Source: pZpo0gU01Jxx21DdQmVG.exe.8.dr	Static PE information: section name: .idata
Source: pZpo0gU01Jxx21DdQmVG.exe.8.dr	Static PE information: section name:
Source: pZpo0gU01Jxx21DdQmVG.exe.8.dr	Static PE information: section name: rgatmioc
Source: pZpo0gU01Jxx21DdQmVG.exe.8.dr	Static PE information: section name: ibjqbcyw
Source: plaza[1].exe.8.dr	Static PE information: section name:
Source: plaza[1].exe.8.dr	Static PE information: section name:
Source: plaza[1].exe.8.dr	Static PE information: section name:
Source: plaza[1].exe.8.dr	Static PE information: section name:
Source: plaza[1].exe.8.dr	Static PE information: section name:
Source: plaza[1].exe.8.dr	Static PE information: section name:
Source: q38g6uHDrjZFvFdWaIY2.exe.8.dr	Static PE information: section name:
Source: q38g6uHDrjZFvFdWaIY2.exe.8.dr	Static PE information: section name:
Source: q38g6uHDrjZFvFdWaIY2.exe.8.dr	Static PE information: section name:
Source: q38g6uHDrjZFvFdWaIY2.exe.8.dr	Static PE information: section name:
Source: q38g6uHDrjZFvFdWaIY2.exe.8.dr	Static PE information: section name:
Source: q38g6uHDrjZFvFdWaIY2.exe.8.dr	Static PE information: section name:
Source: ladas[1].exe.8.dr	Static PE information: section name:
Source: ladas[1].exe.8.dr	Static PE information: section name: .idata
Source: ladas[1].exe.8.dr	Static PE information: section name:
Source: ladas[1].exe.8.dr	Static PE information: section name: jsijvwkm
Source: ladas[1].exe.8.dr	Static PE information: section name: qxzfqftw
Source: ladas[1].exe.8.dr	Static PE information: section name: .taggant
Source: 3GOT3GAXnZqbKvGYOMGC.exe.8.dr	Static PE information: section name:
Source: 3GOT3GAXnZqbKvGYOMGC.exe.8.dr	Static PE information: section name: .idata
Source: 3GOT3GAXnZqbKvGYOMGC.exe.8.dr	Static PE information: section name:
Source: 3GOT3GAXnZqbKvGYOMGC.exe.8.dr	Static PE information: section name: jsijvwkm
Source: 3GOT3GAXnZqbKvGYOMGC.exe.8.dr	Static PE information: section name: qxzfqftw
Source: 3GOT3GAXnZqbKvGYOMGC.exe.8.dr	Static PE information: section name: .taggant
Source: amert[1].exe.8.dr	Static PE information: section name:
Source: amert[1].exe.8.dr	Static PE information: section name: .idata
Source: amert[1].exe.8.dr	Static PE information: section name:
Source: amert[1].exe.8.dr	Static PE information: section name: wplfwedx
Source: amert[1].exe.8.dr	Static PE information: section name: ykkhrrnz
Source: amert[1].exe.8.dr	Static PE information: section name: .taggant
Source: tTuIhXRskVqio6hWX3MJ.exe.8.dr	Static PE information: section name:
Source: tTuIhXRskVqio6hWX3MJ.exe.8.dr	Static PE information: section name: .idata
Source: tTuIhXRskVqio6hWX3MJ.exe.8.dr	Static PE information: section name:
Source: tTuIhXRskVqio6hWX3MJ.exe.8.dr	Static PE information: section name: wplfwedx
Source: tTuIhXRskVqio6hWX3MJ.exe.8.dr	Static PE information: section name: ykkhrrnz
Source: tTuIhXRskVqio6hWX3MJ.exe.8.dr	Static PE information: section name: .taggant
Source: gmpopenh264.dll.tmp.41.dr	Static PE information: section name: .rodata

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0106D638 push ecx; ret	0_2_0106D64B
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 8_2_00CB1660 push ss; retf	8_2_00CB1676
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 8_2_00C5D638 push ecx; ret	8_2_00C5D64B

Source: file.exe	Static PE information: section name: entropy: 7.989426793160249
Source: file.exe	Static PE information: section name: nlyzwaah entropy: 7.9524435905525435
Source: RageMP131.exe.0.dr	Static PE information: section name: entropy: 7.989426793160249
Source: RageMP131.exe.0.dr	Static PE information: section name: nlyzwaah entropy: 7.9524435905525435
Source: MPGPH131.exe.0.dr	Static PE information: section name: entropy: 7.989426793160249
Source: MPGPH131.exe.0.dr	Static PE information: section name: nlyzwaah entropy: 7.9524435905525435
Source: plaza[1].exe.0.dr	Static PE information: section name: entropy: 7.999450655305451
Source: plaza[1].exe.0.dr	Static PE information: section name: entropy: 7.994986669725754
Source: plaza[1].exe.0.dr	Static PE information: section name: entropy: 7.318594193980733
Source: plaza[1].exe.0.dr	Static PE information: section name: entropy: 7.9862070793068245
Source: N6QvjPQDZQjnaZdnVBvT.exe.0.dr	Static PE information: section name: entropy: 7.999450655305451
Source: N6QvjPQDZQjnaZdnVBvT.exe.0.dr	Static PE information: section name: entropy: 7.994986669725754
Source: N6QvjPQDZQjnaZdnVBvT.exe.0.dr	Static PE information: section name: entropy: 7.318594193980733
Source: N6QvjPQDZQjnaZdnVBvT.exe.0.dr	Static PE information: section name: entropy: 7.9862070793068245
Source: ladas[1].exe.0.dr	Static PE information: section name: entropy: 7.98375592827691
Source: ladas[1].exe.0.dr	Static PE information: section name: jsijvwkm entropy: 7.951241358317988
Source: MF0uP9gfhtzQk0nmPHvh.exe.0.dr	Static PE information: section name: entropy: 7.98375592827691
Source: MF0uP9gfhtzQk0nmPHvh.exe.0.dr	Static PE information: section name: jsijvwkm entropy: 7.951241358317988
Source: EdgeMS131.exe.0.dr	Static PE information: section name: entropy: 7.982650862492596
Source: EdgeMS131.exe.0.dr	Static PE information: section name: wplfwedx entropy: 7.953445492648589
Source: niks[1].exe.0.dr	Static PE information: section name: entropy: 7.743784611272952
Source: niks[1].exe.0.dr	Static PE information: section name: rgatmioc entropy: 7.953140352640298
Source: Oqz1gKr60kpGbxg1Y8oi.exe.0.dr	Static PE information: section name: entropy: 7.743784611272952
Source: Oqz1gKr60kpGbxg1Y8oi.exe.0.dr	Static PE information: section name: rgatmioc entropy: 7.953140352640298
Source: amert[1].exe.0.dr	Static PE information: section name: entropy: 7.982650862492596
Source: amert[1].exe.0.dr	Static PE information: section name: wplfwedx entropy: 7.953445492648589
Source: _z8_twA5gL3uyAKSYBl4.exe.0.dr	Static PE information: section name: entropy: 7.982650862492596
Source: _z8_twA5gL3uyAKSYBl4.exe.0.dr	Static PE information: section name: wplfwedx entropy: 7.953445492648589
Source: AdobeUpdaterV131.exe.0.dr	Static PE information: section name: entropy: 7.982650862492596
Source: AdobeUpdaterV131.exe.0.dr	Static PE information: section name: wplfwedx entropy: 7.953445492648589
Source: MSIUpdaterV131.exe.0.dr	Static PE information: section name: entropy: 7.982650862492596
Source: MSIUpdaterV131.exe.0.dr	Static PE information: section name: wplfwedx entropy: 7.953445492648589
Source: SCqW_P_cJpDWINh51hrr.exe.6.dr	Static PE information: section name: entropy: 7.999450655305451
Source: SCqW_P_cJpDWINh51hrr.exe.6.dr	Static PE information: section name: entropy: 7.994986669725754
Source: SCqW_P_cJpDWINh51hrr.exe.6.dr	Static PE information: section name: entropy: 7.318594193980733
Source: SCqW_P_cJpDWINh51hrr.exe.6.dr	Static PE information: section name: entropy: 7.9862070793068245
Source: Sc7F78Jv4MgkpAFnc7lD.exe.6.dr	Static PE information: section name: entropy: 7.98375592827691
Source: Sc7F78Jv4MgkpAFnc7lD.exe.6.dr	Static PE information: section name: jsijvwkm entropy: 7.951241358317988
Source: tL_fuTzDWfh0VWCLkvvf.exe.6.dr	Static PE information: section name: entropy: 7.982650862492596
Source: tL_fuTzDWfh0VWCLkvvf.exe.6.dr	Static PE information: section name: wplfwedx entropy: 7.953445492648589
Source: lraj6KX6dVjpCpYcPfhj.exe.6.dr	Static PE information: section name: entropy: 7.743784611272952
Source: lraj6KX6dVjpCpYcPfhj.exe.6.dr	Static PE information: section name: rgatmioc entropy: 7.953140352640298
Source: plaza[1].exe.7.dr	Static PE information: section name: entropy: 7.999450655305451
Source: plaza[1].exe.7.dr	Static PE information: section name: entropy: 7.994986669725754
Source: plaza[1].exe.7.dr	Static PE information: section name: entropy: 7.318594193980733
Source: plaza[1].exe.7.dr	Static PE information: section name: entropy: 7.9862070793068245
Source: 2fck4tppkbHBVDQlLEGf.exe.7.dr	Static PE information: section name: entropy: 7.999450655305451
Source: 2fck4tppkbHBVDQlLEGf.exe.7.dr	Static PE information: section name: entropy: 7.994986669725754
Source: 2fck4tppkbHBVDQlLEGf.exe.7.dr	Static PE information: section name: entropy: 7.318594193980733
Source: 2fck4tppkbHBVDQlLEGf.exe.7.dr	Static PE information: section name: entropy: 7.9862070793068245
Source: ladas[1].exe.7.dr	Static PE information: section name: entropy: 7.98375592827691
Source: ladas[1].exe.7.dr	Static PE information: section name: jsijvwkm entropy: 7.951241358317988
Source: Utp0jUqZeU8scbGMpad8.exe.7.dr	Static PE information: section name: entropy: 7.98375592827691
Source: Utp0jUqZeU8scbGMpad8.exe.7.dr	Static PE information: section name: jsijvwkm entropy: 7.951241358317988
Source: amert[2].exe.7.dr	Static PE information: section name: entropy: 7.982650862492596
Source: amert[2].exe.7.dr	Static PE information: section name: wplfwedx entropy: 7.953445492648589
Source: vyOycan6EgXUKkno1qul.exe.7.dr	Static PE information: section name: entropy: 7.982650862492596
Source: vyOycan6EgXUKkno1qul.exe.7.dr	Static PE information: section name: wplfwedx entropy: 7.953445492648589
Source: niks[1].exe.7.dr	Static PE information: section name: entropy: 7.743784611272952
Source: niks[1].exe.7.dr	Static PE information: section name: rgatmioc entropy: 7.953140352640298
Source: ApPQmeGzxQP3KtH6lKvJ.exe.7.dr	Static PE information: section name: entropy: 7.743784611272952
Source: ApPQmeGzxQP3KtH6lKvJ.exe.7.dr	Static PE information: section name: rgatmioc entropy: 7.953140352640298
Source: niks[1].exe.8.dr	Static PE information: section name: entropy: 7.743784611272952
Source: niks[1].exe.8.dr	Static PE information: section name: rgatmioc entropy: 7.953140352640298
Source: pZpo0gU01Jxx21DdQmVG.exe.8.dr	Static PE information: section name: entropy: 7.743784611272952
Source: pZpo0gU01Jxx21DdQmVG.exe.8.dr	Static PE information: section name: rgatmioc entropy: 7.953140352640298
Source: plaza[1].exe.8.dr	Static PE information: section name: entropy: 7.999450655305451
Source: plaza[1].exe.8.dr	Static PE information: section name: entropy: 7.994986669725754
Source: plaza[1].exe.8.dr	Static PE information: section name: entropy: 7.318594193980733
Source: plaza[1].exe.8.dr	Static PE information: section name: entropy: 7.9862070793068245
Source: q38g6uHDrjZFvFdWaIY2.exe.8.dr	Static PE information: section name: entropy: 7.999450655305451
Source: q38g6uHDrjZFvFdWaIY2.exe.8.dr	Static PE information: section name: entropy: 7.994986669725754
Source: q38g6uHDrjZFvFdWaIY2.exe.8.dr	Static PE information: section name: entropy: 7.318594193980733
Source: q38g6uHDrjZFvFdWaIY2.exe.8.dr	Static PE information: section name: entropy: 7.9862070793068245
Source: ladas[1].exe.8.dr	Static PE information: section name: entropy: 7.98375592827691
Source: ladas[1].exe.8.dr	Static PE information: section name: jsijvwkm entropy: 7.951241358317988
Source: 3GOT3GAXnZqbKvGYOMGC.exe.8.dr	Static PE information: section name: entropy: 7.98375592827691
Source: 3GOT3GAXnZqbKvGYOMGC.exe.8.dr	Static PE information: section name: jsijvwkm entropy: 7.951241358317988
Source: amert[1].exe.8.dr	Static PE information: section name: entropy: 7.982650862492596
Source: amert[1].exe.8.dr	Static PE information: section name: wplfwedx entropy: 7.953445492648589
Source: tTuIhXRskVqio6hWX3MJ.exe.8.dr	Static PE information: section name: entropy: 7.982650862492596
Source: tTuIhXRskVqio6hWX3MJ.exe.8.dr	Static PE information: section name: wplfwedx entropy: 7.953445492648589

Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\niks[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\amert[1].exe	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\plaza[1].exe	Jump to dropped file
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	File created: C:\Users\user\AppData\Local\Temp\heidiP9l4P_8nrPQO\SCqW_P_cJpDWINh51hrr.exe	Jump to dropped file
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	File created: C:\Users\user\AppData\Local\Temp\heidik9H6Jk7uF4lv\ow5lYGAMAmmdqAMRBUVa.exe	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\ProgramData\MPGPH131\MPGPH131.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\plaza[1].exe	Jump to dropped file
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	File created: C:\Users\user\AppData\Local\Temp\heidik9H6Jk7uF4lv\2fck4tppkbHBVDQlLEGf.exe	Jump to dropped file
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	File created: C:\Users\user\AppData\Local\Temp\heidik9H6Jk7uF4lv\vyOycan6EgXUKkno1qul.exe	Jump to dropped file
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	File created: C:\Users\user\AppData\Local\Temp\heidik9H6Jk7uF4lv\Utp0jUqZeU8scbGMpad8.exe	Jump to dropped file
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\niks[1].exe	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\Temp\heidizS9SzeRnCJb5\d34xW9C7tg9XChbetTr2.exe	Jump to dropped file
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\amert[2].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\niks[1].exe	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\well[1].exe	Jump to dropped file
Source: C:\Program Files\Mozilla Firefox\firefox.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\ladas[1].exe	Jump to dropped file
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\fu[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\ladas[1].exe	Jump to dropped file
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	File created: C:\Users\user\AppData\Local\Temp\heidiP9l4P_8nrPQO\3JwuiAeAcxbhUfG4qx6Q.exe	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\Temp\heidizS9SzeRnCJb5\MF0uP9gfhtzQk0nmPHvh.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File created: C:\Users\user\AppData\Local\Temp\heidi24o_MSNyMBSg\3GOT3GAXnZqbKvGYOMGC.exe	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\Temp\EdgeMS131\EdgeMS131.exe	Jump to dropped file
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	File created: C:\Users\user\AppData\Local\Temp\heidik9H6Jk7uF4lv\TrXOE37ZBs5VYYL1rLei.exe	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\fu[1].exe	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\Temp\heidizS9SzeRnCJb5\1zSWTheo8gASwgtmbVnB.exe	Jump to dropped file
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\plaza[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\well[1].exe	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\Temp\heidizS9SzeRnCJb5\N6QvjPQDZQjnaZdnVBvT.exe	Jump to dropped file
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	File created: C:\Users\user\AppData\Local\Temp\heidik9H6Jk7uF4lv\ApPQmeGzxQP3KtH6lKvJ.exe	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\Temp\heidizS9SzeRnCJb5\_z8_twA5gL3uyAKSYBl4.exe	Jump to dropped file
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	File created: C:\Users\user\AppData\Local\Temp\heidiP9l4P_8nrPQO\Sc7F78Jv4MgkpAFnc7lD.exe	Jump to dropped file
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	File created: C:\Users\user\AppData\Local\Temp\heidiP9l4P_8nrPQO\tL_fuTzDWfh0VWCLkvvf.exe	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\Temp\heidizS9SzeRnCJb5\Oqz1gKr60kpGbxg1Y8oi.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File created: C:\Users\user\AppData\Local\Temp\heidi24o_MSNyMBSg\4cPGK95IIhu8co_GIahg.exe	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\AdobeUpdaterV131\AdobeUpdaterV131.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File created: C:\Users\user\AppData\Local\Temp\heidi24o_MSNyMBSg\5Jv2cAGgCcc_tsdjHujY.exe	Jump to dropped file
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	File created: C:\Users\user\AppData\Local\Temp\heidiP9l4P_8nrPQO\FAB9iVvhMHF5ed7ylOId.exe	Jump to dropped file
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\ladas[1].exe	Jump to dropped file
Source: C:\Program Files\Mozilla Firefox\firefox.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File created: C:\Users\user\AppData\Local\Temp\heidi24o_MSNyMBSg\pZpo0gU01Jxx21DdQmVG.exe	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\amert[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File created: C:\Users\user\AppData\Local\Temp\heidi24o_MSNyMBSg\q38g6uHDrjZFvFdWaIY2.exe	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe	Jump to dropped file
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	File created: C:\Users\user\AppData\Local\Temp\heidiP9l4P_8nrPQO\lraj6KX6dVjpCpYcPfhj.exe	Jump to dropped file
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\well[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File created: C:\Users\user\AppData\Local\Temp\heidi24o_MSNyMBSg\tTuIhXRskVqio6hWX3MJ.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\fu[2].exe	Jump to dropped file

Source: C:\Users\user\Desktop\file.exe	File created: C:\ProgramData\MPGPH131\MPGPH131.exe			Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe			Jump to dropped file

Boot Survival

Creates multiple autostart registry keys

Source: C:\Users\user\Desktop\file.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run RageMP131			Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run AdobeUpdaterV131			Jump to behavior

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Source: C:\Users\user\Desktop\file.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: Regmonclass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: Filemonclass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: Regmonclass	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window searched: window name: Regmonclass	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window searched: window name: Filemonclass	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window searched: window name: FilemonClass
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window searched: window name: RegmonClass
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window searched: window name: FilemonClass
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window searched: window name: Regmonclass
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window searched: window name: Filemonclass
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Window searched: window name: Regmonclass
Source: C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe	Window searched: window name: FilemonClass
Source: C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe	Window searched: window name: RegmonClass
Source: C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe	Window searched: window name: FilemonClass
Source: C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe	Window searched: window name: Regmonclass
Source: C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe	Window searched: window name: Filemonclass
Source: C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe	Window searched: window name: FilemonClass
Source: C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe	Window searched: window name: RegmonClass
Source: C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe	Window searched: window name: FilemonClass
Source: C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe	Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\heidizS9SzeRnCJb5\_z8_twA5gL3uyAKSYBl4.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\heidizS9SzeRnCJb5\_z8_twA5gL3uyAKSYBl4.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\heidizS9SzeRnCJb5\_z8_twA5gL3uyAKSYBl4.exe	Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\heidizS9SzeRnCJb5\_z8_twA5gL3uyAKSYBl4.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\heidizS9SzeRnCJb5\_z8_twA5gL3uyAKSYBl4.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\heidizS9SzeRnCJb5\_z8_twA5gL3uyAKSYBl4.exe	Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\heidizS9SzeRnCJb5\_z8_twA5gL3uyAKSYBl4.exe	Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\heidizS9SzeRnCJb5\_z8_twA5gL3uyAKSYBl4.exe	Window searched: window name: PROCMON_WINDOW_CLASS

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\file.exe

Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST

Source: C:\Users\user\Desktop\file.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EdgeMS131.lnk

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\heidizS9SzeRnCJb5\_z8_twA5gL3uyAKSYBl4.exe

File created: C:\Windows\Tasks\explorgu.job

Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EdgeMS131.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk

Source: C:\Users\user\Desktop\file.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run RageMP131	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run RageMP131	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run AdobeUpdaterV131	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run AdobeUpdaterV131	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot

Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\SIHClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\SIHClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\SIHClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\SIHClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\SIHClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\heidizS9SzeRnCJb5\1zSWTheo8gASwgtmbVnB.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\heidizS9SzeRnCJb5\1zSWTheo8gASwgtmbVnB.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\heidizS9SzeRnCJb5\1zSWTheo8gASwgtmbVnB.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\heidizS9SzeRnCJb5\_z8_twA5gL3uyAKSYBl4.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Source: C:\Users\user\Desktop\file.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe	File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe	File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\heidizS9SzeRnCJb5\_z8_twA5gL3uyAKSYBl4.exe	File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\heidizS9SzeRnCJb5\_z8_twA5gL3uyAKSYBl4.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 0000000001237F2B second address: 0000000001237F3C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF9E07FDB7Bh 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 0000000001237F3C second address: 0000000001237F46 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007FF9E21CCEC6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 0000000001237F46 second address: 0000000001237F4A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 0000000001242F2A second address: 0000000001242F45 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF9E21CCED7h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 00000000012431B7 second address: 00000000012431BB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 00000000012431BB second address: 00000000012431DC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FF9E21CCED9h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 000000000124346C second address: 00000000012434AF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 jmp 00007FF9E07FDB83h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop edx 0x0000000c push ebx 0x0000000d jp 00007FF9E07FDB86h 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007FF9E07FDB7Eh 0x0000001a pushad 0x0000001b popad 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 0000000001243606 second address: 0000000001243624 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF9E21CCED1h 0x00000009 popad 0x0000000a ja 00007FF9E21CCECCh 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 0000000001243767 second address: 000000000124376C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 000000000124376C second address: 000000000124378B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007FF9E21CCEC6h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d pushad 0x0000000e jc 00007FF9E21CCECEh 0x00000014 push esi 0x00000015 pop esi 0x00000016 jnl 00007FF9E21CCEC6h 0x0000001c pushad 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 000000000124378B second address: 00000000012437AE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF9E07FDB7Ch 0x00000009 jmp 00007FF9E07FDB7Ah 0x0000000e popad 0x0000000f ja 00007FF9E07FDB7Ch 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 0000000001246C7B second address: 0000000001246CA8 instructions: 0x00000000 rdtsc 0x00000002 jg 00007FF9E21CCEC8h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b jmp 00007FF9E21CCED7h 0x00000010 mov eax, dword ptr [esp+04h] 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 0000000001246CA8 second address: 0000000001246CAD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 0000000001246CAD second address: 0000000001246CB3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 0000000001246CB3 second address: 0000000001246CB7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 0000000001246CB7 second address: 0000000001246CD6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [eax] 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FF9E21CCED3h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 0000000001246CD6 second address: 0000000001246CDB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 0000000001246DA7 second address: 0000000001246DD7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF9E21CCECCh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push ecx 0x0000000b pop ecx 0x0000000c jmp 00007FF9E21CCED5h 0x00000011 popad 0x00000012 popad 0x00000013 push eax 0x00000014 pushad 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 0000000001246DD7 second address: 0000000001246DDB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 0000000001246DDB second address: 0000000001246DE5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 0000000001246DE5 second address: 0000000001246DE9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 0000000001246DE9 second address: 0000000001246E17 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov eax, dword ptr [esp+04h] 0x0000000b jno 00007FF9E21CCED3h 0x00000011 mov eax, dword ptr [eax] 0x00000013 push eax 0x00000014 push edx 0x00000015 je 00007FF9E21CCECCh 0x0000001b jno 00007FF9E21CCEC6h 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 0000000001246E17 second address: 0000000001246E41 instructions: 0x00000000 rdtsc 0x00000002 js 00007FF9E07FDB78h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov dword ptr [esp+04h], eax 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007FF9E07FDB88h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 0000000001246FAB second address: 0000000001246FAF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 0000000001246FAF second address: 0000000001246FB5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 0000000001246FB5 second address: 0000000001246FBC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 0000000001246FBC second address: 0000000001246FD1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov eax, dword ptr [esp+04h] 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f jnp 00007FF9E07FDB76h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 0000000001246FD1 second address: 0000000001246FD7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 0000000001246FD7 second address: 0000000001246FDD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 0000000001246FDD second address: 0000000001246FED instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [eax] 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d pushad 0x0000000e popad 0x0000000f pop eax 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 0000000001246FED second address: 0000000001246FF4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 00000000012470AB second address: 00000000012470AF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 00000000012470AF second address: 0000000001247107 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 add dword ptr [esp], 688D97BAh 0x0000000e sub dword ptr [ebp+122D1AC7h], ebx 0x00000014 mov edi, dword ptr [ebp+122D395Fh] 0x0000001a lea ebx, dword ptr [ebp+1244AB30h] 0x00000020 push 00000000h 0x00000022 push edx 0x00000023 call 00007FF9E07FDB78h 0x00000028 pop edx 0x00000029 mov dword ptr [esp+04h], edx 0x0000002d add dword ptr [esp+04h], 00000018h 0x00000035 inc edx 0x00000036 push edx 0x00000037 ret 0x00000038 pop edx 0x00000039 ret 0x0000003a push eax 0x0000003b push eax 0x0000003c push edx 0x0000003d jmp 00007FF9E07FDB85h 0x00000042 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 0000000001247165 second address: 00000000012471BA instructions: 0x00000000 rdtsc 0x00000002 ja 00007FF9E21CCED5h 0x00000008 jmp 00007FF9E21CCECFh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f mov dword ptr [esp], eax 0x00000012 mov dword ptr [ebp+122D1AC7h], ebx 0x00000018 push 00000000h 0x0000001a push 00000000h 0x0000001c push ebx 0x0000001d call 00007FF9E21CCEC8h 0x00000022 pop ebx 0x00000023 mov dword ptr [esp+04h], ebx 0x00000027 add dword ptr [esp+04h], 0000001Ah 0x0000002f inc ebx 0x00000030 push ebx 0x00000031 ret 0x00000032 pop ebx 0x00000033 ret 0x00000034 mov esi, 0E444C28h 0x00000039 push 9E33A2B6h 0x0000003e pushad 0x0000003f push eax 0x00000040 push edx 0x00000041 push edx 0x00000042 pop edx 0x00000043 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 00000000012471BA second address: 00000000012471BE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 0000000001258446 second address: 000000000125844F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push edx 0x00000008 pop edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 000000000125844F second address: 0000000001258453 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 00000000012670D1 second address: 00000000012670D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edi 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 00000000012670D8 second address: 00000000012670DD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 000000000126544B second address: 000000000126549D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF9E21CCECEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push eax 0x0000000b pop eax 0x0000000c push edi 0x0000000d pop edi 0x0000000e jmp 00007FF9E21CCED8h 0x00000013 popad 0x00000014 jne 00007FF9E21CCEDEh 0x0000001a push eax 0x0000001b push edx 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 000000000126549D second address: 00000000012654A1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 00000000012655E1 second address: 00000000012655EE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 je 00007FF9E21CCEC6h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 00000000012655EE second address: 000000000126560E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF9E07FDB84h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jns 00007FF9E07FDB76h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 0000000001265B8D second address: 0000000001265B93 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 0000000001265B93 second address: 0000000001265B97 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 0000000001265B97 second address: 0000000001265BBD instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FF9E21CCEC6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d jmp 00007FF9E21CCED7h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 0000000001265BBD second address: 0000000001265BD6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edi 0x00000006 jnp 00007FF9E07FDB88h 0x0000000c jl 00007FF9E07FDB78h 0x00000012 push esi 0x00000013 pushad 0x00000014 popad 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 0000000001265FDD second address: 0000000001265FE1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 000000000125E016 second address: 000000000125E01C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 000000000126674B second address: 0000000001266769 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF9E21CCED0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b je 00007FF9E21CCEC6h 0x00000011 push edx 0x00000012 pop edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 00000000012668CF second address: 00000000012668D5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 00000000012668D5 second address: 00000000012668DB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 00000000012668DB second address: 00000000012668DF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 00000000012668DF second address: 00000000012668E3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 00000000012668E3 second address: 00000000012668F7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e jnc 00007FF9E07FDB76h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 00000000012668F7 second address: 0000000001266907 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 jg 00007FF9E21CCEC6h 0x0000000f pop ebx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 0000000001266BCA second address: 0000000001266BD0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 0000000001266BD0 second address: 0000000001266BEC instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 je 00007FF9E21CCEC6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jmp 00007FF9E21CCED0h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 0000000001266BEC second address: 0000000001266BF2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 0000000001266BF2 second address: 0000000001266BF8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 0000000001266F1B second address: 0000000001266F2B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 pop eax 0x00000005 pushad 0x00000006 popad 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jp 00007FF9E07FDB76h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 0000000001266F2B second address: 0000000001266F35 instructions: 0x00000000 rdtsc 0x00000002 jne 00007FF9E21CCEC6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 0000000001269CF3 second address: 0000000001269CF8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 000000000126A309 second address: 000000000126A30F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 000000000126A30F second address: 000000000126A313 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 000000000126A412 second address: 000000000126A418 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 000000000126A418 second address: 000000000126A44C instructions: 0x00000000 rdtsc 0x00000002 jng 00007FF9E07FDB76h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d jno 00007FF9E07FDB80h 0x00000013 mov eax, dword ptr [esp+04h] 0x00000017 push eax 0x00000018 push edx 0x00000019 push eax 0x0000001a push edx 0x0000001b jmp 00007FF9E07FDB7Fh 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 000000000126A44C second address: 000000000126A452 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 000000000126A452 second address: 000000000126A458 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 000000000126A458 second address: 000000000126A45C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 000000000126B8EF second address: 000000000126B8F4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 000000000126B8F4 second address: 000000000126B8F9 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 0000000001234961 second address: 000000000123496D instructions: 0x00000000 rdtsc 0x00000002 jns 00007FF9E07FDB76h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 000000000123496D second address: 000000000123497D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 jmp 00007FF9E21CCECAh 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 000000000123497D second address: 0000000001234981 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 0000000001273806 second address: 0000000001273818 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 jne 00007FF9E21CCEC6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 0000000001273818 second address: 000000000127381C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 000000000127381C second address: 0000000001273820 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 0000000001273820 second address: 0000000001273830 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 je 00007FF9E07FDB76h 0x0000000e push ebx 0x0000000f pop ebx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 0000000001273830 second address: 0000000001273834 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 0000000001272D70 second address: 0000000001272D80 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007FF9E07FDB76h 0x0000000a popad 0x0000000b pop ecx 0x0000000c push ebx 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 0000000001272EB5 second address: 0000000001272EC3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push esi 0x0000000b pop esi 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 0000000001273413 second address: 000000000127341A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 0000000001275859 second address: 000000000127586C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF9E21CCECAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 000000000127586C second address: 000000000127587B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007FF9E07FDB76h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 00000000012759FA second address: 0000000001275A00 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 0000000001275A00 second address: 0000000001275A04 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 0000000001275BA2 second address: 0000000001275BA6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 0000000001275BA6 second address: 0000000001275BAC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 0000000001275BAC second address: 0000000001275BB2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 0000000001275BB2 second address: 0000000001275BB6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 0000000001275BB6 second address: 0000000001275BBA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 000000000127602C second address: 0000000001276030 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 0000000001276030 second address: 0000000001276036 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 0000000001276441 second address: 0000000001276445 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 0000000001276445 second address: 000000000127644E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 00000000012774FC second address: 0000000001277506 instructions: 0x00000000 rdtsc 0x00000002 jng 00007FF9E07FDB7Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 00000000012790FC second address: 0000000001279198 instructions: 0x00000000 rdtsc 0x00000002 je 00007FF9E21CCEC6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop ebx 0x0000000b nop 0x0000000c add dword ptr [ebp+122D1F6Eh], ebx 0x00000012 push 00000000h 0x00000014 push 00000000h 0x00000016 push edi 0x00000017 call 00007FF9E21CCEC8h 0x0000001c pop edi 0x0000001d mov dword ptr [esp+04h], edi 0x00000021 add dword ptr [esp+04h], 0000001Dh 0x00000029 inc edi 0x0000002a push edi 0x0000002b ret 0x0000002c pop edi 0x0000002d ret 0x0000002e cld 0x0000002f call 00007FF9E21CCED6h 0x00000034 pushad 0x00000035 call 00007FF9E21CCECFh 0x0000003a pop esi 0x0000003b mov si, dx 0x0000003e popad 0x0000003f pop esi 0x00000040 push 00000000h 0x00000042 push 00000000h 0x00000044 push ebp 0x00000045 call 00007FF9E21CCEC8h 0x0000004a pop ebp 0x0000004b mov dword ptr [esp+04h], ebp 0x0000004f add dword ptr [esp+04h], 0000001Bh 0x00000057 inc ebp 0x00000058 push ebp 0x00000059 ret 0x0000005a pop ebp 0x0000005b ret 0x0000005c mov dword ptr [ebp+12472727h], edi 0x00000062 and esi, dword ptr [ebp+1244A483h] 0x00000068 xchg eax, ebx 0x00000069 push edx 0x0000006a push eax 0x0000006b push eax 0x0000006c push edx 0x0000006d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 0000000001279B2C second address: 0000000001279B30 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 000000000127A6B6 second address: 000000000127A6C0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 000000000127A6C0 second address: 000000000127A6C4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 000000000127A6C4 second address: 000000000127A6C8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 000000000127A6C8 second address: 000000000127A70B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 nop 0x00000008 push 00000000h 0x0000000a ja 00007FF9E07FDB82h 0x00000010 push 00000000h 0x00000012 jnp 00007FF9E07FDB8Ah 0x00000018 xchg eax, ebx 0x00000019 jc 00007FF9E07FDB88h 0x0000001f push eax 0x00000020 push edx 0x00000021 push eax 0x00000022 push edx 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 000000000127A70B second address: 000000000127A70F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 000000000127CA41 second address: 000000000127CA67 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop eax 0x00000007 jmp 00007FF9E07FDB7Fh 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FF9E07FDB7Eh 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 0000000001239A1F second address: 0000000001239A36 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF9E21CCED3h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 0000000001239A36 second address: 0000000001239A53 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FF9E07FDB85h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 000000000127D001 second address: 000000000127D08B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF9E21CCED1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a mov dword ptr [esp], eax 0x0000000d push 00000000h 0x0000000f push edx 0x00000010 call 00007FF9E21CCEC8h 0x00000015 pop edx 0x00000016 mov dword ptr [esp+04h], edx 0x0000001a add dword ptr [esp+04h], 0000001Bh 0x00000022 inc edx 0x00000023 push edx 0x00000024 ret 0x00000025 pop edx 0x00000026 ret 0x00000027 push 00000000h 0x00000029 push 00000000h 0x0000002b push ecx 0x0000002c call 00007FF9E21CCEC8h 0x00000031 pop ecx 0x00000032 mov dword ptr [esp+04h], ecx 0x00000036 add dword ptr [esp+04h], 00000018h 0x0000003e inc ecx 0x0000003f push ecx 0x00000040 ret 0x00000041 pop ecx 0x00000042 ret 0x00000043 clc 0x00000044 mov edi, dword ptr [ebp+122D1C3Eh] 0x0000004a push 00000000h 0x0000004c mov si, 00B1h 0x00000050 xchg eax, ebx 0x00000051 push edi 0x00000052 pushad 0x00000053 jnp 00007FF9E21CCEC6h 0x00000059 jnc 00007FF9E21CCEC6h 0x0000005f popad 0x00000060 pop edi 0x00000061 push eax 0x00000062 push eax 0x00000063 push edx 0x00000064 jmp 00007FF9E21CCECBh 0x00000069 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 000000000127EF19 second address: 000000000127EF41 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF9E07FDB86h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jnl 00007FF9E07FDB76h 0x00000011 je 00007FF9E07FDB76h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 000000000127EF41 second address: 000000000127EF4B instructions: 0x00000000 rdtsc 0x00000002 jns 00007FF9E21CCEC6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 000000000127EF4B second address: 000000000127EF55 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 000000000127EF55 second address: 000000000127EF5F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 000000000127EF5F second address: 000000000127EF75 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF9E07FDB82h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 0000000001282FA3 second address: 0000000001282FA9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 0000000001283E35 second address: 0000000001283E3C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 0000000001285CB5 second address: 0000000001285CBB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 0000000001285CBB second address: 0000000001285CBF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 0000000001287E68 second address: 0000000001287E6C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 0000000001285E60 second address: 0000000001285E66 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 0000000001287E6C second address: 0000000001287F00 instructions: 0x00000000 rdtsc 0x00000002 jl 00007FF9E21CCEC6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], eax 0x0000000d push 00000000h 0x0000000f push eax 0x00000010 call 00007FF9E21CCEC8h 0x00000015 pop eax 0x00000016 mov dword ptr [esp+04h], eax 0x0000001a add dword ptr [esp+04h], 00000014h 0x00000022 inc eax 0x00000023 push eax 0x00000024 ret 0x00000025 pop eax 0x00000026 ret 0x00000027 mov dword ptr [ebp+122D27C2h], ebx 0x0000002d push 00000000h 0x0000002f push 00000000h 0x00000031 push edx 0x00000032 call 00007FF9E21CCEC8h 0x00000037 pop edx 0x00000038 mov dword ptr [esp+04h], edx 0x0000003c add dword ptr [esp+04h], 0000001Ch 0x00000044 inc edx 0x00000045 push edx 0x00000046 ret 0x00000047 pop edx 0x00000048 ret 0x00000049 mov ebx, dword ptr [ebp+122D346Eh] 0x0000004f push 00000000h 0x00000051 push 00000000h 0x00000053 push edi 0x00000054 call 00007FF9E21CCEC8h 0x00000059 pop edi 0x0000005a mov dword ptr [esp+04h], edi 0x0000005e add dword ptr [esp+04h], 0000001Ch 0x00000066 inc edi 0x00000067 push edi 0x00000068 ret 0x00000069 pop edi 0x0000006a ret 0x0000006b mov edi, edx 0x0000006d push eax 0x0000006e push eax 0x0000006f push edx 0x00000070 push edx 0x00000071 jmp 00007FF9E21CCECCh 0x00000076 pop edx 0x00000077 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 0000000001285E66 second address: 0000000001285F0A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF9E07FDB7Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b nop 0x0000000c push dword ptr fs:[00000000h] 0x00000013 mov edi, 5F30372Ah 0x00000018 push ebx 0x00000019 xor dword ptr [ebp+122D279Bh], ebx 0x0000001f pop ebx 0x00000020 mov dword ptr fs:[00000000h], esp 0x00000027 push 00000000h 0x00000029 push edi 0x0000002a call 00007FF9E07FDB78h 0x0000002f pop edi 0x00000030 mov dword ptr [esp+04h], edi 0x00000034 add dword ptr [esp+04h], 00000018h 0x0000003c inc edi 0x0000003d push edi 0x0000003e ret 0x0000003f pop edi 0x00000040 ret 0x00000041 jp 00007FF9E07FDB80h 0x00000047 jmp 00007FF9E07FDB7Ah 0x0000004c sub ebx, dword ptr [ebp+122D1B1Dh] 0x00000052 mov eax, dword ptr [ebp+122D0DB9h] 0x00000058 jmp 00007FF9E07FDB7Eh 0x0000005d push FFFFFFFFh 0x0000005f push 00000000h 0x00000061 push ebx 0x00000062 call 00007FF9E07FDB78h 0x00000067 pop ebx 0x00000068 mov dword ptr [esp+04h], ebx 0x0000006c add dword ptr [esp+04h], 0000001Ah 0x00000074 inc ebx 0x00000075 push ebx 0x00000076 ret 0x00000077 pop ebx 0x00000078 ret 0x00000079 push eax 0x0000007a push ebx 0x0000007b push eax 0x0000007c push edx 0x0000007d jng 00007FF9E07FDB76h 0x00000083 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 0000000001285F0A second address: 0000000001285F0E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 0000000001288F61 second address: 0000000001288F65 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 0000000001288F65 second address: 0000000001288FF0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 nop 0x00000008 push 00000000h 0x0000000a push edi 0x0000000b call 00007FF9E21CCEC8h 0x00000010 pop edi 0x00000011 mov dword ptr [esp+04h], edi 0x00000015 add dword ptr [esp+04h], 00000019h 0x0000001d inc edi 0x0000001e push edi 0x0000001f ret 0x00000020 pop edi 0x00000021 ret 0x00000022 push 00000000h 0x00000024 push 00000000h 0x00000026 push esi 0x00000027 call 00007FF9E21CCEC8h 0x0000002c pop esi 0x0000002d mov dword ptr [esp+04h], esi 0x00000031 add dword ptr [esp+04h], 00000018h 0x00000039 inc esi 0x0000003a push esi 0x0000003b ret 0x0000003c pop esi 0x0000003d ret 0x0000003e call 00007FF9E21CCED1h 0x00000043 mov di, D822h 0x00000047 pop ebx 0x00000048 push 00000000h 0x0000004a mov edi, dword ptr [ebp+122D3737h] 0x00000050 xchg eax, esi 0x00000051 jnl 00007FF9E21CCED0h 0x00000057 push eax 0x00000058 push eax 0x00000059 push edx 0x0000005a jmp 00007FF9E21CCECEh 0x0000005f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 0000000001288FF0 second address: 0000000001288FF7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 0000000001289266 second address: 0000000001289282 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF9E21CCED7h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 000000000128B1B6 second address: 000000000128B1BC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 000000000128A25E second address: 000000000128A264 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 000000000128B1BC second address: 000000000128B243 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b add dword ptr [ebp+122D1A40h], eax 0x00000011 push 00000000h 0x00000013 push 00000000h 0x00000015 push eax 0x00000016 call 00007FF9E07FDB78h 0x0000001b pop eax 0x0000001c mov dword ptr [esp+04h], eax 0x00000020 add dword ptr [esp+04h], 0000001Dh 0x00000028 inc eax 0x00000029 push eax 0x0000002a ret 0x0000002b pop eax 0x0000002c ret 0x0000002d mov dword ptr [ebp+122D26C5h], ecx 0x00000033 push 00000000h 0x00000035 push 00000000h 0x00000037 push ecx 0x00000038 call 00007FF9E07FDB78h 0x0000003d pop ecx 0x0000003e mov dword ptr [esp+04h], ecx 0x00000042 add dword ptr [esp+04h], 00000015h 0x0000004a inc ecx 0x0000004b push ecx 0x0000004c ret 0x0000004d pop ecx 0x0000004e ret 0x0000004f pushad 0x00000050 mov edx, dword ptr [ebp+122D38DBh] 0x00000056 call 00007FF9E07FDB83h 0x0000005b mov di, 9E9Fh 0x0000005f pop esi 0x00000060 popad 0x00000061 xchg eax, esi 0x00000062 push ebx 0x00000063 push eax 0x00000064 push edx 0x00000065 jbe 00007FF9E07FDB76h 0x0000006b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 000000000128A264 second address: 000000000128A268 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 000000000128C370 second address: 000000000128C3CD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 nop 0x00000008 push 00000000h 0x0000000a push ebp 0x0000000b call 00007FF9E07FDB78h 0x00000010 pop ebp 0x00000011 mov dword ptr [esp+04h], ebp 0x00000015 add dword ptr [esp+04h], 00000016h 0x0000001d inc ebp 0x0000001e push ebp 0x0000001f ret 0x00000020 pop ebp 0x00000021 ret 0x00000022 ja 00007FF9E07FDB76h 0x00000028 push 00000000h 0x0000002a push 00000000h 0x0000002c push esi 0x0000002d call 00007FF9E07FDB78h 0x00000032 pop esi 0x00000033 mov dword ptr [esp+04h], esi 0x00000037 add dword ptr [esp+04h], 00000016h 0x0000003f inc esi 0x00000040 push esi 0x00000041 ret 0x00000042 pop esi 0x00000043 ret 0x00000044 mov di, DE85h 0x00000048 push 00000000h 0x0000004a xchg eax, esi 0x0000004b push eax 0x0000004c push edx 0x0000004d jbe 00007FF9E07FDB7Ch 0x00000053 push eax 0x00000054 push edx 0x00000055 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 000000000128C3CD second address: 000000000128C3D1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 000000000128C3D1 second address: 000000000128C3EC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop eax 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FF9E07FDB7Eh 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 000000000128C3EC second address: 000000000128C3F2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 000000000128E296 second address: 000000000128E29C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 000000000128E29C second address: 000000000128E2A7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnc 00007FF9E21CCEC6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 000000000128B416 second address: 000000000128B431 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF9E07FDB7Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ebx 0x0000000a push eax 0x0000000b jnp 00007FF9E07FDB7Eh 0x00000011 push esi 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 000000000129140C second address: 0000000001291424 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 push edx 0x00000008 jmp 00007FF9E21CCECCh 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 0000000001291424 second address: 000000000129142E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007FF9E07FDB76h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 000000000128D4C0 second address: 000000000128D4C6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 0000000001291A49 second address: 0000000001291A4F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 000000000128D4C6 second address: 000000000128D4CA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 000000000128E47C second address: 000000000128E482 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 0000000001291A4F second address: 0000000001291A53 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 0000000001292AB2 second address: 0000000001292B09 instructions: 0x00000000 rdtsc 0x00000002 jns 00007FF9E07FDB78h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a nop 0x0000000b push 00000000h 0x0000000d push edi 0x0000000e call 00007FF9E07FDB78h 0x00000013 pop edi 0x00000014 mov dword ptr [esp+04h], edi 0x00000018 add dword ptr [esp+04h], 0000001Bh 0x00000020 inc edi 0x00000021 push edi 0x00000022 ret 0x00000023 pop edi 0x00000024 ret 0x00000025 push 00000000h 0x00000027 mov edi, dword ptr [ebp+122D3883h] 0x0000002d push 00000000h 0x0000002f sub dword ptr [ebp+122D18B7h], ecx 0x00000035 xchg eax, esi 0x00000036 push eax 0x00000037 push edx 0x00000038 push eax 0x00000039 push edx 0x0000003a jmp 00007FF9E07FDB82h 0x0000003f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 0000000001291CC4 second address: 0000000001291CD6 instructions: 0x00000000 rdtsc 0x00000002 jl 00007FF9E21CCEC6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edi 0x0000000b push eax 0x0000000c pushad 0x0000000d pushad 0x0000000e pushad 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 0000000001292B09 second address: 0000000001292B13 instructions: 0x00000000 rdtsc 0x00000002 jc 00007FF9E07FDB76h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 0000000001291CD6 second address: 0000000001291CDE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 0000000001293ACD second address: 0000000001293AF7 instructions: 0x00000000 rdtsc 0x00000002 jng 00007FF9E07FDB78h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov dword ptr [esp], eax 0x0000000f adc edi, 650BBA02h 0x00000015 push 00000000h 0x00000017 mov ebx, dword ptr [ebp+122D1B98h] 0x0000001d push 00000000h 0x0000001f push eax 0x00000020 push eax 0x00000021 push edx 0x00000022 jne 00007FF9E07FDB78h 0x00000028 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 0000000001295A3B second address: 0000000001295A40 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 000000000129BAA2 second address: 000000000129BAA6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 000000000129BAA6 second address: 000000000129BAAA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 00000000012A00C0 second address: 00000000012A00C8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push ecx 0x00000007 pop ecx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 00000000012A00C8 second address: 00000000012A00CC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 00000000012A00CC second address: 00000000012A00D2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 000000000129F6FD second address: 000000000129F728 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF9E21CCECCh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007FF9E21CCECAh 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 jp 00007FF9E21CCECEh 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 000000000129F728 second address: 000000000129F768 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FF9E07FDB89h 0x00000008 jmp 00007FF9E07FDB7Eh 0x0000000d jmp 00007FF9E07FDB84h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 000000000129F768 second address: 000000000129F796 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007FF9E21CCED4h 0x0000000c jmp 00007FF9E21CCED3h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 000000000129FA51 second address: 000000000129FA64 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF9E07FDB7Dh 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 000000000129FA64 second address: 000000000129FA6C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 000000000129FA6C second address: 000000000129FA72 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 000000000129FA72 second address: 000000000129FAD1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 jmp 00007FF9E21CCED9h 0x0000000b popad 0x0000000c pushad 0x0000000d jmp 00007FF9E21CCED4h 0x00000012 jmp 00007FF9E21CCECBh 0x00000017 popad 0x00000018 popad 0x00000019 push eax 0x0000001a push edx 0x0000001b jmp 00007FF9E21CCED3h 0x00000020 pushad 0x00000021 push edi 0x00000022 pop edi 0x00000023 pushad 0x00000024 popad 0x00000025 push esi 0x00000026 pop esi 0x00000027 popad 0x00000028 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 000000000129FAD1 second address: 000000000129FAD6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 000000000129FAD6 second address: 000000000129FADE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 00000000012A5026 second address: 00000000012A502A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 00000000012A5158 second address: 00000000012A515C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 00000000012A515C second address: 00000000012A517C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 jmp 00007FF9E07FDB7Dh 0x0000000d mov eax, dword ptr [esp+04h] 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 pushad 0x00000015 popad 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 00000000012A517C second address: 00000000012A5181 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 00000000012A5181 second address: 00000000012A51B1 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jmp 00007FF9E07FDB81h 0x00000008 pop esi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov eax, dword ptr [eax] 0x0000000d push eax 0x0000000e jmp 00007FF9E07FDB7Ch 0x00000013 pop eax 0x00000014 mov dword ptr [esp+04h], eax 0x00000018 pushad 0x00000019 push eax 0x0000001a push edx 0x0000001b pushad 0x0000001c popad 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 00000000012A9645 second address: 00000000012A9666 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 jmp 00007FF9E21CCED6h 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 00000000012A9666 second address: 00000000012A9670 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007FF9E07FDB76h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 00000000012A9670 second address: 00000000012A9684 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF9E21CCED0h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 00000000012A97DB second address: 00000000012A97F5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF9E07FDB86h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 00000000012A97F5 second address: 00000000012A980B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push edx 0x00000009 pop edx 0x0000000a jmp 00007FF9E21CCECCh 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 00000000012A980B second address: 00000000012A9825 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 jnc 00007FF9E07FDB76h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c js 00007FF9E07FDB82h 0x00000012 ja 00007FF9E07FDB7Ch 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 00000000012A9D90 second address: 00000000012A9DC4 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FF9E21CCEE7h 0x00000008 jmp 00007FF9E21CCED3h 0x0000000d jmp 00007FF9E21CCECEh 0x00000012 pop edx 0x00000013 pop eax 0x00000014 jg 00007FF9E21CCECEh 0x0000001a push ecx 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 00000000012AF126 second address: 00000000012AF12C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 00000000012AF12C second address: 00000000012AF13E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF9E21CCECEh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 00000000012AF13E second address: 00000000012AF142 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 00000000012AF142 second address: 00000000012AF167 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e jo 00007FF9E21CCEC6h 0x00000014 pushad 0x00000015 popad 0x00000016 popad 0x00000017 push ebx 0x00000018 js 00007FF9E21CCEC6h 0x0000001e push ecx 0x0000001f pop ecx 0x00000020 pop ebx 0x00000021 push eax 0x00000022 push edx 0x00000023 pushad 0x00000024 popad 0x00000025 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 000000000127F95E second address: 000000000127F970 instructions: 0x00000000 rdtsc 0x00000002 jne 00007FF9E07FDB76h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jnc 00007FF9E07FDB76h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 000000000127F970 second address: 000000000125E016 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edi 0x00000009 pushad 0x0000000a pushad 0x0000000b popad 0x0000000c ja 00007FF9E21CCEC6h 0x00000012 popad 0x00000013 pop edi 0x00000014 nop 0x00000015 pushad 0x00000016 add ebx, dword ptr [ebp+122D1B88h] 0x0000001c mov edx, dword ptr [ebp+122D319Ah] 0x00000022 popad 0x00000023 call dword ptr [ebp+12444CCFh] 0x00000029 pushad 0x0000002a push eax 0x0000002b jmp 00007FF9E21CCECBh 0x00000030 pop eax 0x00000031 push edx 0x00000032 push edi 0x00000033 pop edi 0x00000034 pop edx 0x00000035 pushad 0x00000036 push esi 0x00000037 pop esi 0x00000038 push ecx 0x00000039 pop ecx 0x0000003a push eax 0x0000003b push edx 0x0000003c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 000000000127FF39 second address: 000000000127FF3F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 000000000127FF3F second address: 000000000127FF43 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 000000000127FF43 second address: 000000000127FF72 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xor dword ptr [esp], 15291898h 0x0000000f add edi, dword ptr [ebp+122D346Eh] 0x00000015 jng 00007FF9E07FDB79h 0x0000001b mov dx, ax 0x0000001e call 00007FF9E07FDB79h 0x00000023 push eax 0x00000024 push edx 0x00000025 pushad 0x00000026 pushad 0x00000027 popad 0x00000028 pushad 0x00000029 popad 0x0000002a popad 0x0000002b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 000000000127FF72 second address: 000000000127FFA4 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pushad 0x00000004 popad 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jbe 00007FF9E21CCEC8h 0x00000010 pushad 0x00000011 popad 0x00000012 pop edx 0x00000013 mov eax, dword ptr [esp+04h] 0x00000017 pushad 0x00000018 jmp 00007FF9E21CCED7h 0x0000001d push esi 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 00000000012800A0 second address: 00000000012800B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 popad 0x00000006 push eax 0x00000007 push esi 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007FF9E07FDB7Eh 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 000000000128012D second address: 0000000001280133 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 0000000001280133 second address: 0000000001280149 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FF9E07FDB82h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 00000000012802CD second address: 00000000012802D3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 00000000012804F3 second address: 00000000012804F8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 00000000012804F8 second address: 00000000012804FD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 0000000001280BAD second address: 0000000001280C60 instructions: 0x00000000 rdtsc 0x00000002 je 00007FF9E07FDB76h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b jmp 00007FF9E07FDB7Fh 0x00000010 pop eax 0x00000011 popad 0x00000012 push eax 0x00000013 jmp 00007FF9E07FDB84h 0x00000018 nop 0x00000019 push 00000000h 0x0000001b push edi 0x0000001c call 00007FF9E07FDB78h 0x00000021 pop edi 0x00000022 mov dword ptr [esp+04h], edi 0x00000026 add dword ptr [esp+04h], 0000001Bh 0x0000002e inc edi 0x0000002f push edi 0x00000030 ret 0x00000031 pop edi 0x00000032 ret 0x00000033 mov dword ptr [ebp+1244A7F4h], esi 0x00000039 mov edx, dword ptr [ebp+122D3837h] 0x0000003f sub edi, dword ptr [ebp+122D3188h] 0x00000045 lea eax, dword ptr [ebp+1248366Fh] 0x0000004b push 00000000h 0x0000004d push esi 0x0000004e call 00007FF9E07FDB78h 0x00000053 pop esi 0x00000054 mov dword ptr [esp+04h], esi 0x00000058 add dword ptr [esp+04h], 0000001Dh 0x00000060 inc esi 0x00000061 push esi 0x00000062 ret 0x00000063 pop esi 0x00000064 ret 0x00000065 mov ecx, dword ptr [ebp+1244A4E2h] 0x0000006b mov cx, 2D72h 0x0000006f nop 0x00000070 jmp 00007FF9E07FDB7Ch 0x00000075 push eax 0x00000076 push eax 0x00000077 push eax 0x00000078 push edx 0x00000079 jc 00007FF9E07FDB76h 0x0000007f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 0000000001280C60 second address: 0000000001280C8C instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 nop 0x00000008 sub edx, dword ptr [ebp+12471DABh] 0x0000000e and dh, FFFFFF8Fh 0x00000011 lea eax, dword ptr [ebp+1248362Bh] 0x00000017 mov dword ptr [ebp+1244A938h], esi 0x0000001d sub dword ptr [ebp+1245C83Ah], ecx 0x00000023 nop 0x00000024 push eax 0x00000025 push edx 0x00000026 pushad 0x00000027 push ecx 0x00000028 pop ecx 0x00000029 pushad 0x0000002a popad 0x0000002b popad 0x0000002c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 0000000001280C8C second address: 0000000001280C92 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 0000000001280C92 second address: 0000000001280C96 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 0000000001280C96 second address: 0000000001280C9A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 0000000001280C9A second address: 0000000001280CC2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a pushad 0x0000000b jnp 00007FF9E21CCEC6h 0x00000011 jmp 00007FF9E21CCED3h 0x00000016 popad 0x00000017 pushad 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 00000000012AE240 second address: 00000000012AE256 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF9E07FDB80h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 00000000012AE256 second address: 00000000012AE283 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007FF9E21CCEC6h 0x0000000a popad 0x0000000b pushad 0x0000000c push ecx 0x0000000d jmp 00007FF9E21CCED5h 0x00000012 push esi 0x00000013 pop esi 0x00000014 pop ecx 0x00000015 push eax 0x00000016 push edx 0x00000017 jne 00007FF9E21CCEC6h 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 00000000012AE854 second address: 00000000012AE85C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 00000000012AE9ED second address: 00000000012AE9F2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 00000000012B3860 second address: 00000000012B3866 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 00000000012B3866 second address: 00000000012B386C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 00000000012B386C second address: 00000000012B3871 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 00000000012B3871 second address: 00000000012B3884 instructions: 0x00000000 rdtsc 0x00000002 jns 00007FF9E21CCECAh 0x00000008 pushad 0x00000009 pushad 0x0000000a popad 0x0000000b push eax 0x0000000c pop eax 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 00000000012B3884 second address: 00000000012B388A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 00000000012B388A second address: 00000000012B3897 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 00000000012B3897 second address: 00000000012B389D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 00000000012B389D second address: 00000000012B38DB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF9E21CCED2h 0x00000007 js 00007FF9E21CCEC6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f jnl 00007FF9E21CCEE2h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 00000000012B3E3D second address: 00000000012B3E59 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FF9E07FDB87h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 00000000012B418D second address: 00000000012B4199 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 je 00007FF9E21CCEC6h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 00000000012B4199 second address: 00000000012B41A9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a jbe 00007FF9E07FDB76h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 00000000012B4473 second address: 00000000012B448C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FF9E21CCED5h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 00000000012B4773 second address: 00000000012B4778 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 00000000012B4778 second address: 00000000012B477D instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 00000000012B477D second address: 00000000012B479C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007FF9E07FDB88h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 00000000012B479C second address: 00000000012B47C0 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push edx 0x00000009 jmp 00007FF9E21CCED7h 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 00000000012B47C0 second address: 00000000012B47C4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 00000000012BB014 second address: 00000000012BB02B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007FF9E21CCEC6h 0x0000000a jc 00007FF9E21CCEC6h 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 popad 0x00000015 push ebx 0x00000016 pop ebx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 00000000012BB02B second address: 00000000012BB052 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF9E07FDB85h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jnl 00007FF9E07FDB76h 0x00000011 jnp 00007FF9E07FDB76h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 00000000012B9956 second address: 00000000012B9978 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007FF9E21CCED0h 0x0000000b popad 0x0000000c pushad 0x0000000d pushad 0x0000000e popad 0x0000000f je 00007FF9E21CCEC6h 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 00000000012B9AEC second address: 00000000012B9B02 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FF9E07FDB76h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d jnc 00007FF9E07FDB76h 0x00000013 push edi 0x00000014 pop edi 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 00000000012B9B02 second address: 00000000012B9B0E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jl 00007FF9E21CCEC6h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 00000000012B9B0E second address: 00000000012B9B12 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 00000000012B9B12 second address: 00000000012B9B30 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 jnc 00007FF9E21CCEC6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 jmp 00007FF9E21CCECEh 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 00000000012B9B30 second address: 00000000012B9B34 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 00000000012B9B34 second address: 00000000012B9B3A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 00000000012B9C8C second address: 00000000012B9CA9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007FF9E07FDB84h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 00000000012B9CA9 second address: 00000000012B9CAF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 00000000012B9CAF second address: 00000000012B9CD9 instructions: 0x00000000 rdtsc 0x00000002 jno 00007FF9E07FDB8Eh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 00000000012B9CD9 second address: 00000000012B9CDD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 00000000012B9CDD second address: 00000000012B9CE1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 00000000012B9CE1 second address: 00000000012B9CFE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007FF9E21CCED5h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 00000000012BA5D7 second address: 00000000012BA61C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007FF9E07FDB76h 0x0000000a popad 0x0000000b jne 00007FF9E07FDB7Ch 0x00000011 pushad 0x00000012 jmp 00007FF9E07FDB83h 0x00000017 jmp 00007FF9E07FDB88h 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 00000000012BAA3F second address: 00000000012BAA60 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 push ecx 0x00000006 pop ecx 0x00000007 jmp 00007FF9E21CCED3h 0x0000000c pushad 0x0000000d popad 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 00000000012BAA60 second address: 00000000012BAA66 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 00000000012C30A5 second address: 00000000012C30B6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF9E21CCECDh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 00000000012C6411 second address: 00000000012C6415 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 00000000012C6415 second address: 00000000012C641B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 00000000012C641B second address: 00000000012C6439 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FF9E07FDB88h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 00000000012C6439 second address: 00000000012C6449 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jno 00007FF9E21CCEC6h 0x0000000a jno 00007FF9E21CCEC6h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 00000000012C5FDA second address: 00000000012C5FDF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 00000000012CA446 second address: 00000000012CA462 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007FF9E21CCEC6h 0x0000000a pop ebx 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FF9E21CCECFh 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 00000000012CA462 second address: 00000000012CA47B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF9E07FDB85h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 00000000012CA60C second address: 00000000012CA630 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF9E21CCED6h 0x00000007 jo 00007FF9E21CCEC6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 00000000012CA630 second address: 00000000012CA634 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 00000000012CA927 second address: 00000000012CA92B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 00000000012CA92B second address: 00000000012CA930 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 00000000012CA930 second address: 00000000012CA949 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007FF9E21CCEC6h 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 pushad 0x00000011 jc 00007FF9E21CCEC6h 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 00000000012CA949 second address: 00000000012CA980 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007FF9E07FDB76h 0x0000000a popad 0x0000000b push esi 0x0000000c jmp 00007FF9E07FDB82h 0x00000011 jmp 00007FF9E07FDB80h 0x00000016 pop esi 0x00000017 push eax 0x00000018 push edx 0x00000019 jbe 00007FF9E07FDB76h 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 00000000012CA980 second address: 00000000012CA984 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 00000000012CAAE2 second address: 00000000012CAAE8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 00000000012CAAE8 second address: 00000000012CAAFA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 jnc 00007FF9E21CCEC6h 0x0000000c jne 00007FF9E21CCEC6h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 00000000012CAAFA second address: 00000000012CAB02 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 00000000012CE911 second address: 00000000012CE952 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 je 00007FF9E21CCEC6h 0x0000000b pushad 0x0000000c popad 0x0000000d pushad 0x0000000e popad 0x0000000f jmp 00007FF9E21CCED9h 0x00000014 popad 0x00000015 push eax 0x00000016 push edx 0x00000017 jmp 00007FF9E21CCED6h 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 00000000012CEAD1 second address: 00000000012CEAF7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnl 00007FF9E07FDB76h 0x00000009 jmp 00007FF9E07FDB81h 0x0000000e pushad 0x0000000f popad 0x00000010 jnl 00007FF9E07FDB76h 0x00000016 popad 0x00000017 pushad 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 00000000012D3505 second address: 00000000012D3528 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 jmp 00007FF9E21CCED4h 0x0000000a pop ebx 0x0000000b push ecx 0x0000000c push eax 0x0000000d push edx 0x0000000e jnl 00007FF9E21CCEC6h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 00000000012D3B05 second address: 00000000012D3B09 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 00000000012DBD12 second address: 00000000012DBD19 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop esi 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 00000000012DBD19 second address: 00000000012DBD20 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 00000000012DA073 second address: 00000000012DA078 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 00000000012DA078 second address: 00000000012DA091 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 jmp 00007FF9E07FDB7Dh 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push ecx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 00000000012DA091 second address: 00000000012DA0A5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 jmp 00007FF9E21CCECDh 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 00000000012DA309 second address: 00000000012DA315 instructions: 0x00000000 rdtsc 0x00000002 jp 00007FF9E07FDB76h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 00000000012DA315 second address: 00000000012DA32A instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FF9E21CCECCh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 00000000012DA631 second address: 00000000012DA67A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF9E07FDB82h 0x00000007 jp 00007FF9E07FDB78h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007FF9E07FDB81h 0x00000016 jmp 00007FF9E07FDB88h 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 00000000012DA928 second address: 00000000012DA938 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF9E21CCECCh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 00000000012DA938 second address: 00000000012DA93C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 00000000012DAC28 second address: 00000000012DAC4C instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 push ecx 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007FF9E21CCED8h 0x0000000f push edi 0x00000010 pop edi 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 00000000012DAC4C second address: 00000000012DAC52 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 00000000012DD328 second address: 00000000012DD33A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jl 00007FF9E21CCECEh 0x0000000e pushad 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 000000000123B591 second address: 000000000123B599 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 00000000012E106F second address: 00000000012E107D instructions: 0x00000000 rdtsc 0x00000002 jc 00007FF9E21CCEC8h 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 00000000012E107D second address: 00000000012E1081 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 00000000012E1221 second address: 00000000012E1225 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 00000000012E1225 second address: 00000000012E122B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 00000000012E122B second address: 00000000012E123F instructions: 0x00000000 rdtsc 0x00000002 jp 00007FF9E21CCEC8h 0x00000008 push edi 0x00000009 pop edi 0x0000000a push eax 0x0000000b push edx 0x0000000c jl 00007FF9E21CCEC6h 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 00000000012E123F second address: 00000000012E124F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push edi 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 00000000012E1639 second address: 00000000012E1657 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007FF9E21CCED2h 0x0000000d push eax 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 00000000012E17E9 second address: 00000000012E17F4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 00000000012E17F4 second address: 00000000012E17F8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 00000000012E1940 second address: 00000000012E194D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jns 00007FF9E07FDB76h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 00000000012E194D second address: 00000000012E1951 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 00000000012E1A87 second address: 00000000012E1A8B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 00000000012E1A8B second address: 00000000012E1A8F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 00000000012E1C37 second address: 00000000012E1C3D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 00000000012E1C3D second address: 00000000012E1C46 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 00000000012E1C46 second address: 00000000012E1C4C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 00000000012E1C4C second address: 00000000012E1C58 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 00000000012E1C58 second address: 00000000012E1C5C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 00000000012E1C5C second address: 00000000012E1C6C instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 js 00007FF9E21CCEE2h 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 00000000012E7E29 second address: 00000000012E7E2F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 00000000012E7E2F second address: 00000000012E7E5C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF9E21CCED5h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push edi 0x00000010 pushad 0x00000011 popad 0x00000012 pushad 0x00000013 popad 0x00000014 pop edi 0x00000015 jnp 00007FF9E21CCEC8h 0x0000001b pushad 0x0000001c popad 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 00000000012F044C second address: 00000000012F046F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF9E07FDB7Ah 0x00000007 jmp 00007FF9E07FDB80h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pop esi 0x0000000f push edx 0x00000010 push edi 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 00000000012F046F second address: 00000000012F0479 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pushad 0x00000006 push edi 0x00000007 pop edi 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 00000000012EE599 second address: 00000000012EE59D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 00000000012EE7B9 second address: 00000000012EE7E5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007FF9E21CCED5h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push edx 0x0000000c jmp 00007FF9E21CCECEh 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 00000000012EEC93 second address: 00000000012EECB5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FF9E07FDB87h 0x00000008 jns 00007FF9E07FDB76h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 00000000012EEDFC second address: 00000000012EEE02 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 00000000012EF4EF second address: 00000000012EF4F5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 00000000012EFC5B second address: 00000000012EFC64 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 push edx 0x00000007 pop edx 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 00000000012F0316 second address: 00000000012F0325 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 js 00007FF9E07FDB76h 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 00000000012EE18C second address: 00000000012EE1B1 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 jmp 00007FF9E21CCECDh 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a pop edi 0x0000000b pushad 0x0000000c jmp 00007FF9E21CCECDh 0x00000011 pushad 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 00000000012F4F2F second address: 00000000012F4F34 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 00000000012F7BD0 second address: 00000000012F7C31 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 jmp 00007FF9E21CCECBh 0x0000000d popad 0x0000000e jmp 00007FF9E21CCED1h 0x00000013 popad 0x00000014 pushad 0x00000015 jmp 00007FF9E21CCED1h 0x0000001a pushad 0x0000001b jmp 00007FF9E21CCECAh 0x00000020 pushad 0x00000021 popad 0x00000022 jmp 00007FF9E21CCED7h 0x00000027 popad 0x00000028 push eax 0x00000029 push edx 0x0000002a push eax 0x0000002b pop eax 0x0000002c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 000000000130685B second address: 0000000001306879 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 jne 00007FF9E07FDB7Eh 0x0000000d pushad 0x0000000e jne 00007FF9E07FDB76h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 0000000001306879 second address: 000000000130687F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 0000000001309049 second address: 0000000001309051 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 0000000001309051 second address: 0000000001309056 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 000000000131AA82 second address: 000000000131AA86 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 0000000001322AE0 second address: 0000000001322AF8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF9E21CCECCh 0x00000009 jno 00007FF9E21CCEC6h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 0000000001322AF8 second address: 0000000001322B2A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007FF9E07FDB81h 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FF9E07FDB88h 0x00000011 push ebx 0x00000012 pop ebx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 0000000001322B2A second address: 0000000001322B34 instructions: 0x00000000 rdtsc 0x00000002 jng 00007FF9E21CCEC6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 0000000001322B34 second address: 0000000001322B41 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 0000000001322B41 second address: 0000000001322B45 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 0000000001322B45 second address: 0000000001322B64 instructions: 0x00000000 rdtsc 0x00000002 jg 00007FF9E07FDB76h 0x00000008 jmp 00007FF9E07FDB81h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 push edi 0x00000012 pop edi 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 0000000001322B64 second address: 0000000001322B70 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jp 00007FF9E21CCEC6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 0000000001322DD5 second address: 0000000001322DDE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 0000000001322F57 second address: 0000000001322F6A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007FF9E21CCECCh 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 0000000001322F6A second address: 0000000001322F6E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 0000000001322F6E second address: 0000000001322F8B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF9E21CCED7h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 0000000001322F8B second address: 0000000001322FAA instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jmp 00007FF9E07FDB87h 0x00000008 pop ecx 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 0000000001322FAA second address: 0000000001322FB0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 0000000001322FB0 second address: 0000000001322FB4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 0000000001337802 second address: 0000000001337823 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 jmp 00007FF9E21CCECEh 0x0000000a push eax 0x0000000b push edx 0x0000000c jng 00007FF9E21CCEC6h 0x00000012 jng 00007FF9E21CCEC6h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 000000000133FE84 second address: 000000000133FEB5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 je 00007FF9E07FDB76h 0x0000000c jbe 00007FF9E07FDB76h 0x00000012 popad 0x00000013 popad 0x00000014 pushad 0x00000015 push eax 0x00000016 js 00007FF9E07FDB76h 0x0000001c pop eax 0x0000001d pushad 0x0000001e jmp 00007FF9E07FDB81h 0x00000023 push eax 0x00000024 push edx 0x00000025 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 000000000134C856 second address: 000000000134C866 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF9E21CCECCh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 00000000013741CE second address: 00000000013741E8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 pushad 0x0000000a popad 0x0000000b push ecx 0x0000000c pop ecx 0x0000000d jp 00007FF9E07FDB76h 0x00000013 jnp 00007FF9E07FDB76h 0x00000019 popad 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 00000000013741E8 second address: 00000000013741FD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF9E21CCECFh 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 000000000137314E second address: 0000000001373183 instructions: 0x00000000 rdtsc 0x00000002 je 00007FF9E07FDB78h 0x00000008 push eax 0x00000009 pop eax 0x0000000a push ecx 0x0000000b push ecx 0x0000000c pop ecx 0x0000000d pop ecx 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 jmp 00007FF9E07FDB80h 0x00000018 jmp 00007FF9E07FDB7Bh 0x0000001d jg 00007FF9E07FDB76h 0x00000023 popad 0x00000024 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 00000000013732DD second address: 00000000013732E7 instructions: 0x00000000 rdtsc 0x00000002 jp 00007FF9E21CCEC6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 00000000013732E7 second address: 00000000013732FD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FF9E07FDB82h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 00000000013732FD second address: 0000000001373301 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 000000000137343A second address: 000000000137344E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF9E07FDB80h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 00000000013735F9 second address: 0000000001373615 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF9E21CCED6h 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 0000000001373615 second address: 0000000001373629 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF9E07FDB80h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 0000000001373A6E second address: 0000000001373A73 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 0000000001373BBF second address: 0000000001373BC5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 0000000001373E91 second address: 0000000001373E9B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007FF9E21CCEC6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 0000000001373E9B second address: 0000000001373EA6 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 0000000001376EF8 second address: 0000000001376EFC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 0000000001379A57 second address: 0000000001379A75 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF9E07FDB89h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 000000000137B671 second address: 000000000137B68A instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jmp 00007FF9E21CCED1h 0x00000008 pop ecx 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 000000000137B68A second address: 000000000137B690 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 000000000137B690 second address: 000000000137B694 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 000000000137B694 second address: 000000000137B6D5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 jo 00007FF9E07FDB9Eh 0x0000000f jmp 00007FF9E07FDB86h 0x00000014 jmp 00007FF9E07FDB82h 0x00000019 ja 00007FF9E07FDB7Eh 0x0000001f push edi 0x00000020 pop edi 0x00000021 push eax 0x00000022 push edx 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 000000000137B210 second address: 000000000137B226 instructions: 0x00000000 rdtsc 0x00000002 jns 00007FF9E21CCECEh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 000000000137D1A5 second address: 000000000137D1AB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 000000000137D1AB second address: 000000000137D1B1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 000000000137D1B1 second address: 000000000137D1CE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF9E07FDB7Fh 0x00000007 push edi 0x00000008 pop edi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jns 00007FF9E07FDB76h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 0000000004D60899 second address: 0000000004D608BD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF9E21CCED9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 0000000004D608BD second address: 0000000004D608C1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 0000000004D608C1 second address: 0000000004D608C5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 0000000004D608C5 second address: 0000000004D608CB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 0000000004D608CB second address: 0000000004D60905 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF9E21CCED2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007FF9E21CCECBh 0x0000000f xchg eax, ebp 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007FF9E21CCED5h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 0000000004D60905 second address: 0000000004D6090B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 0000000004D301FD second address: 0000000004D3022F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 call 00007FF9E21CCECCh 0x00000009 pop eax 0x0000000a popad 0x0000000b mov esi, edx 0x0000000d popad 0x0000000e xchg eax, ebp 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 call 00007FF9E21CCED6h 0x00000017 pop esi 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 0000000004D3022F second address: 0000000004D30234 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 0000000004D30234 second address: 0000000004D30239 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 0000000004DA075E second address: 0000000004DA0764 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 0000000004DA0764 second address: 0000000004DA0768 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 0000000004DA0768 second address: 0000000004DA0791 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF9E07FDB82h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FF9E07FDB7Eh 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 0000000004DA0791 second address: 0000000004DA07A7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF9E21CCECBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 0000000004DA07A7 second address: 0000000004DA07AB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 0000000004DA07AB second address: 0000000004DA07B1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 0000000004DA07B1 second address: 0000000004DA0839 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FF9E07FDB88h 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov ebp, esp 0x0000000d jmp 00007FF9E07FDB87h 0x00000012 pop ebp 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 pushfd 0x00000017 jmp 00007FF9E07FDB7Bh 0x0000001c and al, 0000000Eh 0x0000001f jmp 00007FF9E07FDB89h 0x00000024 popfd 0x00000025 pushfd 0x00000026 jmp 00007FF9E07FDB80h 0x0000002b xor esi, 4967E788h 0x00000031 jmp 00007FF9E07FDB7Bh 0x00000036 popfd 0x00000037 popad 0x00000038 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 0000000004DA0839 second address: 0000000004DA083E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 0000000004D20D5A second address: 0000000004D20E63 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FF9E07FDB86h 0x00000009 jmp 00007FF9E07FDB85h 0x0000000e popfd 0x0000000f call 00007FF9E07FDB80h 0x00000014 pop ecx 0x00000015 popad 0x00000016 pop edx 0x00000017 pop eax 0x00000018 push ecx 0x00000019 pushad 0x0000001a push eax 0x0000001b mov si, bx 0x0000001e pop edx 0x0000001f mov dx, cx 0x00000022 popad 0x00000023 mov dword ptr [esp], ebp 0x00000026 jmp 00007FF9E07FDB7Eh 0x0000002b mov ebp, esp 0x0000002d jmp 00007FF9E07FDB80h 0x00000032 push dword ptr [ebp+04h] 0x00000035 pushad 0x00000036 call 00007FF9E07FDB7Eh 0x0000003b pushfd 0x0000003c jmp 00007FF9E07FDB82h 0x00000041 and ah, 00000028h 0x00000044 jmp 00007FF9E07FDB7Bh 0x00000049 popfd 0x0000004a pop ecx 0x0000004b pushfd 0x0000004c jmp 00007FF9E07FDB89h 0x00000051 adc cx, C546h 0x00000056 jmp 00007FF9E07FDB81h 0x0000005b popfd 0x0000005c popad 0x0000005d push dword ptr [ebp+0Ch] 0x00000060 push eax 0x00000061 push edx 0x00000062 pushad 0x00000063 movsx ebx, si 0x00000066 pushfd 0x00000067 jmp 00007FF9E07FDB84h 0x0000006c xor cx, 2518h 0x00000071 jmp 00007FF9E07FDB7Bh 0x00000076 popfd 0x00000077 popad 0x00000078 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 0000000004D20E63 second address: 0000000004D20E92 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF9E21CCED9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push dword ptr [ebp+08h] 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FF9E21CCECDh 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 0000000004D20E92 second address: 0000000004D20E98 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 0000000004D20E98 second address: 0000000004D20E9C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 0000000004D20E9C second address: 0000000004D20EA0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 0000000004D20EB8 second address: 0000000004D20F09 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007FF9E21CCECFh 0x00000008 pop eax 0x00000009 pushfd 0x0000000a jmp 00007FF9E21CCED9h 0x0000000f jmp 00007FF9E21CCECBh 0x00000014 popfd 0x00000015 popad 0x00000016 pop edx 0x00000017 pop eax 0x00000018 pop ebp 0x00000019 push eax 0x0000001a push edx 0x0000001b push eax 0x0000001c push edx 0x0000001d jmp 00007FF9E21CCED0h 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 0000000004D20F09 second address: 0000000004D20F0F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 0000000004D20F0F second address: 0000000004D20F15 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 0000000004D20F15 second address: 0000000004D20F19 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 0000000004DA04BD second address: 0000000004DA04C3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 0000000004DA04C3 second address: 0000000004DA04F0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF9E07FDB7Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d push edi 0x0000000e pop esi 0x0000000f jmp 00007FF9E07FDB87h 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 0000000004DA04F0 second address: 0000000004DA0549 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FF9E21CCECFh 0x00000008 mov cx, 649Fh 0x0000000c popad 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 jmp 00007FF9E21CCED5h 0x00000015 xchg eax, ebp 0x00000016 jmp 00007FF9E21CCECEh 0x0000001b mov ebp, esp 0x0000001d push eax 0x0000001e push edx 0x0000001f jmp 00007FF9E21CCED7h 0x00000024 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 0000000004DA0549 second address: 0000000004DA0571 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov edx, 1BA0170Ah 0x00000008 push edi 0x00000009 pop esi 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d pop ebp 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007FF9E07FDB88h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 0000000004D70A8A second address: 0000000004D70ADE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jmp 00007FF9E21CCED1h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d xchg eax, ebp 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 pushfd 0x00000012 jmp 00007FF9E21CCED3h 0x00000017 sub si, 0F6Eh 0x0000001c jmp 00007FF9E21CCED9h 0x00000021 popfd 0x00000022 movzx eax, di 0x00000025 popad 0x00000026 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 0000000004D70ADE second address: 0000000004D70AFD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF9E07FDB7Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FF9E07FDB7Eh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 0000000004D70AFD second address: 0000000004D70B5D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov dx, 3BC4h 0x00000007 mov si, di 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d xchg eax, ebp 0x0000000e pushad 0x0000000f call 00007FF9E21CCED5h 0x00000014 pushfd 0x00000015 jmp 00007FF9E21CCED0h 0x0000001a xor eax, 1615B7A8h 0x00000020 jmp 00007FF9E21CCECBh 0x00000025 popfd 0x00000026 pop eax 0x00000027 mov ax, bx 0x0000002a popad 0x0000002b mov ebp, esp 0x0000002d jmp 00007FF9E21CCECBh 0x00000032 pop ebp 0x00000033 push eax 0x00000034 push edx 0x00000035 push eax 0x00000036 push edx 0x00000037 push eax 0x00000038 push edx 0x00000039 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 0000000004D70B5D second address: 0000000004D70B61 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 0000000004D70B61 second address: 0000000004D70B65 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 0000000004D70B65 second address: 0000000004D70B6B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 0000000004D70B6B second address: 0000000004D70B88 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FF9E21CCED9h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 0000000004DA05B9 second address: 0000000004DA05D5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FF9E07FDB88h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 0000000004DA05D5 second address: 0000000004DA05D9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 0000000004DA05D9 second address: 0000000004DA05F7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FF9E07FDB83h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 0000000004DA05F7 second address: 0000000004DA0636 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF9E21CCED9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], ebp 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f pushfd 0x00000010 jmp 00007FF9E21CCECAh 0x00000015 and ax, F8A8h 0x0000001a jmp 00007FF9E21CCECBh 0x0000001f popfd 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 0000000004DA0636 second address: 0000000004DA063A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 0000000004DA063A second address: 0000000004DA0669 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushfd 0x00000009 jmp 00007FF9E21CCED4h 0x0000000e add ecx, 1DF6EB08h 0x00000014 jmp 00007FF9E21CCECBh 0x00000019 popfd 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 0000000004DA0669 second address: 0000000004DA069F instructions: 0x00000000 rdtsc 0x00000002 movzx esi, di 0x00000005 pop edx 0x00000006 pop eax 0x00000007 popad 0x00000008 mov ebp, esp 0x0000000a pushad 0x0000000b mov esi, edx 0x0000000d jmp 00007FF9E07FDB7Dh 0x00000012 popad 0x00000013 pop ebp 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 call 00007FF9E07FDB83h 0x0000001c pop ecx 0x0000001d pushad 0x0000001e popad 0x0000001f popad 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 0000000004DA069F second address: 0000000004DA06A5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 0000000004DA06A5 second address: 0000000004DA06A9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 0000000004DA0BE9 second address: 0000000004DA0C29 instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007FF9E21CCED0h 0x00000008 sub esi, 21073618h 0x0000000e jmp 00007FF9E21CCECBh 0x00000013 popfd 0x00000014 pop edx 0x00000015 pop eax 0x00000016 popad 0x00000017 xchg eax, ebp 0x00000018 push eax 0x00000019 push edx 0x0000001a jmp 00007FF9E21CCED5h 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 0000000004DA0C29 second address: 0000000004DA0C2F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 0000000004DA0C2F second address: 0000000004DA0C33 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 0000000004DA0C33 second address: 0000000004DA0C80 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF9E07FDB83h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov ebp, esp 0x0000000d jmp 00007FF9E07FDB86h 0x00000012 mov eax, dword ptr [ebp+08h] 0x00000015 push eax 0x00000016 push edx 0x00000017 jmp 00007FF9E07FDB87h 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 0000000004DA0C80 second address: 0000000004DA0CB9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF9E21CCED9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 and dword ptr [eax], 00000000h 0x0000000c jmp 00007FF9E21CCECEh 0x00000011 and dword ptr [eax+04h], 00000000h 0x00000015 pushad 0x00000016 movzx eax, di 0x00000019 pushad 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 0000000004DA0CB9 second address: 0000000004DA0CD9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop esi 0x00000006 popad 0x00000007 popad 0x00000008 pop ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FF9E07FDB83h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 0000000004DA0CD9 second address: 0000000004DA0CDF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 0000000004DA0CDF second address: 0000000004DA0CEE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FF9E07FDB7Bh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 0000000004D709CE second address: 0000000004D709DE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FF9E21CCECCh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 0000000004D709DE second address: 0000000004D70A03 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ecx 0x00000009 pushad 0x0000000a mov ax, 0489h 0x0000000e mov ax, 6045h 0x00000012 popad 0x00000013 mov dword ptr [esp], ebp 0x00000016 pushad 0x00000017 mov bx, si 0x0000001a mov ebx, ecx 0x0000001c popad 0x0000001d mov ebp, esp 0x0000001f push eax 0x00000020 push edx 0x00000021 push eax 0x00000022 push edx 0x00000023 pushad 0x00000024 popad 0x00000025 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 0000000004D70A03 second address: 0000000004D70A09 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 0000000004DA0EA1 second address: 0000000004DA0EB3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FF9E07FDB7Eh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 0000000004DA0EB3 second address: 0000000004DA0ECB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF9E21CCECBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 0000000004DA0ECB second address: 0000000004DA0EE6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF9E07FDB87h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 0000000004DA0EE6 second address: 0000000004DA0F15 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007FF9E21CCECFh 0x00000008 pop esi 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov ebp, esp 0x0000000e pushad 0x0000000f mov dx, ax 0x00000012 push eax 0x00000013 mov dx, C0FEh 0x00000017 pop ebx 0x00000018 popad 0x00000019 pop ebp 0x0000001a push eax 0x0000001b push edx 0x0000001c pushad 0x0000001d mov si, dx 0x00000020 mov bx, 65AEh 0x00000024 popad 0x00000025 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 0000000004DA0F15 second address: 0000000004DA0F24 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FF9E07FDB7Bh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 0000000004DA0F24 second address: 0000000004DA0F28 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 0000000004D50819 second address: 0000000004D5081F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 0000000004D5081F second address: 0000000004D50823 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 0000000004D50823 second address: 0000000004D50864 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF9E07FDB7Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c pushad 0x0000000d mov dx, cx 0x00000010 mov edx, esi 0x00000012 popad 0x00000013 push eax 0x00000014 jmp 00007FF9E07FDB7Dh 0x00000019 xchg eax, ebp 0x0000001a push eax 0x0000001b push edx 0x0000001c pushad 0x0000001d call 00007FF9E07FDB83h 0x00000022 pop eax 0x00000023 push eax 0x00000024 push edx 0x00000025 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 0000000004D50864 second address: 0000000004D50869 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 0000000004D50869 second address: 0000000004D50878 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FF9E07FDB7Bh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 0000000004DB0C01 second address: 0000000004DB0C39 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ebx, 590AB49Eh 0x00000008 mov di, 7CAAh 0x0000000c popad 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 pushad 0x00000011 pushfd 0x00000012 jmp 00007FF9E21CCECCh 0x00000017 jmp 00007FF9E21CCED5h 0x0000001c popfd 0x0000001d push eax 0x0000001e push edx 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 0000000004DB0C39 second address: 0000000004DB0C3D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 0000000004DB0C3D second address: 0000000004DB0C41 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 0000000004DB0C41 second address: 0000000004DB0C8C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov dword ptr [esp], ebp 0x0000000a jmp 00007FF9E07FDB88h 0x0000000f mov ebp, esp 0x00000011 jmp 00007FF9E07FDB80h 0x00000016 xchg eax, ecx 0x00000017 jmp 00007FF9E07FDB80h 0x0000001c push eax 0x0000001d pushad 0x0000001e push eax 0x0000001f push edx 0x00000020 mov cl, dl 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 0000000004DB0C8C second address: 0000000004DB0CA0 instructions: 0x00000000 rdtsc 0x00000002 mov dx, cx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov ecx, 70FF862Bh 0x0000000c popad 0x0000000d xchg eax, ecx 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 0000000004DB0CA0 second address: 0000000004DB0CB3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF9E07FDB7Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 0000000004DB0CB3 second address: 0000000004DB0CCC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov bx, 51DAh 0x00000007 mov di, B1A6h 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e mov eax, dword ptr [76FA65FCh] 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 pushad 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 0000000004DB0CCC second address: 0000000004DB0CD2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 0000000004DB0CD2 second address: 0000000004DB0D19 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop eax 0x00000005 jmp 00007FF9E21CCED3h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d test eax, eax 0x0000000f jmp 00007FF9E21CCED6h 0x00000014 je 00007FFA5433FB27h 0x0000001a push eax 0x0000001b push edx 0x0000001c push eax 0x0000001d push edx 0x0000001e jmp 00007FF9E21CCECAh 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 0000000004DB0D19 second address: 0000000004DB0D1D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 0000000004DB0D1D second address: 0000000004DB0D23 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 0000000004DB0D23 second address: 0000000004DB0D28 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 0000000004DB0D28 second address: 0000000004DB0D3B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ecx, eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e mov ch, bl 0x00000010 pushad 0x00000011 popad 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 0000000004DB0D3B second address: 0000000004DB0D41 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 0000000004DB0D41 second address: 0000000004DB0D45 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 0000000004DB0D45 second address: 0000000004DB0D8B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xor eax, dword ptr [ebp+08h] 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e pushfd 0x0000000f jmp 00007FF9E07FDB83h 0x00000014 adc cx, C4FEh 0x00000019 jmp 00007FF9E07FDB89h 0x0000001e popfd 0x0000001f mov cx, 3D47h 0x00000023 popad 0x00000024 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 0000000004DB00C5 second address: 0000000004DB0174 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007FF9E21CCECFh 0x00000008 pop ecx 0x00000009 mov cl, dh 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f pushad 0x00000010 pushfd 0x00000011 jmp 00007FF9E21CCED1h 0x00000016 xor eax, 1F888D06h 0x0000001c jmp 00007FF9E21CCED1h 0x00000021 popfd 0x00000022 mov esi, 3D0678B7h 0x00000027 popad 0x00000028 xchg eax, ebp 0x00000029 pushad 0x0000002a pushfd 0x0000002b jmp 00007FF9E21CCED8h 0x00000030 sbb si, 06D8h 0x00000035 jmp 00007FF9E21CCECBh 0x0000003a popfd 0x0000003b movzx ecx, di 0x0000003e popad 0x0000003f mov ebp, esp 0x00000041 pushad 0x00000042 mov ebx, 124A4AB4h 0x00000047 jmp 00007FF9E21CCECDh 0x0000004c popad 0x0000004d mov eax, dword ptr [ebp+08h] 0x00000050 push eax 0x00000051 push edx 0x00000052 push eax 0x00000053 push edx 0x00000054 jmp 00007FF9E21CCED8h 0x00000059 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 0000000004DB0174 second address: 0000000004DB017A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 0000000004DB017A second address: 0000000004DB018B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FF9E21CCECDh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 0000000004D7001F second address: 0000000004D70039 instructions: 0x00000000 rdtsc 0x00000002 mov dh, 38h 0x00000004 pop edx 0x00000005 pop eax 0x00000006 call 00007FF9E07FDB82h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 0000000004D70039 second address: 0000000004D7007B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 popad 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a pushfd 0x0000000b jmp 00007FF9E21CCED3h 0x00000010 xor esi, 5CB0848Eh 0x00000016 jmp 00007FF9E21CCED9h 0x0000001b popfd 0x0000001c mov bx, ax 0x0000001f popad 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 0000000004D7007B second address: 0000000004D7012E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ebx, 4EFD61EEh 0x00000008 mov al, dh 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d xchg eax, ebp 0x0000000e pushad 0x0000000f mov ecx, ebx 0x00000011 popad 0x00000012 mov ebp, esp 0x00000014 jmp 00007FF9E07FDB85h 0x00000019 and esp, FFFFFFF8h 0x0000001c pushad 0x0000001d pushfd 0x0000001e jmp 00007FF9E07FDB7Ch 0x00000023 xor esi, 10ED7498h 0x00000029 jmp 00007FF9E07FDB7Bh 0x0000002e popfd 0x0000002f movzx ecx, bx 0x00000032 popad 0x00000033 push edx 0x00000034 jmp 00007FF9E07FDB80h 0x00000039 mov dword ptr [esp], ecx 0x0000003c pushad 0x0000003d mov cx, B80Dh 0x00000041 push ecx 0x00000042 mov di, 323Ch 0x00000046 pop ebx 0x00000047 popad 0x00000048 xchg eax, ebx 0x00000049 jmp 00007FF9E07FDB80h 0x0000004e push eax 0x0000004f pushad 0x00000050 mov ebx, 53F4D304h 0x00000055 mov cx, di 0x00000058 popad 0x00000059 xchg eax, ebx 0x0000005a push eax 0x0000005b push edx 0x0000005c pushad 0x0000005d pushfd 0x0000005e jmp 00007FF9E07FDB80h 0x00000063 and al, FFFFFFB8h 0x00000066 jmp 00007FF9E07FDB7Bh 0x0000006b popfd 0x0000006c mov bh, al 0x0000006e popad 0x0000006f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 0000000004D7012E second address: 0000000004D7014B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF9E21CCED2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebx, dword ptr [ebp+10h] 0x0000000c pushad 0x0000000d push ecx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 0000000004D7014B second address: 0000000004D70193 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pushfd 0x00000006 jmp 00007FF9E07FDB88h 0x0000000b sub ax, A878h 0x00000010 jmp 00007FF9E07FDB7Bh 0x00000015 popfd 0x00000016 popad 0x00000017 xchg eax, esi 0x00000018 push eax 0x00000019 push edx 0x0000001a jmp 00007FF9E07FDB85h 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 0000000004D70193 second address: 0000000004D701E0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FF9E21CCECAh 0x00000009 sub ecx, 04F39208h 0x0000000f jmp 00007FF9E21CCECBh 0x00000014 popfd 0x00000015 popad 0x00000016 pop edx 0x00000017 pop eax 0x00000018 push eax 0x00000019 jmp 00007FF9E21CCED9h 0x0000001e xchg eax, esi 0x0000001f push eax 0x00000020 push edx 0x00000021 jmp 00007FF9E21CCECDh 0x00000026 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 0000000004D701E0 second address: 0000000004D702E7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007FF9E07FDB87h 0x00000008 pop esi 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e mov esi, dword ptr [ebp+08h] 0x00000011 jmp 00007FF9E07FDB85h 0x00000016 xchg eax, edi 0x00000017 jmp 00007FF9E07FDB7Eh 0x0000001c push eax 0x0000001d pushad 0x0000001e pushfd 0x0000001f jmp 00007FF9E07FDB81h 0x00000024 xor eax, 50405146h 0x0000002a jmp 00007FF9E07FDB81h 0x0000002f popfd 0x00000030 mov ah, D7h 0x00000032 popad 0x00000033 xchg eax, edi 0x00000034 pushad 0x00000035 call 00007FF9E07FDB89h 0x0000003a pushfd 0x0000003b jmp 00007FF9E07FDB80h 0x00000040 sub cl, 00000048h 0x00000043 jmp 00007FF9E07FDB7Bh 0x00000048 popfd 0x00000049 pop eax 0x0000004a mov bx, 028Ch 0x0000004e popad 0x0000004f test esi, esi 0x00000051 jmp 00007FF9E07FDB7Bh 0x00000056 je 00007FFA529ABEE7h 0x0000005c jmp 00007FF9E07FDB86h 0x00000061 cmp dword ptr [esi+08h], DDEEDDEEh 0x00000068 pushad 0x00000069 mov cx, CB6Dh 0x0000006d mov ah, B1h 0x0000006f popad 0x00000070 je 00007FFA529ABED2h 0x00000076 push eax 0x00000077 push edx 0x00000078 jmp 00007FF9E07FDB80h 0x0000007d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 0000000004D702E7 second address: 0000000004D70359 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF9E21CCECBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov edx, dword ptr [esi+44h] 0x0000000c jmp 00007FF9E21CCED6h 0x00000011 or edx, dword ptr [ebp+0Ch] 0x00000014 jmp 00007FF9E21CCED0h 0x00000019 test edx, 61000000h 0x0000001f jmp 00007FF9E21CCED0h 0x00000024 jne 00007FFA5437B216h 0x0000002a pushad 0x0000002b mov esi, 1313C60Dh 0x00000030 jmp 00007FF9E21CCECAh 0x00000035 popad 0x00000036 test byte ptr [esi+48h], 00000001h 0x0000003a push eax 0x0000003b push edx 0x0000003c push eax 0x0000003d push edx 0x0000003e pushad 0x0000003f popad 0x00000040 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 0000000004D70359 second address: 0000000004D7035D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 0000000004D7035D second address: 0000000004D70363 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 0000000004D70363 second address: 0000000004D703B2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movsx edi, cx 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jne 00007FFA529ABEABh 0x0000000f pushad 0x00000010 pushfd 0x00000011 jmp 00007FF9E07FDB86h 0x00000016 sbb ax, A9B8h 0x0000001b jmp 00007FF9E07FDB7Bh 0x00000020 popfd 0x00000021 movzx eax, di 0x00000024 popad 0x00000025 test bl, 00000007h 0x00000028 push eax 0x00000029 push edx 0x0000002a jmp 00007FF9E07FDB7Eh 0x0000002f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 0000000004D8000E second address: 0000000004D80014 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 0000000004D80014 second address: 0000000004D80018 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 0000000004D80018 second address: 0000000004D8003B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF9E21CCECDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FF9E21CCECDh 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 0000000004D8003B second address: 0000000004D8009C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov bl, D9h 0x00000005 jmp 00007FF9E07FDB88h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e jmp 00007FF9E07FDB7Bh 0x00000013 xchg eax, ebp 0x00000014 jmp 00007FF9E07FDB86h 0x00000019 mov ebp, esp 0x0000001b push eax 0x0000001c push edx 0x0000001d pushad 0x0000001e mov bl, 36h 0x00000020 jmp 00007FF9E07FDB86h 0x00000025 popad 0x00000026 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 0000000004D8009C second address: 0000000004D80122 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF9E21CCECBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 and esp, FFFFFFF8h 0x0000000c jmp 00007FF9E21CCED6h 0x00000011 xchg eax, ebx 0x00000012 pushad 0x00000013 pushad 0x00000014 mov eax, 309AEF33h 0x00000019 pushfd 0x0000001a jmp 00007FF9E21CCED8h 0x0000001f and ax, 4B38h 0x00000024 jmp 00007FF9E21CCECBh 0x00000029 popfd 0x0000002a popad 0x0000002b jmp 00007FF9E21CCED8h 0x00000030 popad 0x00000031 push eax 0x00000032 push eax 0x00000033 push edx 0x00000034 push eax 0x00000035 push edx 0x00000036 jmp 00007FF9E21CCECDh 0x0000003b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 0000000004D80122 second address: 0000000004D80128 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 0000000004D80128 second address: 0000000004D80172 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF9E21CCECCh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d pushad 0x0000000e popad 0x0000000f pushfd 0x00000010 jmp 00007FF9E21CCED3h 0x00000015 xor ax, 3BBEh 0x0000001a jmp 00007FF9E21CCED9h 0x0000001f popfd 0x00000020 popad 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 0000000004D80172 second address: 0000000004D80210 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF9E07FDB81h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, esi 0x0000000a jmp 00007FF9E07FDB7Eh 0x0000000f push eax 0x00000010 jmp 00007FF9E07FDB7Bh 0x00000015 xchg eax, esi 0x00000016 pushad 0x00000017 movzx eax, bx 0x0000001a popad 0x0000001b mov esi, dword ptr [ebp+08h] 0x0000001e jmp 00007FF9E07FDB7Ah 0x00000023 sub ebx, ebx 0x00000025 pushad 0x00000026 push edi 0x00000027 pop eax 0x00000028 push edx 0x00000029 mov eax, 257F7851h 0x0000002e pop ecx 0x0000002f popad 0x00000030 test esi, esi 0x00000032 jmp 00007FF9E07FDB7Dh 0x00000037 je 00007FFA52993D33h 0x0000003d push eax 0x0000003e push edx 0x0000003f pushad 0x00000040 pushfd 0x00000041 jmp 00007FF9E07FDB83h 0x00000046 sbb ax, 65EEh 0x0000004b jmp 00007FF9E07FDB89h 0x00000050 popfd 0x00000051 mov dh, ch 0x00000053 popad 0x00000054 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 0000000004D80210 second address: 0000000004D80296 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FF9E21CCED8h 0x00000009 sub al, FFFFFF98h 0x0000000c jmp 00007FF9E21CCECBh 0x00000011 popfd 0x00000012 push esi 0x00000013 pop edx 0x00000014 popad 0x00000015 pop edx 0x00000016 pop eax 0x00000017 cmp dword ptr [esi+08h], DDEEDDEEh 0x0000001e jmp 00007FF9E21CCED2h 0x00000023 mov ecx, esi 0x00000025 jmp 00007FF9E21CCED0h 0x0000002a je 00007FFA54362FFEh 0x00000030 pushad 0x00000031 pushfd 0x00000032 jmp 00007FF9E21CCECEh 0x00000037 sub esi, 6D985D58h 0x0000003d jmp 00007FF9E21CCECBh 0x00000042 popfd 0x00000043 pushad 0x00000044 push eax 0x00000045 push edx 0x00000046 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 0000000004D80296 second address: 0000000004D802EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop edx 0x00000006 popad 0x00000007 popad 0x00000008 test byte ptr [76FA6968h], 00000002h 0x0000000f pushad 0x00000010 jmp 00007FF9E07FDB83h 0x00000015 popad 0x00000016 jne 00007FFA52993C72h 0x0000001c push eax 0x0000001d push edx 0x0000001e pushad 0x0000001f pushfd 0x00000020 jmp 00007FF9E07FDB7Bh 0x00000025 and ax, C17Eh 0x0000002a jmp 00007FF9E07FDB89h 0x0000002f popfd 0x00000030 popad 0x00000031 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 0000000004D802EF second address: 0000000004D802F5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 0000000004D802F5 second address: 0000000004D802F9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 0000000004D802F9 second address: 0000000004D802FD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 0000000004D802FD second address: 0000000004D8033C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov edx, dword ptr [ebp+0Ch] 0x0000000b jmp 00007FF9E07FDB82h 0x00000010 xchg eax, ebx 0x00000011 jmp 00007FF9E07FDB80h 0x00000016 push eax 0x00000017 jmp 00007FF9E07FDB7Bh 0x0000001c xchg eax, ebx 0x0000001d pushad 0x0000001e push eax 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 0000000004D8033C second address: 0000000004D80345 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 push ecx 0x00000008 pop edi 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 0000000004D80345 second address: 0000000004D8039D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF9E07FDB88h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a xchg eax, ebx 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e mov edx, 132A0C80h 0x00000013 pushfd 0x00000014 jmp 00007FF9E07FDB89h 0x00000019 xor cx, 3286h 0x0000001e jmp 00007FF9E07FDB81h 0x00000023 popfd 0x00000024 popad 0x00000025 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 0000000004D8039D second address: 0000000004D803A3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 0000000004D803A3 second address: 0000000004D803C3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF9E07FDB83h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c pushad 0x0000000d mov al, bl 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 0000000004D8041E second address: 0000000004D80452 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov cx, DEC7h 0x00000007 pushad 0x00000008 popad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop esi 0x0000000d jmp 00007FF9E21CCED8h 0x00000012 pop ebx 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 jmp 00007FF9E21CCECAh 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 0000000004D80452 second address: 0000000004D80461 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF9E07FDB7Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 0000000004D80461 second address: 0000000004D80467 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 0000000004D80467 second address: 0000000004D8046B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 0000000004D8046B second address: 0000000004D804A7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov esp, ebp 0x0000000a pushad 0x0000000b pushfd 0x0000000c jmp 00007FF9E21CCECDh 0x00000011 sub eax, 718B0176h 0x00000017 jmp 00007FF9E21CCED1h 0x0000001c popfd 0x0000001d mov esi, 10987867h 0x00000022 popad 0x00000023 pop ebp 0x00000024 pushad 0x00000025 pushad 0x00000026 push eax 0x00000027 push edx 0x00000028 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 0000000004DE17B1 second address: 0000000004DE17B7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 0000000004DE17B7 second address: 0000000004DE1811 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 jmp 00007FF9E21CCED6h 0x0000000e mov ebp, esp 0x00000010 pushad 0x00000011 pushfd 0x00000012 jmp 00007FF9E21CCECDh 0x00000017 adc ecx, 13362446h 0x0000001d jmp 00007FF9E21CCED1h 0x00000022 popfd 0x00000023 popad 0x00000024 push 0000007Fh 0x00000026 push eax 0x00000027 push edx 0x00000028 jmp 00007FF9E21CCECDh 0x0000002d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 0000000004DE1811 second address: 0000000004DE1854 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF9E07FDB81h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push 00000001h 0x0000000b pushad 0x0000000c pushfd 0x0000000d jmp 00007FF9E07FDB7Ch 0x00000012 xor ax, 8B48h 0x00000017 jmp 00007FF9E07FDB7Bh 0x0000001c popfd 0x0000001d movzx eax, dx 0x00000020 popad 0x00000021 push dword ptr [ebp+08h] 0x00000024 push eax 0x00000025 push edx 0x00000026 pushad 0x00000027 mov al, FBh 0x00000029 popad 0x0000002a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 0000000004DE1854 second address: 0000000004DE185A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 0000000004DE185A second address: 0000000004DE185E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 0000000004DE185E second address: 0000000004DE1862 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 0000000004DE1888 second address: 0000000004DE188C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 0000000004DE188C second address: 0000000004DE1892 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 0000000004DE1892 second address: 0000000004DE1898 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 0000000004DE1898 second address: 0000000004DE189C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 0000000004DE189C second address: 0000000004DE18A0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 0000000004DE18A0 second address: 0000000004DE17B1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop ebp 0x00000009 jmp 00007FF9E21CCED2h 0x0000000e retn 0004h 0x00000011 lea eax, dword ptr [ebp-10h] 0x00000014 push eax 0x00000015 call ebx 0x00000017 mov edi, edi 0x00000019 jmp 00007FF9E21CCED0h 0x0000001e xchg eax, ebp 0x0000001f pushad 0x00000020 mov edi, ecx 0x00000022 mov dx, ax 0x00000025 popad 0x00000026 push eax 0x00000027 push eax 0x00000028 push edx 0x00000029 pushad 0x0000002a jmp 00007FF9E21CCED0h 0x0000002f call 00007FF9E21CCED2h 0x00000034 pop ecx 0x00000035 popad 0x00000036 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 000000000127D920 second address: 000000000127D924 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 0000000004DA0915 second address: 0000000004DA091B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 0000000004D80614 second address: 0000000004D80623 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF9E07FDB7Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 0000000004D80623 second address: 0000000004D80658 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jmp 00007FF9E21CCED5h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d mov ebp, esp 0x0000000f jmp 00007FF9E21CCECEh 0x00000014 pop ebp 0x00000015 pushad 0x00000016 push eax 0x00000017 push edx 0x00000018 mov ax, 56A3h 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 0000000004D80658 second address: 0000000004D8065C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 0000000004D8065C second address: 0000000004D80665 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 0000000004DF0D02 second address: 0000000004DF0D46 instructions: 0x00000000 rdtsc 0x00000002 mov ax, EB53h 0x00000006 pop edx 0x00000007 pop eax 0x00000008 popad 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b push eax 0x0000000c mov di, B066h 0x00000010 pop edi 0x00000011 mov bl, al 0x00000013 popad 0x00000014 push eax 0x00000015 jmp 00007FF9E07FDB86h 0x0000001a xchg eax, ebp 0x0000001b jmp 00007FF9E07FDB80h 0x00000020 mov ebp, esp 0x00000022 push eax 0x00000023 push edx 0x00000024 push eax 0x00000025 push edx 0x00000026 pushad 0x00000027 popad 0x00000028 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 0000000004DF0D46 second address: 0000000004DF0D4C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 0000000004DF0D4C second address: 0000000004DF0D74 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 call 00007FF9E07FDB80h 0x0000000a pop esi 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push dword ptr [ebp+0Ch] 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 mov esi, 40C03E29h 0x00000019 movzx eax, di 0x0000001c popad 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 0000000004DF0D74 second address: 0000000004DF0D9F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov edx, ecx 0x00000005 pushfd 0x00000006 jmp 00007FF9E21CCECAh 0x0000000b sub ch, FFFFFFF8h 0x0000000e jmp 00007FF9E21CCECBh 0x00000013 popfd 0x00000014 popad 0x00000015 pop edx 0x00000016 pop eax 0x00000017 push dword ptr [ebp+08h] 0x0000001a push eax 0x0000001b push edx 0x0000001c push eax 0x0000001d push edx 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 0000000004DF0D9F second address: 0000000004DF0DA3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 0000000004DF0DA3 second address: 0000000004DF0DA7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 0000000004DF0DA7 second address: 0000000004DF0DAD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 0000000004DF0DAD second address: 0000000004DF0E3D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF9E21CCECAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 call 00007FF9E21CCEC9h 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 pop ecx 0x00000012 pop edx 0x00000013 mov edi, esi 0x00000015 popad 0x00000016 push eax 0x00000017 jmp 00007FF9E21CCECBh 0x0000001c mov eax, dword ptr [esp+04h] 0x00000020 pushad 0x00000021 mov ebx, 503AA12Ah 0x00000026 pushfd 0x00000027 jmp 00007FF9E21CCECBh 0x0000002c xor esi, 2E7B7DCEh 0x00000032 jmp 00007FF9E21CCED9h 0x00000037 popfd 0x00000038 popad 0x00000039 mov eax, dword ptr [eax] 0x0000003b jmp 00007FF9E21CCED1h 0x00000040 mov dword ptr [esp+04h], eax 0x00000044 pushad 0x00000045 push ebx 0x00000046 jmp 00007FF9E21CCECAh 0x0000004b pop eax 0x0000004c mov al, dl 0x0000004e popad 0x0000004f pop eax 0x00000050 push eax 0x00000051 push edx 0x00000052 push eax 0x00000053 push edx 0x00000054 push eax 0x00000055 push edx 0x00000056 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 0000000004DF0E3D second address: 0000000004DF0E41 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 0000000004DF0E41 second address: 0000000004DF0E45 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc

Tries to evade debugger and weak emulator (self modifying code)

Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: 00000000010CF9B7 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: 00000000010CF9E5 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: 00000000012689B2 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: 000000000129BAD8 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: 00000000012F9717 instructions caused by: Self-modifying code
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Special instruction interceptor: First address: 0000000000EAF9B7 instructions caused by: Self-modifying code
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Special instruction interceptor: First address: 0000000000EAF9E5 instructions caused by: Self-modifying code
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Special instruction interceptor: First address: 00000000010489B2 instructions caused by: Self-modifying code
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Special instruction interceptor: First address: 000000000107BAD8 instructions caused by: Self-modifying code
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Special instruction interceptor: First address: 00000000010D9717 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Special instruction interceptor: First address: 0000000000CBF9B7 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Special instruction interceptor: First address: 0000000000CBF9E5 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Special instruction interceptor: First address: 0000000000E589B2 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Special instruction interceptor: First address: 0000000000E8BAD8 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Special instruction interceptor: First address: 0000000000EE9717 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\heidizS9SzeRnCJb5\_z8_twA5gL3uyAKSYBl4.exe	Special instruction interceptor: First address: 0000000000D0BB45 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\heidizS9SzeRnCJb5\_z8_twA5gL3uyAKSYBl4.exe	Special instruction interceptor: First address: 0000000000EA6008 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\heidizS9SzeRnCJb5\_z8_twA5gL3uyAKSYBl4.exe	Special instruction interceptor: First address: 0000000000EA4F4C instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\heidizS9SzeRnCJb5\_z8_twA5gL3uyAKSYBl4.exe	Special instruction interceptor: First address: 0000000000F34E5A instructions caused by: Self-modifying code
Source: C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe	Special instruction interceptor: First address: 00000000006BBB45 instructions caused by: Self-modifying code
Source: C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe	Special instruction interceptor: First address: 0000000000856008 instructions caused by: Self-modifying code
Source: C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe	Special instruction interceptor: First address: 0000000000854F4C instructions caused by: Self-modifying code
Source: C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe	Special instruction interceptor: First address: 00000000008E4E5A instructions caused by: Self-modifying code

Source: C:\Users\user\AppData\Local\Temp\heidizS9SzeRnCJb5\_z8_twA5gL3uyAKSYBl4.exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\AppData\Local\Temp\heidizS9SzeRnCJb5\_z8_twA5gL3uyAKSYBl4.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\AppData\Local\Temp\heidizS9SzeRnCJb5\_z8_twA5gL3uyAKSYBl4.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_04D00CD4 rdtsc

0_2_04D00CD4

Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window / User API: threadDelayed 877	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window / User API: threadDelayed 1494	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window / User API: threadDelayed 1190	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window / User API: threadDelayed 1165	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window / User API: threadDelayed 1380	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window / User API: threadDelayed 1154	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window / User API: threadDelayed 1521	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window / User API: threadDelayed 425
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window / User API: threadDelayed 1069
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window / User API: threadDelayed 1195
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window / User API: threadDelayed 1165
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window / User API: threadDelayed 1149
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window / User API: threadDelayed 1215
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window / User API: threadDelayed 1168
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window / User API: threadDelayed 1197
Source: C:\Users\user\AppData\Local\Temp\heidizS9SzeRnCJb5\1zSWTheo8gASwgtmbVnB.exe	Window / User API: threadDelayed 4893

Source: C:\Users\user\Desktop\file.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\niks[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\heidi24o_MSNyMBSg\3GOT3GAXnZqbKvGYOMGC.exe	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\plaza[1].exe	Jump to dropped file
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\heidiP9l4P_8nrPQO\SCqW_P_cJpDWINh51hrr.exe	Jump to dropped file
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\heidik9H6Jk7uF4lv\TrXOE37ZBs5VYYL1rLei.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\plaza[1].exe	Jump to dropped file
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\plaza[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\well[1].exe	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\heidizS9SzeRnCJb5\N6QvjPQDZQjnaZdnVBvT.exe	Jump to dropped file
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\heidik9H6Jk7uF4lv\ApPQmeGzxQP3KtH6lKvJ.exe	Jump to dropped file
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\heidik9H6Jk7uF4lv\2fck4tppkbHBVDQlLEGf.exe	Jump to dropped file
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\heidiP9l4P_8nrPQO\Sc7F78Jv4MgkpAFnc7lD.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\heidi24o_MSNyMBSg\4cPGK95IIhu8co_GIahg.exe	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\heidizS9SzeRnCJb5\Oqz1gKr60kpGbxg1Y8oi.exe	Jump to dropped file
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\niks[1].exe	Jump to dropped file
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\heidik9H6Jk7uF4lv\Utp0jUqZeU8scbGMpad8.exe	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\heidizS9SzeRnCJb5\d34xW9C7tg9XChbetTr2.exe	Jump to dropped file
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\ladas[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\niks[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\heidi24o_MSNyMBSg\pZpo0gU01Jxx21DdQmVG.exe	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\well[1].exe	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\ladas[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\ladas[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\heidi24o_MSNyMBSg\q38g6uHDrjZFvFdWaIY2.exe	Jump to dropped file
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\heidiP9l4P_8nrPQO\3JwuiAeAcxbhUfG4qx6Q.exe	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\heidizS9SzeRnCJb5\MF0uP9gfhtzQk0nmPHvh.exe	Jump to dropped file
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\well[1].exe	Jump to dropped file
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\heidiP9l4P_8nrPQO\lraj6KX6dVjpCpYcPfhj.exe	Jump to dropped file

Source: C:\Users\user\Desktop\file.exe

Evasive API call chain: RegOpenKey,DecisionNodes,ExitProcess

graph_0-72294

Source: C:\Users\user\Desktop\file.exe TID: 2360	Thread sleep time: -30015s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 2584	Thread sleep time: -44000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 4984	Thread sleep count: 92 > 30	Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 3528	Thread sleep time: -58029s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 4984	Thread sleep count: 77 > 30	Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 2972	Thread sleep count: 33 > 30	Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 2972	Thread sleep time: -66033s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 3716	Thread sleep time: -42021s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 5824	Thread sleep time: -52026s >= -30000s	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 5788	Thread sleep count: 877 > 30	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 5788	Thread sleep time: -1754877s >= -30000s	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 3496	Thread sleep count: 1494 > 30	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 3496	Thread sleep time: -2989494s >= -30000s	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7268	Thread sleep time: -48000s >= -30000s	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 6476	Thread sleep count: 32 > 30	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 3172	Thread sleep count: 1190 > 30	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 3172	Thread sleep time: -2381190s >= -30000s	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 4284	Thread sleep count: 228 > 30	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 4284	Thread sleep time: -456228s >= -30000s	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 6380	Thread sleep count: 1165 > 30	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 6380	Thread sleep time: -2331165s >= -30000s	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 2468	Thread sleep count: 1380 > 30	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 2468	Thread sleep time: -2761380s >= -30000s	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 4432	Thread sleep count: 1154 > 30	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 4432	Thread sleep time: -2309154s >= -30000s	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 3576	Thread sleep count: 1521 > 30	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 3576	Thread sleep time: -3043521s >= -30000s	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7196	Thread sleep count: 425 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7196	Thread sleep time: -850425s >= -30000s
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 5560	Thread sleep count: 1069 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 5560	Thread sleep time: -2139069s >= -30000s
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7272	Thread sleep time: -56000s >= -30000s
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7184	Thread sleep count: 1195 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7184	Thread sleep time: -2391195s >= -30000s
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7172	Thread sleep count: 1165 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7172	Thread sleep time: -2331165s >= -30000s
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7188	Thread sleep count: 1149 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7188	Thread sleep time: -2299149s >= -30000s
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7180	Thread sleep count: 1215 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7180	Thread sleep time: -2431215s >= -30000s
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7176	Thread sleep count: 1168 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7176	Thread sleep time: -2337168s >= -30000s
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7192	Thread sleep count: 1197 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7192	Thread sleep time: -2395197s >= -30000s
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7508	Thread sleep time: -44022s >= -30000s
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7512	Thread sleep time: -32016s >= -30000s
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7700	Thread sleep time: -44000s >= -30000s
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7420	Thread sleep count: 42 > 30
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7520	Thread sleep time: -46023s >= -30000s
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7516	Thread sleep time: -44022s >= -30000s
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7528	Thread sleep time: -44022s >= -30000s
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7524	Thread sleep time: -42021s >= -30000s
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7532	Thread sleep time: -32016s >= -30000s
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7536	Thread sleep time: -36018s >= -30000s
Source: C:\Windows\System32\SIHClient.exe TID: 7768	Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\heidizS9SzeRnCJb5\1zSWTheo8gASwgtmbVnB.exe TID: 7812	Thread sleep time: -48930s >= -30000s
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 9420	Thread sleep count: 104 > 30

Source: C:\Windows\System32\SIHClient.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS

Source: C:\Windows\System32\SIHClient.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\heidizS9SzeRnCJb5\1zSWTheo8gASwgtmbVnB.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\AppData\Local\Temp\heidizS9SzeRnCJb5\1zSWTheo8gASwgtmbVnB.exe

Thread sleep count: Count: 4893 delay: -10

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F9C050 FindFirstFileA,FindNextFileA,SetFileAttributesA,RemoveDirectoryA,__Mtx_unlock,	0_2_00F9C050
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0106B4E5 FindFirstFileExW,	0_2_0106B4E5
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 8_2_00B8C050 FindFirstFileA,FindNextFileA,SetFileAttributesA,RemoveDirectoryA,__Mtx_unlock,	8_2_00B8C050
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 8_2_00C5B4E5 recv,FindFirstFileExW,	8_2_00C5B4E5

Source: MPGPH131.exe, 00000006.00000003.2085905258.00000000005F2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}J
Source: MPGPH131.exe, 00000007.00000003.2421390075.0000000005C47000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: formVMware20,11696428655
Source: RageMP131.exe, 00000008.00000002.2980143223.000000000050F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWx
Source: MPGPH131.exe, 00000007.00000003.2451025348.0000000005C51000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: MPGPH131.exe, 00000007.00000003.2451025348.0000000005C51000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: MPGPH131.exe, 00000007.00000003.2421390075.0000000005C47000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - GDCDYNVMware20,116p
Source: MPGPH131.exe, 00000007.00000003.2451025348.0000000005C51000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696428655
Source: MPGPH131.exe, 00000007.00000003.2421390075.0000000005C47000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696H
Source: MPGPH131.exe, 00000007.00000003.2421390075.0000000005C47000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ccount.microsoft.com/profileVMware20,11696428655u
Source: file.exe, 00000000.00000002.2976955927.000000000091C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2976955927.00000000008F2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2389626209.000000000091C000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.2980143223.0000000000538000.00000004.00000020.00020000.00000000.sdmp, SIHClient.exe, 00000009.00000002.2893638622.0000020573A07000.00000004.00000020.00020000.00000000.sdmp, SIHClient.exe, 00000009.00000003.2576373237.00000205739B5000.00000004.00000020.00020000.00000000.sdmp, SIHClient.exe, 00000009.00000002.2893638622.00000205739B5000.00000004.00000020.00020000.00000000.sdmp, SIHClient.exe, 00000009.00000003.2576373237.0000020573A07000.00000004.00000020.00020000.00000000.sdmp, SIHClient.exe, 00000009.00000003.2565092652.00000205739B5000.00000004.00000020.00020000.00000000.sdmp, SIHClient.exe, 00000009.00000003.2185170867.0000020573A07000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000002.2896368868.0000000001496000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: MPGPH131.exe, 00000007.00000003.2451025348.0000000005C51000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: RageMP131.exe, 0000001A.00000002.2896368868.0000000001461000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}5
Source: RageMP131.exe, 00000008.00000003.2190955161.0000000000523000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: RageMP131.exe, 00000008.00000002.3051142522.0000000005AD0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}438029,ijd96734:409016,1c484819:413463,0188i430:410947,74g97287:426089,3cej0868:387697,bi4f4994:450434,j4d0f649:415920,be37a759:398467,9cc60973:411866,downarrowscrollwithtriggernew:379502,nonfloatingwithouttoggle:430356,f7bdg612:421301,d78jg254:440485,60a06606:446395,e8455899:433611,ed254:256435,a5g3j174:427088,domexpansion_v1:408272,sidepanecashbackclickv1:392715,ed429:371711,savingsyesui:360239,0iie5378:378326,j3jdi477:407165,g9744299:382390,0ce12802:395899,ed0317:378541,e5097847:376095,d699f664:417781,v1_newnotificationsettingsu:371743,13gjf650:361709,2chfa640:363442,edse218:361564,i5ceh755:348150,pcproductbyregexenus:345020,2ae48381:440529,i4d2e897:416850,0cdi8526:390116,158hf900:358403,edpas404:384675,followablewebwpo:339322,1ebea465:393468,72dhd990:347218,b5691989:400307,v11_aocgroups2and3:393492,d8ej1711:320853,edtok960:350910,deepeelogging1:296539,etreeapiv15:300838,hjd07315:315108,6fh95461:311640,gserpas:292001,edenh823:312573,i8id9958:449025,923e2685:283690,2fche262:263263,v1_onlineselextraction:330872,externalmidrange3:261503,htmlfragmentcollectionv1:285601,edklo447:358232,designershoreline-215:384841,edweb468:191638,ed672:193569,linkui:417512,ededg840:189491","EdgeConfig":"P-R-1141099-1-3,P-R-1136586-1-6,P-R-1136203-1-4,P-R-1133477-1-4,P-R-1132367-1-7,P-R-1132544-1-6,P-R-1132175-1-3,P-R-1130507-1-5,P-R-1113531-4-9,P-R-1108562-1-7,P-R-1103742-4-6,P-R-1099640-1-4,P-R-1098501-1-7,P-R-1095721-1-7,P-R-1090419-1-5,P-R-1082109-1-6,P-R-1082170-11-25,P-R-1080066-1-13,P-R-1077170-1-3,P-R-1060324-1-5,P-R-1052391-1-8,P-R-1039913-1-16,P-R-1036635-2-5,P-R-110491-23-70,P-R-68474-9-12,P-R-61206-14-17,P-R-61153-10-15,P-R-45373-8-85,P-R-46265-41-100","EdgeDomainActions":"P-R-1093245-1-12,P-R-1037936-1-9,P-R-1024693-1-9,P-R-108604-1-34,P-R-78
Source: MPGPH131.exe, 00000007.00000003.2421390075.0000000005C47000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: eVMware20,11696428655
Source: MPGPH131.exe, 00000007.00000003.2421390075.0000000005C47000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,1169642865
Source: MPGPH131.exe, 00000007.00000003.2421390075.0000000005C47000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: r global passwords blocklistVMware20,11696428655
Source: MPGPH131.exe, 00000007.00000003.2451025348.0000000005C51000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: MPGPH131.exe, 00000007.00000003.2421390075.0000000005C47000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware20,11696428655
Source: RageMP131.exe, 00000008.00000002.2980143223.000000000050F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000&
Source: MPGPH131.exe, 00000007.00000003.2451025348.0000000005C51000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696428655
Source: MPGPH131.exe, 00000007.00000003.2451025348.0000000005C51000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696428655o
Source: MPGPH131.exe, 00000007.00000003.2451025348.0000000005C51000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: MPGPH131.exe, 00000007.00000003.2451025348.0000000005C51000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: RageMP131.exe, 0000001A.00000003.2423709938.0000000001461000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}a
Source: MPGPH131.exe, 00000007.00000003.2451025348.0000000005C51000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: RageMP131.exe, 0000001A.00000002.2896368868.0000000001461000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_diw
Source: MPGPH131.exe, 00000007.00000003.2451025348.0000000005C51000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: firefox.exe, 00000029.00000003.2299483431.000001FB805A5000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000029.00000003.2301349556.000001FB805A5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWPl_
Source: MPGPH131.exe, 00000007.00000003.2421390075.0000000005C47000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CT name, value FROM autofillmain'.sqlite_masterr global passwords blocklistVMware20,11696428655
Source: MPGPH131.exe, 00000007.00000003.2421390075.0000000005C47000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ra Change Transaction PasswordVMware20,11696428655
Source: file.exe, 00000000.00000002.2976955927.000000000091C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2389626209.000000000091C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWen-GBnl
Source: MPGPH131.exe, 00000007.00000003.2421390075.0000000005C47000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: o.inVMware20,11696428655~
Source: MPGPH131.exe, 00000007.00000003.2451025348.0000000005C51000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: MPGPH131.exe, 00000006.00000003.2085905258.00000000005F2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}u
Source: MPGPH131.exe, 00000007.00000003.2451025348.0000000005C51000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
Source: file.exe, file.exe, 00000000.00000002.2987492068.000000000124D000.00000040.00000001.01000000.00000003.sdmp, RageMP131.exe, RageMP131.exe, 00000008.00000002.2994677119.0000000000E3D000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 0000001A.00000002.2884459256.0000000000E3D000.00000040.00000001.01000000.00000006.sdmp, MSIUpdaterV131.exe, 00000021.00000002.2978192451.0000000000838000.00000040.00000001.01000000.0000000B.sdmp	Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: MPGPH131.exe, 00000007.00000003.2451025348.0000000005C51000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: RageMP131.exe, 0000001A.00000002.2896368868.000000000142B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000&
Source: file.exe, 00000000.00000002.2976955927.00000000008F2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
Source: MPGPH131.exe, 00000007.00000003.2451025348.0000000005C51000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696428655f
Source: RageMP131.exe, 0000001A.00000003.2423709938.0000000001459000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: MPGPH131.exe, 00000007.00000003.2451025348.0000000005C51000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: MPGPH131.exe, 00000007.00000003.2421390075.0000000005C47000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: HARtive Brokers - non-EU EuropeVMware20,11696428655
Source: MPGPH131.exe, 00000007.00000003.2451025348.0000000005C51000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: MPGPH131.exe, 00000007.00000003.2451025348.0000000005C51000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: MPGPH131.exe, 00000007.00000003.2421390075.0000000005C47000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696428
Source: MPGPH131.exe, 00000007.00000003.2085856183.00000000008EE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-
Source: MPGPH131.exe, 00000007.00000003.2451025348.0000000005C51000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696428655\|UE
Source: MPGPH131.exe, 00000007.00000003.2421390075.0000000005C47000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: comVMware20,11696428655o
Source: file.exe, 00000000.00000002.3045108093.0000000005C60000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}sion Settings\imloifkgjagghnncjkhggdhalmcnfklk\CURRENTTNT)(.Ya
Source: MPGPH131.exe, 00000007.00000003.2451025348.0000000005C51000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: MPGPH131.exe, 00000007.00000003.2451025348.0000000005C51000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: MPGPH131.exe, 00000007.00000003.2451025348.0000000005C51000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: MPGPH131.exe, 00000007.00000003.2451025348.0000000005C51000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: MPGPH131.exe, 00000007.00000003.2451025348.0000000005C51000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696428655s
Source: MPGPH131.exe, 00000007.00000003.2451025348.0000000005C51000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: MPGPH131.exe, 00000007.00000003.2451025348.0000000005C51000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: MPGPH131.exe, 00000007.00000003.2451025348.0000000005C51000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: MPGPH131.exe, 00000007.00000003.2421390075.0000000005C47000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: rootpagecomVMware20,11696428655o
Source: MPGPH131.exe, 00000007.00000003.2451025348.0000000005C51000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: MPGPH131.exe, 00000007.00000003.2421390075.0000000005C47000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: pageformVMware20,11696428655
Source: MPGPH131.exe, 00000007.00000003.2451025348.0000000005C51000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696428655j
Source: MPGPH131.exe, 00000007.00000003.2451025348.0000000005C51000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: MPGPH131.exe, 00000007.00000003.2421390075.0000000005C47000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: tive Brokers - non-EU EuropeVMware20,11696428655
Source: RageMP131.exe, 0000001A.00000003.2423709938.0000000001461000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}4
Source: RageMP131.exe, 0000001A.00000002.2896368868.0000000001496000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW>
Source: file.exe, 00000000.00000002.2987492068.000000000124D000.00000040.00000001.01000000.00000003.sdmp, RageMP131.exe, 00000008.00000002.2994677119.0000000000E3D000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 0000001A.00000002.2884459256.0000000000E3D000.00000040.00000001.01000000.00000006.sdmp, MSIUpdaterV131.exe, 00000021.00000002.2978192451.0000000000838000.00000040.00000001.01000000.0000000B.sdmp	Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: MPGPH131.exe, 00000007.00000003.2451025348.0000000005C51000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h

Source: C:\Users\user\Desktop\file.exe

System information queried: ModuleInformation

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Hides threads from debuggers

Source: C:\Users\user\Desktop\file.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Thread information set: HideFromDebugger
Source: C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe	Thread information set: HideFromDebugger
Source: C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\heidizS9SzeRnCJb5\_z8_twA5gL3uyAKSYBl4.exe	Thread information set: HideFromDebugger

Potentially malicious time measurement code found

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_04DF02FF Start: 04DF039F End: 04DF0325	0_2_04DF02FF
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 8_2_04B10A3E Start: 04B10B29 End: 04B10A5A	8_2_04B10A3E
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 8_2_04BD0E60 Start: 04BD0EC9 End: 04BD0E74	8_2_04BD0E60

Tries to detect sandboxes and other dynamic analysis tools (window names)

Source: C:\Users\user\AppData\Local\Temp\heidizS9SzeRnCJb5\_z8_twA5gL3uyAKSYBl4.exe	Open window title or class name: regmonclass
Source: C:\Users\user\AppData\Local\Temp\heidizS9SzeRnCJb5\_z8_twA5gL3uyAKSYBl4.exe	Open window title or class name: gbdyllo
Source: C:\Users\user\AppData\Local\Temp\heidizS9SzeRnCJb5\_z8_twA5gL3uyAKSYBl4.exe	Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\heidizS9SzeRnCJb5\_z8_twA5gL3uyAKSYBl4.exe	Open window title or class name: procmon_window_class
Source: C:\Users\user\AppData\Local\Temp\heidizS9SzeRnCJb5\_z8_twA5gL3uyAKSYBl4.exe	Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\heidizS9SzeRnCJb5\_z8_twA5gL3uyAKSYBl4.exe	Open window title or class name: ollydbg
Source: C:\Users\user\AppData\Local\Temp\heidizS9SzeRnCJb5\_z8_twA5gL3uyAKSYBl4.exe	Open window title or class name: filemonclass
Source: C:\Users\user\AppData\Local\Temp\heidizS9SzeRnCJb5\_z8_twA5gL3uyAKSYBl4.exe	Open window title or class name: file monitor - sysinternals: www.sysinternals.com

Source: C:\Users\user\AppData\Local\Temp\heidizS9SzeRnCJb5\_z8_twA5gL3uyAKSYBl4.exe	File opened: NTICE
Source: C:\Users\user\AppData\Local\Temp\heidizS9SzeRnCJb5\_z8_twA5gL3uyAKSYBl4.exe	File opened: SICE
Source: C:\Users\user\AppData\Local\Temp\heidizS9SzeRnCJb5\_z8_twA5gL3uyAKSYBl4.exe	File opened: SIWVID

Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Process queried: DebugPort	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Process queried: DebugPort	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Process queried: DebugPort	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Process queried: DebugPort
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Process queried: DebugPort
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Process queried: DebugPort
Source: C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe	Process queried: DebugPort
Source: C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe	Process queried: DebugPort
Source: C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe	Process queried: DebugPort
Source: C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe	Process queried: DebugPort
Source: C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe	Process queried: DebugPort
Source: C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\heidizS9SzeRnCJb5\_z8_twA5gL3uyAKSYBl4.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\heidizS9SzeRnCJb5\_z8_twA5gL3uyAKSYBl4.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\heidizS9SzeRnCJb5\_z8_twA5gL3uyAKSYBl4.exe	Process queried: DebugPort

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_04D00CD4 rdtsc

0_2_04D00CD4

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FA4B00 mov eax, dword ptr fs:[00000030h]		0_2_00FA4B00
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 8_2_00B94B00 mov eax, dword ptr fs:[00000030h]		8_2_00B94B00

Source: C:\Users\user\Desktop\file.exe	Process created: C:\Users\user\AppData\Local\Temp\heidizS9SzeRnCJb5\1zSWTheo8gASwgtmbVnB.exe "C:\Users\user\AppData\Local\Temp\heidizS9SzeRnCJb5\1zSWTheo8gASwgtmbVnB.exe"	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Users\user\AppData\Local\Temp\heidizS9SzeRnCJb5\_z8_twA5gL3uyAKSYBl4.exe "C:\Users\user\AppData\Local\Temp\heidizS9SzeRnCJb5\_z8_twA5gL3uyAKSYBl4.exe"	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Process created: unknown unknown
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Process created: unknown unknown
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Process created: C:\Windows\System32\SIHClient.exe C:\Windows\System32\sihclient.exe /cv oDBIuu78qUSLDogbPZYF5w.0.2
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Process created: unknown unknown
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Process created: unknown unknown
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\heidizS9SzeRnCJb5\1zSWTheo8gASwgtmbVnB.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://www.youtube.com/
Source: C:\Users\user\AppData\Local\Temp\heidizS9SzeRnCJb5\1zSWTheo8gASwgtmbVnB.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://www.linkedin.com/login
Source: C:\Users\user\AppData\Local\Temp\heidizS9SzeRnCJb5\1zSWTheo8gASwgtmbVnB.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://www.facebook.com/video
Source: C:\Users\user\AppData\Local\Temp\heidizS9SzeRnCJb5\1zSWTheo8gASwgtmbVnB.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://accounts.google.com/
Source: C:\Users\user\AppData\Local\Temp\heidizS9SzeRnCJb5\1zSWTheo8gASwgtmbVnB.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" https://www.youtube.com
Source: C:\Users\user\AppData\Local\Temp\heidizS9SzeRnCJb5\1zSWTheo8gASwgtmbVnB.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" https://www.facebook.com/video
Source: C:\Users\user\AppData\Local\Temp\heidizS9SzeRnCJb5\1zSWTheo8gASwgtmbVnB.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" https://accounts.google.com
Source: C:\Users\user\AppData\Local\Temp\heidizS9SzeRnCJb5\1zSWTheo8gASwgtmbVnB.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com
Source: C:\Users\user\AppData\Local\Temp\heidizS9SzeRnCJb5\1zSWTheo8gASwgtmbVnB.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.facebook.com/video
Source: C:\Users\user\AppData\Local\Temp\heidizS9SzeRnCJb5\1zSWTheo8gASwgtmbVnB.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" https://accounts.google.com
Source: C:\Users\user\AppData\Local\Temp\heidizS9SzeRnCJb5\1zSWTheo8gASwgtmbVnB.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com
Source: C:\Users\user\AppData\Local\Temp\heidizS9SzeRnCJb5\1zSWTheo8gASwgtmbVnB.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.facebook.com/video
Source: C:\Users\user\AppData\Local\Temp\heidizS9SzeRnCJb5\1zSWTheo8gASwgtmbVnB.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com
Source: C:\Users\user\AppData\Local\Temp\heidizS9SzeRnCJb5\_z8_twA5gL3uyAKSYBl4.exe	Process created: unknown unknown

Source: file.exe, 00000000.00000003.2426464372.0000000006328000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2953181412.0000000005C88000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.2992008424.00000000064F9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: file.exe, file.exe, 00000000.00000002.2987492068.000000000124D000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: \Program Manager

Source: C:\Users\user\Desktop\file.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0

Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Queries volume information: C:\ VolumeInformation
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Queries volume information: C:\ VolumeInformation

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0106CE0B GetSystemTimePreciseAsFileTime,GetSystemTimePreciseAsFileTime,

0_2_0106CE0B

Source: C:\Users\user\Desktop\file.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Amadeys stealer DLL

Source: Yara match	File source: 44.2._z8_twA5gL3uyAKSYBl4.exe.ca0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 42.2.MSIUpdaterV131.exe.650000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.2.MSIUpdaterV131.exe.650000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000021.00000002.2976732828.0000000000651000.00000040.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000003.2482885181.0000000004BF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002A.00000002.2883089894.0000000000651000.00000040.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match	File source: 0000002A.00000003.2481062424.0000000004FA0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002C.00000002.2976908105.0000000000CA1000.00000040.00000001.01000000.00000010.sdmp, type: MEMORY
Source: Yara match	File source: 0000002C.00000003.2396808803.0000000004F00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Yara detected RisePro Stealer

Source: Yara match	File source: 00000008.00000002.2980143223.000000000059F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2980143223.00000000005A4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\h8ozYGRfpZBL_1uFxRWmLJY.zip, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\7VjcYwCMF_u_3bGwi0Uji59.zip, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\NsDq1AXD5Zu7PIsqGltDvI0.zip, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\Ci0SBvvC_ABy4cFBW3g7apa.zip, type: DROPPED

Found many strings related to Crypto-Wallets (likely being stolen)

Source: MPGPH131.exe, 00000007.00000003.2698422754.000000000099F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: C:\Users\user\AppData\Roaming\Electrum\wallets
Source: file.exe, 00000000.00000003.2108276656.000000000097E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Jaxx Liberty Extension
Source: MPGPH131.exe, 00000007.00000003.2698422754.000000000099F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \AppData\Roaming\Exodus\exodus.wallet
Source: MPGPH131.exe, 00000007.00000003.2698422754.000000000099F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \AppData\Roaming\Exodus\exodus.wallet
Source: RageMP131.exe, 00000008.00000002.3051142522.0000000005AD0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: t\user\AppData\Roaming\Binance\app-store.json

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\yiaxs5ej.default\formhistory.sqlite
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\kncchdigobghenbbaddojjnnaogfppfj\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\blnieiiffboillknjnepogjhkgnoapac\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\chrome-extension_cjelfplplebdjjenllpjcblmjkfcffne_0.indexeddb.leveldb\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\yiaxs5ej.default\signons.sqlite
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\logins.json
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\yiaxs5ej.default\cookies.sqlite
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\formhistory.sqlite
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\LocalPrefs.json
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\yiaxs5ej.default\places.sqlite
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\signons.sqlite
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\yiaxs5ej.default\logins.json
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\chrome-extension_blnieiiffboillknjnepogjhkgnoapac_0.indexeddb.leveldb\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\kpfopkelmapcoipemfendmdcghnegimn\CURRENT

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Remote Access Functionality

Yara detected RisePro Stealer

Source: Yara match	File source: 00000008.00000002.2980143223.000000000059F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2980143223.00000000005A4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\h8ozYGRfpZBL_1uFxRWmLJY.zip, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\7VjcYwCMF_u_3bGwi0Uji59.zip, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\NsDq1AXD5Zu7PIsqGltDvI0.zip, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\Ci0SBvvC_ABy4cFBW3g7apa.zip, type: DROPPED

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	1 OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	2 Command and Scripting Interpreter	11 Scheduled Task/Job	1 Extra Window Memory Injection	4 Obfuscated Files or Information	LSASS Memory	2 File and Directory Discovery	Remote Desktop Protocol	2 Data from Local System	2 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	11 Scheduled Task/Job	121 Registry Run Keys / Startup Folder	12 Process Injection	12 Software Packing	Security Account Manager	245 System Information Discovery	SMB/Windows Admin Shares	1 Email Collection	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	11 Scheduled Task/Job	1 DLL Side-Loading	NTDS	1 Query Registry	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	121 Registry Run Keys / Startup Folder	1 File Deletion	LSA Secrets	751 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Extra Window Memory Injection	Cached Domain Credentials	26 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	11 Masquerading	DCSync	3 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	26 Virtualization/Sandbox Evasion	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	12 Process Injection	/etc/passwd and /etc/shadow	1 Remote System Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
file.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\AdobeUpdaterV131\AdobeUpdaterV131.exe	100%	Avira	TR/Crypt.TPM.Gen
C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe	100%	Avira	TR/Crypt.TPM.Gen
C:\Users\user\AppData\Local\AdobeUpdaterV131\AdobeUpdaterV131.exe	100%	Joe Sandbox ML
C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe	100%	Joe Sandbox ML
C:\ProgramData\MPGPH131\MPGPH131.exe	100%	Joe Sandbox ML
C:\ProgramData\MPGPH131\MPGPH131.exe	54%	Virustotal		Browse
C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe	60%	Virustotal		Browse
C:\Users\user\AppData\Local\AdobeUpdaterV131\AdobeUpdaterV131.exe	60%	Virustotal		Browse
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\fu[1].exe	33%	Virustotal		Browse
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\ladas[1].exe	53%	Virustotal		Browse
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\niks[1].exe	56%	Virustotal		Browse
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\well[1].exe	29%	Virustotal		Browse
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\amert[1].exe	60%	Virustotal		Browse
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\ladas[1].exe	53%	Virustotal		Browse
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\niks[1].exe	56%	Virustotal		Browse
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\plaza[1].exe	55%	Virustotal		Browse
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\well[1].exe	29%	Virustotal		Browse
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\ladas[1].exe	53%	Virustotal		Browse
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\plaza[1].exe	55%	Virustotal		Browse
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\well[1].exe	29%	Virustotal		Browse
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\amert[1].exe	60%	Virustotal		Browse
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\amert[2].exe	60%	Virustotal		Browse
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\fu[1].exe	33%	Virustotal		Browse
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\fu[2].exe	33%	Virustotal		Browse
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\niks[1].exe	56%	Virustotal		Browse
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\plaza[1].exe	55%	Virustotal		Browse

Source	Detection	Scanner	Label	Link
https://www.youtube.com--attempting-deelevation	0%	URL Reputation	safe
http://crl.micro	0%	URL Reputation	safe
https://account.bellmedia.c	0%	URL Reputation	safe
http://r3.o.lencr.org0	0%	URL Reputation	safe
http://185.215.113.46/cost/ladas.exe(;	100%	Avira URL Cloud	malware
http://185.215.113.46/cost/ladas.exesive.dll	100%	Avira URL Cloud	malware
http://185.215.113.46/cost/ladas.exeidi	100%	Avira URL Cloud	malware
http://185.215.113.46/cost/fu.exeagernt	100%	Avira URL Cloud	malware
http://185.215.113.46/cost/fu.exe	100%	Avira URL Cloud	malware
http://185.215.113.46/mine/amert.exe	100%	Avira URL Cloud	malware
http://185.215.113.46/mine/amert.exe	21%	Virustotal		Browse
http://185.215.113.46/cost/fu.exe	24%	Virustotal		Browse
https://www.bbc.co.uk/	0%	Avira URL Cloud	safe
http://127.0.0.1:	0%	Avira URL Cloud	safe
http://185.215.113.46/cost/ladas.exesive.dll	14%	Virustotal		Browse
https://www.bbc.co.uk/	0%	Virustotal		Browse
https://accounts.google.comC:	0%	Avira URL Cloud	safe
https://www.youtube.comMOZ_CRASHREPORTER_STRINGS_OVERRIDE=C:	0%	Avira URL Cloud	safe
http://185.215.113.46/cost/well.exe	100%	Avira URL Cloud	malware
https://www.youtube.comd	0%	Avira URL Cloud	safe
http://185.215.113.46/cost/ladas.exe	100%	Avira URL Cloud	malware
https://www.youtube.comC:	0%	Avira URL Cloud	safe
http://r3.i.lencr.org/0.	0%	Avira URL Cloud	safe
http://185.215.113.46/mine/plaza.exeidizS9SzeRnCJb5Z-4X	100%	Avira URL Cloud	malware
http://185.215.113.46/cost/ladas.exeb	100%	Avira URL Cloud	malware
http://r3.i.lencr.org/0.	0%	Virustotal		Browse
http://185.215.113.46/cost/ladas.exe	20%	Virustotal		Browse
http://185.215.113.46/cost/ladas.exeb	16%	Virustotal		Browse
http://185.215.113.46/cost/well.exe	22%	Virustotal		Browse

Name	Source	Malicious	Antivirus Detection	Reputation
https://ipinfo.io:443/widget/demo/191.96.227.222T	RageMP131.exe, 00000008.00000002.2980143223.0000000000538000.00000004.00000020.00020000.00000000.sdmp	false		high
https://duckduckgo.com/chrome_newtab	file.exe, 00000000.00000003.2116611037.0000000005D2C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2113465149.0000000005C8F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2124224620.0000000005D2C000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2200308328.0000000005D73000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2181499507.0000000005D73000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.2187770588.0000000005C56000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.2120275076.0000000005C35000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.2421390075.0000000005C47000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.2451025348.0000000005C51000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.2128210493.0000000005C35000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.2272359442.00000000005C4000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.2301947459.0000000005C08000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.avito.ru/	firefox.exe, 00000029.00000003.2475084912.000001FB9655F000.00000004.00000800.00020000.00000000.sdmp	false		high
https://duckduckgo.com/ac/?q=	file.exe, 00000000.00000003.2116611037.0000000005D2C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2113465149.0000000005C8F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2124224620.0000000005D2C000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2200308328.0000000005D73000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2181499507.0000000005D73000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.2187770588.0000000005C56000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.2120275076.0000000005C35000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.2421390075.0000000005C47000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.2451025348.0000000005C51000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.2128210493.0000000005C35000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.2272359442.00000000005C4000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.2301947459.0000000005C08000.00000004.00000020.00020000.00000000.sdmp	false		high
https://ipinfo.io/widget/demo/191.96.227.222B	RageMP131.exe, 0000001A.00000002.2896368868.000000000142B000.00000004.00000020.00020000.00000000.sdmp	false		high
https://getpocket.cdn.mozilla.net/v3/firefox/trending-topics?version=2&consumer_key=$apiKey&locale_l	firefox.exe, 00000029.00000003.2691872849.000001FB98DAD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000029.00000003.2854768436.000001FB98DAD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000029.00000003.2895883925.000001FB98DAD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000029.00000003.3002271050.000001FB98DAD000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.youtube.com/YouTube	MPGPH131.exe, 00000007.00000003.2614228154.0000000005C25000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.2616339617.0000000005C2A000.00000004.00000020.00020000.00000000.sdmp	false		high
http://185.215.113.46/mine/amert.exe	file.exe, 00000000.00000002.2976955927.000000000091C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2389626209.000000000091C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2389626209.000000000097B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2976955927.000000000097B000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.2980143223.0000000000538000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000002.2896368868.0000000001496000.00000004.00000020.00020000.00000000.sdmp	false	21%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://185.215.113.46/cost/ladas.exesive.dll	file.exe, 00000000.00000002.3048475504.0000000005D60000.00000004.00000020.00020000.00000000.sdmp	true	14%, Virustotal, Browse Avira URL Cloud: malware	unknown
https://spocs.getpocket.com	firefox.exe, 00000029.00000003.2436535853.000001FB92737000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000029.00000003.2935452112.000001FB9654D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000029.00000003.2861010042.000001FB9654D000.00000004.00000800.00020000.00000000.sdmp	false		high
https://accounts.google.com/	firefox.exe, 00000029.00000003.2895883925.000001FB98DBE000.00000004.00000800.00020000.00000000.sdmp	false		high
http://185.215.113.46/cost/ladas.exe(;	file.exe, 00000000.00000002.3048475504.0000000005D60000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://185.215.113.46/cost/ladas.exeidi	RageMP131.exe, 00000008.00000002.2980143223.00000000004DE000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://poczta.interia.pl/mh/?mailto=%s	firefox.exe, 00000029.00000003.2362378100.000001FB8E6DE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000029.00000003.2363088949.000001FB8E6DE000.00000004.00000800.00020000.00000000.sdmp	false		high
https://safebrowsing.google.com/safebrowsing/gethash?client=SAFEBROWSING_ID&appver=118.0&pver=2.2	firefox.exe, 00000029.00000003.2854768436.000001FB98DBE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000029.00000003.2691798188.000001FB98DC0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000029.00000003.3002271050.000001FB98DBE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000029.00000003.2895883925.000001FB98DBE000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.leboncoin.fr/	firefox.exe, 00000029.00000003.2475084912.000001FB9655F000.00000004.00000800.00020000.00000000.sdmp	false		high
https://spocs.getpocket.com/spocs	firefox.exe, 00000029.00000003.2461036451.000001FB9BEF9000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ipinfo.io/nProtM	RageMP131.exe, 0000001A.00000002.2896368868.000000000142B000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.youtube.com	firefox.exe, 00000027.00000002.2303785942.00000226FD9C0000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000029.00000003.2483237784.000001FB91FC8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000029.00000003.2901527515.000001FB98D76000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000029.00000003.2854768436.000001FB98D76000.00000004.00000800.00020000.00000000.sdmp	false		high
https://shavar.services.mozilla.com	firefox.exe, 00000029.00000003.2560855040.000001FB912E2000.00000004.00000800.00020000.00000000.sdmp	false		high
https://completion.amazon.com/search/complete?q=	firefox.exe, 00000029.00000003.2353070103.000001FB8E965000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000029.00000003.2352450205.000001FB8E924000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000029.00000003.2353477536.000001FB8E985000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000029.00000003.2352149654.000001FB8EA00000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000029.00000003.2352761725.000001FB8E944000.00000004.00000800.00020000.00000000.sdmp	false		high
https://weibo.com/	firefox.exe, 00000029.00000003.2475084912.000001FB9655F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000029.00000003.2464067429.000001FB98DFB000.00000004.00000800.00020000.00000000.sdmp	false		high
https://github.com/w3c/csswg-drafts/issues/4650	firefox.exe, 00000029.00000003.2700062119.000001FB98684000.00000004.00000800.00020000.00000000.sdmp	false		high
https://e.mail.ru/cgi-bin/sentmsg?mailto=%s	firefox.exe, 00000029.00000003.2741108156.000001FB8E577000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000029.00000003.2734590873.000001FB8E577000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000029.00000003.2362378100.000001FB8E6DE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000029.00000003.2363088949.000001FB8E6DE000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.amazon.com/exec/obidos/external-search/	firefox.exe, 00000029.00000003.2703606554.000001FB984F9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000029.00000003.2352761725.000001FB8E944000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.msn.com	firefox.exe, 00000029.00000003.2472568638.000001FB9732E000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contile.services.mozilla.com/	firefox.exe, 00000029.00000003.2475084912.000001FB965FA000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.youtube.com--attempting-deelevation	firefox.exe, 00000027.00000002.2303785942.00000226FD9C0000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://github.com/mozilla-services/screenshots	firefox.exe, 00000029.00000003.2353070103.000001FB8E965000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000029.00000003.2352450205.000001FB8E924000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000029.00000003.2352149654.000001FB8EA00000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000029.00000003.2352761725.000001FB8E944000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.reddit.com/	firefox.exe, 00000029.00000003.2461036451.000001FB9BEF9000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.amazon.ca/	firefox.exe, 00000029.00000003.2475084912.000001FB9655F000.00000004.00000800.00020000.00000000.sdmp	false		high
https://firefox-settings-attachments.cdn.mozilla.net/main-workspace/ms-images/706c7a85-cf23-442e-8a9	firefox.exe, 00000029.00000003.2457073466.000001FB8FCAF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000029.00000003.2455731909.000001FB8FC82000.00000004.00000800.00020000.00000000.sdmp	false		high
http://185.215.113.46/cost/fu.exe	file.exe, 00000000.00000003.2389626209.000000000091C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.3046630470.0000000005D2D000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.2980143223.0000000000538000.00000004.00000020.00020000.00000000.sdmp	false	24%, Virustotal, Browse Avira URL Cloud: malware	unknown
https://addons.mozilla.org/firefox/addon/facebook-container/	firefox.exe, 00000029.00000003.2477590188.000001FB927F3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000029.00000003.2433245091.000001FB927F3000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.ebay.de/	firefox.exe, 00000029.00000003.2475084912.000001FB9655F000.00000004.00000800.00020000.00000000.sdmp	false		high
http://185.215.113.46/cost/fu.exeagernt	file.exe, 00000000.00000002.2976955927.000000000091C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2389626209.000000000091C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://www.amazon.com/	firefox.exe, 00000029.00000003.2461036451.000001FB9BEF9000.00000004.00000800.00020000.00000000.sdmp	false		high
https://shavar.services.mozilla.com/downloads?client=SAFEBROWSING_ID&appver=118.0&pver=2.2	firefox.exe, 00000029.00000003.2691798188.000001FB98DC0000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.google.com/search?client=firefox-b-d&q=	firefox.exe, 00000029.00000003.2461036451.000001FB9BEF9000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ipinfo.io/https://www.maxmind.com/en/locate-my-ip-addressWs2_32.dll	file.exe, 00000000.00000002.2980859971.0000000000F91000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000003.1999562541.0000000004B90000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2065812545.0000000004A20000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.2066983405.0000000004BB0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.2991732572.0000000000B81000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000008.00000003.2168758239.0000000004950000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000002.2878089392.0000000000B81000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 0000001A.00000003.2360402306.0000000005230000.00000004.00001000.00020000.00000000.sdmp	false		high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	file.exe, 00000000.00000003.2116611037.0000000005D2C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2113465149.0000000005C8F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2124224620.0000000005D2C000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2200308328.0000000005D73000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2181499507.0000000005D73000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.2187770588.0000000005C56000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.2120275076.0000000005C35000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.2421390075.0000000005C47000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.2451025348.0000000005C51000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.2128210493.0000000005C35000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.2272359442.00000000005C4000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.2301947459.0000000005C08000.00000004.00000020.00020000.00000000.sdmp	false		high
https://t.me/RiseProSUPPORT	RageMP131.exe, 00000008.00000002.2980143223.000000000059F000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.2980143223.00000000005A4000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000002.2896368868.000000000142B000.00000004.00000020.00020000.00000000.sdmp	false		high
https://bugzilla.mozilla.org/show_bug.cgi?id=1694699#c21	firefox.exe, 00000029.00000003.2809831387.000001FB8AE2F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000029.00000003.2838114200.000001FB8AE2F000.00000004.00000800.00020000.00000000.sdmp	false		high
http://win.mail.ru/cgi-bin/sentmsg?mailto=%s	firefox.exe, 00000029.00000003.2362378100.000001FB8E6DE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000029.00000003.2363088949.000001FB8E6DE000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ipinfo.io/widget/demo/191.96.227.222p	RageMP131.exe, 00000008.00000002.2980143223.000000000051E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.ecosia.org/newtab/	file.exe, 00000000.00000003.2116611037.0000000005D2C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2113465149.0000000005C8F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2124224620.0000000005D2C000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2200308328.0000000005D73000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2181499507.0000000005D73000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.2187770588.0000000005C56000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.2120275076.0000000005C35000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.2128210493.0000000005C35000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.2272359442.00000000005C4000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.2301947459.0000000005C08000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.2276330895.00000000005C6000.00000004.00000020.00020000.00000000.sdmp	false		high
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br	firefox.exe, 00000029.00000003.2466799961.000001FB98697000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.youtube.com/	firefox.exe, 00000029.00000003.2461036451.000001FB9BEF9000.00000004.00000800.00020000.00000000.sdmp	false		high
https://allegro.pl/	firefox.exe, 00000029.00000003.2475084912.000001FB9655F000.00000004.00000800.00020000.00000000.sdmp	false		high
https://shavar.services.mozilla.com/downloads?client=navclient-auto-ffox&appver=118.0&pver=2.2	firefox.exe, 00000029.00000003.2699380184.000001FB986F6000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.bbc.co.uk/	firefox.exe, 00000029.00000003.2475084912.000001FB9655F000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://addons.mozilla.org/firefox/addon/to-google-translate/	firefox.exe, 00000029.00000003.2477590188.000001FB927F3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000029.00000003.2433245091.000001FB927F3000.00000004.00000800.00020000.00000000.sdmp	false		high
https://getpocket.cdn.mozilla.net/v3/firefox/global-recs?version=3&consumer_key=$apiKey&locale_lang=	firefox.exe, 00000029.00000003.2691872849.000001FB98DAD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000029.00000003.2854768436.000001FB98DAD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000029.00000003.2895883925.000001FB98DAD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000029.00000003.3002271050.000001FB98DAD000.00000004.00000800.00020000.00000000.sdmp	false		high
http://127.0.0.1:	firefox.exe, 00000029.00000003.2475084912.000001FB9652B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000029.00000003.2484170838.000001FB91F0A000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://bugzilla.mozilla.org/show_bug.cgi?id=1607439	firefox.exe, 00000029.00000003.2700062119.000001FB98684000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.micro	SIHClient.exe, 00000009.00000003.2187881101.0000020574385000.00000004.00000020.00020000.00000000.sdmp, SIHClient.exe, 00000009.00000002.2900308468.0000020574380000.00000004.00000020.00020000.00000000.sdmp, SIHClient.exe, 00000009.00000003.2185652439.0000020574385000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://ipinfo.io/	RageMP131.exe, 00000008.00000002.2980143223.00000000004DE000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000002.2896368868.000000000147E000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000002.2896368868.0000000001496000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000002.2896368868.000000000142B000.00000004.00000020.00020000.00000000.sdmp	false		high
https://t.me/RiseProSUPPORThoS	RageMP131.exe, 00000008.00000002.2980143223.000000000059F000.00000004.00000020.00020000.00000000.sdmp	false		high
https://static.adsafeprotected.com/firefox-etp-pixel	firefox.exe, 00000029.00000003.2854768436.000001FB98DBE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000029.00000003.3002271050.000001FB98DBE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000029.00000003.2895883925.000001FB98DBE000.00000004.00000800.00020000.00000000.sdmp	false		high
https://shavar.services.mozilla.com/gethash?client=SAFEBROWSING_ID&appver=118.0&pver=2.2	firefox.exe, 00000029.00000003.2691798188.000001FB98DC0000.00000004.00000800.00020000.00000000.sdmp	false		high
https://static.adsafeprotected.com/firefox-etp-js	firefox.exe, 00000029.00000003.2854768436.000001FB98DBE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000029.00000003.3002271050.000001FB98DBE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000029.00000003.2895883925.000001FB98DBE000.00000004.00000800.00020000.00000000.sdmp	false		high
http://detectportal.firefox.com/canonical.html	firefox.exe, 00000029.00000003.2477590188.000001FB927F3000.00000004.00000800.00020000.00000000.sdmp	false		high
https://shavar.services.mozilla.com/	firefox.exe, 00000029.00000003.2560855040.000001FB912E4000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.mozilla.org/products/firefoxgro.allizom.troppus.GVegJq3nFfBL	firefox.exe, 00000029.00000003.2466799961.000001FB98697000.00000004.00000800.00020000.00000000.sdmp	false		high
https://img-getpocket.cdn.mozilla.net/X	firefox.exe, 00000029.00000003.2475084912.000001FB965CD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000029.00000003.2861010042.000001FB965CD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000029.00000003.2930019942.000001FB965CD000.00000004.00000800.00020000.00000000.sdmp	false		high
https://accounts.google.comC:	firefox.exe, 00000026.00000002.2336728837.000002C2A6C50000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ipinfo.io:443/widget/demo/191.96.227.222	file.exe, 00000000.00000002.2976955927.00000000008BE000.00000004.00000020.00020000.00000000.sdmp	false		high
https://spocs.getpocket.com/	firefox.exe, 00000029.00000003.2461036451.000001FB9BEF9000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.youtube.comMOZ_CRASHREPORTER_STRINGS_OVERRIDE=C:	firefox.exe, 00000029.00000003.2301349556.000001FB805D5000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000029.00000003.2299483431.000001FB805D5000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
https://www.google.com/	firefox.exe, 00000029.00000003.2475084912.000001FB965CD000.00000004.00000800.00020000.00000000.sdmp	false		high
http://185.215.113.46/cost/well.exe	RageMP131.exe, 0000001A.00000002.2896368868.0000000001496000.00000004.00000020.00020000.00000000.sdmp	false	22%, Virustotal, Browse Avira URL Cloud: malware	unknown
https://www.iqiyi.com/	firefox.exe, 00000029.00000003.2475084912.000001FB9655F000.00000004.00000800.00020000.00000000.sdmp	false		high
https://content-signature-2.cdn.mozilla.net/chains/remote-settings.content-signature.mozilla.org-202	firefox.exe, 00000029.00000003.2702286694.000001FB98645000.00000004.00000800.00020000.00000000.sdmp	false		high
http://185.215.113.46/cost/ladas.exe	RageMP131.exe, 0000001A.00000002.2896368868.000000000147E000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000002.2896368868.0000000001496000.00000004.00000020.00020000.00000000.sdmp	false	20%, Virustotal, Browse Avira URL Cloud: malware	unknown
https://bugzilla.mozilla.org/show_bug.cgi?id=1584464	firefox.exe, 00000029.00000003.2700062119.000001FB98684000.00000004.00000800.00020000.00000000.sdmp	false		high
https://mail.google.com/mail/?extsrc=mailto&url=%s	firefox.exe, 00000029.00000003.2741108156.000001FB8E577000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000029.00000003.2734590873.000001FB8E577000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ipinfo.io:443/widget/demo/191.96.227.222EHkN)	RageMP131.exe, 0000001A.00000002.2896368868.000000000142B000.00000004.00000020.00020000.00000000.sdmp	false		high
https://addons.mozilla.org/firefox/addon/wikipedia-context-menu-search/	firefox.exe, 00000029.00000003.2477590188.000001FB927F3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000029.00000003.2433245091.000001FB927F3000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.youtube.comd	firefox.exe, 00000023.00000002.2300285719.0000022AC2BC0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.youtube.comC:	firefox.exe, 00000023.00000002.2300285719.0000022AC2BC0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	file.exe, 00000000.00000003.2116611037.0000000005D2C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2113465149.0000000005C8F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2124224620.0000000005D2C000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2200308328.0000000005D73000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2181499507.0000000005D73000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.2187770588.0000000005C56000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.2120275076.0000000005C35000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.2404581198.0000000005C53000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.2451025348.0000000005C51000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.2128210493.0000000005C35000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.2272359442.00000000005C4000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.2301947459.0000000005C08000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.2276330895.00000000005C6000.00000004.00000020.00020000.00000000.sdmp	false		high
https://ac.duckduckgo.com/ac/	firefox.exe, 00000029.00000003.2353070103.000001FB8E965000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000029.00000003.2352450205.000001FB8E924000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000029.00000003.2353477536.000001FB8E985000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000029.00000003.2352149654.000001FB8EA00000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000029.00000003.2352761725.000001FB8E944000.00000004.00000800.00020000.00000000.sdmp	false		high
https://duckduckgo.com/	firefox.exe, 00000029.00000003.2477590188.000001FB92754000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000029.00000003.2935452112.000001FB96558000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000029.00000003.2352761725.000001FB8E944000.00000004.00000800.00020000.00000000.sdmp	false		high
http://mozilla.org/MPL/2.0/.	firefox.exe, 00000029.00000003.2847640406.000001FB93284000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000029.00000003.2407004515.000001FB966B5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000029.00000003.2407473308.000001FB966B1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000029.00000003.2765495710.000001FB8EC7A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000029.00000003.2809831387.000001FB8AE2F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000029.00000003.2449113424.000001FB98582000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000029.00000003.2634765865.000001FB8EA58000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000029.00000003.2868107380.000001FB985F2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000029.00000003.2713037412.000001FB8EAA5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000029.00000003.2755126218.000001FB8EB33000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000029.00000003.2732544717.000001FB985F2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000029.00000003.3012126900.000001FB986E4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000029.00000003.2735455297.000001FB8EA59000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000029.00000003.2902867703.000001FB986E4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000029.00000003.2514495452.000001FB91E08000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000029.00000003.2737019437.000001FB8EAA4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000029.00000003.2887497625.000001FB8EAA4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000029.00000003.2807551644.000001FB8EC7A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000029.00000003.2568960989.000001FB8EAB1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000029.00000003.2862972274.000001FB966F4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000029.00000003.2360064713.000001FB8EC7E000.00000004.00000800.00020000.00000000.sdmp	false		high
https://account.bellmedia.c	firefox.exe, 00000029.00000003.2472568638.000001FB9732E000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://detectportal.firefox.com	firefox.exe, 00000029.00000003.3002271050.000001FB98D9C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000029.00000003.2472568638.000001FB9734E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000029.00000003.3024799346.000001FB9734B000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.mozilla.org/kb/refresh-firefox-reset-add-ons-and-settings	firefox.exe, 00000029.00000003.2723175944.000001FB8EBDD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000029.00000003.2608964060.000001FB8EBDC000.00000004.00000800.00020000.00000000.sdmp	false		high
https://login.microsoftonline.com	firefox.exe, 00000029.00000003.2472568638.000001FB9732E000.00000004.00000800.00020000.00000000.sdmp	false		high
http://r3.i.lencr.org/0.	firefox.exe, 00000029.00000003.2512787341.000001FB91E84000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.ifeng.com/	firefox.exe, 00000029.00000003.2475084912.000001FB9655F000.00000004.00000800.00020000.00000000.sdmp	false		high
http://185.215.113.46/mine/plaza.exeidizS9SzeRnCJb5Z-4X	file.exe, 00000000.00000002.3048475504.0000000005D60000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://t.me/risepro_botY0	file.exe, 00000000.00000002.2976955927.000000000091C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2389626209.000000000091C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.zhihu.com/	firefox.exe, 00000029.00000003.2464067429.000001FB98DFB000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.mozilla.org/1/firefox/118.0.1/WINNT/en-US/	firefox.exe, 00000029.00000003.2560855040.000001FB912CF000.00000004.00000800.00020000.00000000.sdmp	false		high
http://185.215.113.46/cost/ladas.exeb	file.exe, 00000000.00000002.2976955927.000000000097B000.00000004.00000020.00020000.00000000.sdmp	false	16%, Virustotal, Browse Avira URL Cloud: malware	unknown
https://accounts.google.com	firefox.exe, 00000026.00000002.2336728837.000002C2A6C50000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000029.00000003.2862162587.000001FB964EB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000029.00000003.2938825525.000001FB964EB000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	file.exe, 00000000.00000003.2116611037.0000000005D2C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2113465149.0000000005C8F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2124224620.0000000005D2C000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2200308328.0000000005D73000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2181499507.0000000005D73000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.2187770588.0000000005C56000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.2120275076.0000000005C35000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.2404581198.0000000005C53000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.2451025348.0000000005C51000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.2128210493.0000000005C35000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.2272359442.00000000005C4000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.2301947459.0000000005C08000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.2276330895.00000000005C6000.00000004.00000020.00020000.00000000.sdmp	false		high
https://support.mozilla.org/kb/captive-portal	firefox.exe, 00000029.00000003.2860186459.000001FB9739A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000029.00000003.3020159159.000001FB9739A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000029.00000003.2859579934.000001FB98645000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000029.00000003.2706123123.000001FB9739B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000029.00000003.2702286694.000001FB98645000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000029.00000003.2921343886.000001FB9739A000.00000004.00000800.00020000.00000000.sdmp	false		high
https://json-schema.org/draft/2019-09/schema	firefox.exe, 00000029.00000003.2861010042.000001FB9656C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000029.00000003.2475084912.000001FB9655F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000029.00000003.2930019942.000001FB9656C000.00000004.00000800.00020000.00000000.sdmp	false		high
http://r3.o.lencr.org0	firefox.exe, 00000029.00000003.2512787341.000001FB91E84000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
13.107.6.158	unknown	United States	8068	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
204.79.197.200	unknown	United States	8068	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
13.107.246.40	unknown	United States	8068	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
142.250.80.110	unknown	United States	15169	GOOGLEUS	false
142.250.65.161	unknown	United States	15169	GOOGLEUS	false
185.215.113.46	unknown	Portugal	206894	WHOLESALECONNECTIONSNL	false
172.253.63.84	unknown	United States	15169	GOOGLEUS	false
142.251.40.206	unknown	United States	15169	GOOGLEUS	false
74.125.152.106	unknown	United States	15169	GOOGLEUS	false
157.240.241.35	unknown	United States	32934	FACEBOOKUS	false
34.117.237.239	unknown	United States	139070	GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	false
142.251.40.132	unknown	United States	15169	GOOGLEUS	false
162.159.61.3	unknown	United States	13335	CLOUDFLARENETUS	false
142.250.65.238	unknown	United States	15169	GOOGLEUS	false
142.250.80.3	unknown	United States	15169	GOOGLEUS	false
142.251.40.174	unknown	United States	15169	GOOGLEUS	false
13.107.213.40	unknown	United States	8068	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
172.217.131.134	unknown	United States	15169	GOOGLEUS	false
157.240.241.1	unknown	United States	32934	FACEBOOKUS	false
204.79.197.239	unknown	United States	8068	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
23.43.243.155	unknown	United States	16625	AKAMAI-ASUS	false
13.225.63.40	unknown	United States	16509	AMAZON-02US	false
34.120.208.123	unknown	United States	15169	GOOGLEUS	false
142.250.65.234	unknown	United States	15169	GOOGLEUS	false
142.250.80.106	unknown	United States	15169	GOOGLEUS	false
142.250.80.35	unknown	United States	15169	GOOGLEUS	false
1.1.1.1	unknown	Australia	13335	CLOUDFLARENETUS	false
142.250.72.106	unknown	United States	15169	GOOGLEUS	false
13.107.21.239	unknown	United States	8068	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
142.250.80.74	unknown	United States	15169	GOOGLEUS	false
144.2.9.1	unknown	Netherlands	14413	LINKEDINUS	false
13.107.42.16	unknown	United States	8068	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
13.107.42.14	unknown	United States	8068	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
152.199.24.163	unknown	United States	15133	EDGECASTUS	false
142.250.65.206	unknown	United States	15169	GOOGLEUS	false
239.255.255.250	unknown	Reserved	unknown	unknown	false
31.13.71.7	unknown	Ireland	32934	FACEBOOKUS	false
184.26.41.160	unknown	United States	16625	AKAMAI-ASUS	false
142.250.72.98	unknown	United States	15169	GOOGLEUS	false
34.160.144.191	unknown	United States	2686	ATGS-MMD-ASUS	false
172.217.165.142	unknown	United States	15169	GOOGLEUS	false
142.250.72.110	unknown	United States	15169	GOOGLEUS	false
142.251.32.118	unknown	United States	15169	GOOGLEUS	false
44.240.103.52	unknown	United States	16509	AMAZON-02US	false
142.251.163.84	unknown	United States	15169	GOOGLEUS	false
72.21.81.240	unknown	United States	15133	EDGECASTUS	false
34.117.186.192	unknown	United States	139070	GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	false
23.96.180.189	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
152.195.19.97	unknown	United States	15133	EDGECASTUS	false
142.251.32.99	unknown	United States	15169	GOOGLEUS	false
142.250.176.206	unknown	United States	15169	GOOGLEUS	false
142.251.40.228	unknown	United States	15169	GOOGLEUS	false
162.159.36.2	unknown	United States	13335	CLOUDFLARENETUS	false
44.227.167.82	unknown	United States	16509	AMAZON-02US	false
142.250.80.86	unknown	United States	15169	GOOGLEUS	false
142.250.80.42	unknown	United States	15169	GOOGLEUS	false
142.250.64.78	unknown	United States	15169	GOOGLEUS	false
142.251.40.230	unknown	United States	15169	GOOGLEUS	false
142.251.41.14	unknown	United States	15169	GOOGLEUS	false
34.117.188.166	unknown	United States	139070	GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	false
142.251.41.10	unknown	United States	15169	GOOGLEUS	false
142.251.16.84	unknown	United States	15169	GOOGLEUS	false
142.251.84.105	unknown	United States	15169	GOOGLEUS	false
172.64.41.3	unknown	United States	13335	CLOUDFLARENETUS	false
74.125.3.138	unknown	United States	15169	GOOGLEUS	false
142.250.176.196	unknown	United States	15169	GOOGLEUS	false
142.250.65.196	unknown	United States	15169	GOOGLEUS	false
40.68.123.157	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
142.250.65.195	unknown	United States	15169	GOOGLEUS	false
34.149.100.209	unknown	United States	2686	ATGS-MMD-ASUS	false
23.58.127.112	unknown	United States	577	BACOMCA	false
34.107.243.93	unknown	United States	15169	GOOGLEUS	false
193.233.132.62	unknown	Russian Federation	2895	FREE-NET-ASFREEnetEU	false
142.250.80.54	unknown	United States	15169	GOOGLEUS	false
34.107.221.82	unknown	United States	15169	GOOGLEUS	false
152.199.5.152	unknown	United States	15133	EDGECASTUS	false
35.244.181.201	unknown	United States	15169	GOOGLEUS	false
142.250.81.234	unknown	United States	15169	GOOGLEUS	false
74.125.172.41	unknown	United States	15169	GOOGLEUS	false
142.250.65.227	unknown	United States	15169	GOOGLEUS	false
142.251.40.162	unknown	United States	15169	GOOGLEUS	false
142.251.40.163	unknown	United States	15169	GOOGLEUS	false
173.194.140.7	unknown	United States	15169	GOOGLEUS	false
142.250.176.195	unknown	United States	15169	GOOGLEUS	false
142.250.65.225	unknown	United States	15169	GOOGLEUS	false
142.250.31.84	unknown	United States	15169	GOOGLEUS	false

Private

IP
192.168.2.5
127.0.0.1

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1395796
Start date and time:	2024-02-21 02:38:05 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 13m 34s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	55
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@211/936@0/88
EGA Information:	Successful, ratio: 100%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, RuntimeBroker.exe, backgroundTaskHost.exe, svchost.exe
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtSetInformationFile calls found.
Report size getting too big, too many NtWriteFile calls found.
Report size getting too big, too many NtWriteVirtualMemory calls found.
Skipping network analysis since amount of network traffic is too extensive

Simulations

Behavior and APIs

Time	Type	Description
02:38:56	Task Scheduler	Run new task: MPGPH131 HR path: C:\ProgramData\MPGPH131\MPGPH131.exe
02:38:56	Task Scheduler	Run new task: MPGPH131 LG path: C:\ProgramData\MPGPH131\MPGPH131.exe
02:38:56	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run RageMP131 C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
02:39:05	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run RageMP131 C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
02:39:10	API Interceptor	1x Sleep call for process: SIHClient.exe modified
02:39:16	Task Scheduler	Run new task: MSIUpdaterV131 HR path: C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe
02:39:17	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run AdobeUpdaterV131 C:\Users\user\AppData\Local\AdobeUpdaterV131\AdobeUpdaterV131.exe
02:39:20	Task Scheduler	Run new task: MSIUpdaterV131 LG path: C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe
02:39:23	API Interceptor	226x Sleep call for process: file.exe modified
02:39:28	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EdgeMS131.lnk
02:39:32	Task Scheduler	Run new task: explorgu path: C:\Users\user\AppData\Local\Temp\00c07260dc\explorgu.exe
02:39:39	API Interceptor	222x Sleep call for process: RageMP131.exe modified
02:39:42	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run AdobeUpdaterV131 C:\Users\user\AppData\Local\AdobeUpdaterV131\AdobeUpdaterV131.exe
02:39:47	API Interceptor	671985x Sleep call for process: MPGPH131.exe modified
02:40:38	API Interceptor	1x Sleep call for process: firefox.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
13.107.6.158	TO92l1miUY	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.Win32.TrojanX-gen.8991.31115.exe	Get hash	malicious	RisePro Stealer	Browse
	SecuriteInfo.com.Win32.TrojanX-gen.8388.27993.exe	Get hash	malicious	RisePro Stealer	Browse
	SecuriteInfo.com.Win32.TrojanX-gen.24838.26198.exe	Get hash	malicious	RisePro Stealer	Browse
	j5M1YkNve1.exe	Get hash	malicious	RisePro Stealer	Browse
	file.exe	Get hash	malicious	RisePro Stealer	Browse
	SecuriteInfo.com.Trojan.GenericKDZ.105649.13827.32664.exe	Get hash	malicious	Amadey, RisePro Stealer	Browse
	SecuriteInfo.com.Trojan.GenericKDZ.105649.30549.11143.exe	Get hash	malicious	Amadey, RisePro Stealer	Browse
	SecuriteInfo.com.Trojan.GenericKDZ.105649.15764.2812.exe	Get hash	malicious	Amadey, RisePro Stealer	Browse
	SecuriteInfo.com.Trojan.GenericKDZ.105649.26510.19959.exe	Get hash	malicious	Amadey, RisePro Stealer	Browse
204.79.197.200	kr.ps1	Get hash	malicious	Unknown	Browse	/
13.107.246.40	OFFICIISWO.xlsx	Get hash	malicious	Unknown	Browse
	https://hello-world-floral-credit-99e3.leknotutri.workers.dev/	Get hash	malicious	HTMLPhisher	Browse
	https://805b4559c4b0eb39086f57ea7cd2565b23052cd656c8e214457cb4256a.pages.dev/	Get hash	malicious	HTMLPhisher	Browse
	file.html	Get hash	malicious	HTMLPhisher	Browse
	https://m33h876fkad.larksuite.com/wiki/MhqXwPA1ciHmvfk380uuwXn6s8c?from=from_copylink	Get hash	malicious	HTMLPhisher	Browse
	https://fromsmash.com/sfQaHEZ2sE-bt	Get hash	malicious	HTMLPhisher	Browse
	https://ncv.microsoft.com/ARBpjoGswC	Get hash	malicious	HTMLPhisher	Browse
	https://app.archbee.com/doc/bjiMt0tkV8GsQKr5jRHuN/kx-1lPI0O6BiIwENxl_SO	Get hash	malicious	HTMLPhisher	Browse
	https://office-site1.web.app/outlook.office365.com	Get hash	malicious	HTMLPhisher	Browse
	FW_.msg	Get hash	malicious	HTMLPhisher	Browse
185.215.113.46	SecuriteInfo.com.Win32.TrojanX-gen.26275.30792.exe	Get hash	malicious	RisePro Stealer	Browse	185.215.113.46/cost/ladas.exe
	SecuriteInfo.com.Win32.TrojanX-gen.26263.12275.exe	Get hash	malicious	RisePro Stealer	Browse	185.215.113.46/cost/fu.exe
	SecuriteInfo.com.Win32.TrojanX-gen.20833.6180.exe	Get hash	malicious	RisePro Stealer	Browse	185.215.113.46/cost/ladas.exe
	fB3vD2jWQm.exe	Get hash	malicious	RisePro Stealer	Browse	185.215.113.46/cost/niks.exe
	file.exe	Get hash	malicious	RisePro Stealer	Browse	185.215.113.46/cost/ladas.exe
	5ws86kuyyj.exe	Get hash	malicious	RisePro Stealer	Browse	185.215.113.46/cost/well.exe
	SecuriteInfo.com.Trojan.Siggen26.6766.4021.25295.exe	Get hash	malicious	Amadey, RisePro Stealer	Browse	185.215.113.46/cost/well.exe
	SecuriteInfo.com.Trojan.Siggen26.6766.21437.6924.exe	Get hash	malicious	Amadey, RisePro Stealer	Browse	185.215.113.46/cost/well.exe
	file.exe	Get hash	malicious	Amadey, RisePro Stealer	Browse	185.215.113.46/cost/well.exe
	1cfxwHmB63.exe	Get hash	malicious	Amadey, LummaC Stealer, RedLine, RisePro Stealer, Xmrig	Browse	185.215.113.46/cost/fu.exe

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	https://ir.shareaholic.com/e?a=1&u=https://imt.foundation/rgrandQ3El-Qsrg-ll8Kv-d58Kvo-y5%3Futm_campaign%3Dshareaholic%26utm_medium%3Dtwitter%26utm_source%3Dsocialnetwork&r=1	Get hash	malicious	HTMLPhisher	Browse	34.117.33.233
	https://cpa-ftk.pages.dev/robots.txt	Get hash	malicious	HTMLPhisher	Browse	34.117.239.71
	https://m33h876fkad.larksuite.com/wiki/MhqXwPA1ciHmvfk380uuwXn6s8c?from=from_copylink	Get hash	malicious	HTMLPhisher	Browse	34.117.97.41
	file.exe	Get hash	malicious	Clipboard Hijacker, RisePro Stealer	Browse	34.117.186.192
	BinMS.msi	Get hash	malicious	Unknown	Browse	34.117.188.166
	file.exe	Get hash	malicious	PrivateLoader, RisePro Stealer	Browse	34.117.186.192
	https://view.storydoc.com/bwCfpdRo	Get hash	malicious	Unknown	Browse	34.117.110.147
	file.exe	Get hash	malicious	RisePro Stealer	Browse	34.117.186.192
	file.exe	Get hash	malicious	RisePro Stealer	Browse	34.117.186.192
	file.exe	Get hash	malicious	Clipboard Hijacker, RisePro Stealer	Browse	34.117.186.192
MICROSOFT-CORP-MSN-AS-BLOCKUS	OFFICIISWO.xlsx	Get hash	malicious	Unknown	Browse	13.107.246.40
	https://pocloudcentral.crm.powerobjects.net/PowerEmailWebsite//GetUrl2013.aspx?t=TEka9Gzp+UWz6rVgaDAhSUMAUgBNAA==&eId=03e02621-4ddf-eb11-8150-00155d010e03&pval=//fwdptwl%E3%80%82com/#SPSRwA5J3Bh8iBqWlcnM??kypxg44fhlrkaixdobr=Z29vZ2xlLmNvbQ==/..=%5BUNIQID%5D&u=276b8dda4ef94158348d5b6b8&id=6b7205781d	Get hash	malicious	Unknown	Browse	23.99.128.52
	https://cpa-ftk.pages.dev/robots.txt	Get hash	malicious	HTMLPhisher	Browse	40.76.134.238
	https://hello-world-floral-credit-99e3.leknotutri.workers.dev/	Get hash	malicious	HTMLPhisher	Browse	13.107.246.40
	https://805b4559c4b0eb39086f57ea7cd2565b23052cd656c8e214457cb4256a.pages.dev/	Get hash	malicious	HTMLPhisher	Browse	13.107.213.40
	MCYq2AqNU0.exe	Get hash	malicious	Glupteba, LummaC Stealer, SmokeLoader, Stealc, Xmrig	Browse	52.101.73.15
	https://pocloudcentral.crm.powerobjects.net/PowerEmailWebsite//GetUrl2013.aspx?t=TEka9Gzp+UWz6rVgaDAhSUMAUgBNAA==&eId=03e02621-4ddf-eb11-8150-00155d010e03&pval=//physicstutor%E3%80%82co.za/cgi/6WIE/jeremy@gundersencu.org/jeremy@gundersencu.org&u=276b8dda4ef94158348d5b6b8&id=6b7205781d	Get hash	malicious	HtmlDropper, HTMLPhisher	Browse	23.99.128.52
	https://pocloudcentral.crm.powerobjects.net/PowerEmailWebsite//GetUrl2013.aspx?t=TEka9Gzp+UWz6rVgaDAhSUMAUgBNAA==&eId=03e02621-4ddf-eb11-8150-00155d010e03&pval=//physicstutor%E3%80%82co.za/cgi/6WIE/jeremy@gundersencu.org/jeremy@gundersencu.org&u=276b8dda4ef94158348d5b6b8&id=6b7205781d	Get hash	malicious	HtmlDropper, HTMLPhisher	Browse	23.99.128.52
	file.html	Get hash	malicious	HTMLPhisher	Browse	13.107.213.40
	https://m33h876fkad.larksuite.com/wiki/MhqXwPA1ciHmvfk380uuwXn6s8c?from=from_copylink	Get hash	malicious	HTMLPhisher	Browse	13.107.213.40
MICROSOFT-CORP-MSN-AS-BLOCKUS	OFFICIISWO.xlsx	Get hash	malicious	Unknown	Browse	13.107.246.40
	https://pocloudcentral.crm.powerobjects.net/PowerEmailWebsite//GetUrl2013.aspx?t=TEka9Gzp+UWz6rVgaDAhSUMAUgBNAA==&eId=03e02621-4ddf-eb11-8150-00155d010e03&pval=//fwdptwl%E3%80%82com/#SPSRwA5J3Bh8iBqWlcnM??kypxg44fhlrkaixdobr=Z29vZ2xlLmNvbQ==/..=%5BUNIQID%5D&u=276b8dda4ef94158348d5b6b8&id=6b7205781d	Get hash	malicious	Unknown	Browse	23.99.128.52
	https://cpa-ftk.pages.dev/robots.txt	Get hash	malicious	HTMLPhisher	Browse	40.76.134.238
	https://hello-world-floral-credit-99e3.leknotutri.workers.dev/	Get hash	malicious	HTMLPhisher	Browse	13.107.246.40
	https://805b4559c4b0eb39086f57ea7cd2565b23052cd656c8e214457cb4256a.pages.dev/	Get hash	malicious	HTMLPhisher	Browse	13.107.213.40
	MCYq2AqNU0.exe	Get hash	malicious	Glupteba, LummaC Stealer, SmokeLoader, Stealc, Xmrig	Browse	52.101.73.15
	https://pocloudcentral.crm.powerobjects.net/PowerEmailWebsite//GetUrl2013.aspx?t=TEka9Gzp+UWz6rVgaDAhSUMAUgBNAA==&eId=03e02621-4ddf-eb11-8150-00155d010e03&pval=//physicstutor%E3%80%82co.za/cgi/6WIE/jeremy@gundersencu.org/jeremy@gundersencu.org&u=276b8dda4ef94158348d5b6b8&id=6b7205781d	Get hash	malicious	HtmlDropper, HTMLPhisher	Browse	23.99.128.52
	https://pocloudcentral.crm.powerobjects.net/PowerEmailWebsite//GetUrl2013.aspx?t=TEka9Gzp+UWz6rVgaDAhSUMAUgBNAA==&eId=03e02621-4ddf-eb11-8150-00155d010e03&pval=//physicstutor%E3%80%82co.za/cgi/6WIE/jeremy@gundersencu.org/jeremy@gundersencu.org&u=276b8dda4ef94158348d5b6b8&id=6b7205781d	Get hash	malicious	HtmlDropper, HTMLPhisher	Browse	23.99.128.52
	file.html	Get hash	malicious	HTMLPhisher	Browse	13.107.213.40
	https://m33h876fkad.larksuite.com/wiki/MhqXwPA1ciHmvfk380uuwXn6s8c?from=from_copylink	Get hash	malicious	HTMLPhisher	Browse	13.107.213.40
WHOLESALECONNECTIONSNL	SecuriteInfo.com.Win32.TrojanX-gen.304.20057.exe	Get hash	malicious	RisePro Stealer	Browse	185.215.113.46
	SecuriteInfo.com.Win32.TrojanX-gen.8991.31115.exe	Get hash	malicious	RisePro Stealer	Browse	185.215.113.46
	SecuriteInfo.com.Win32.PWSX-gen.18507.10357.exe	Get hash	malicious	Amadey, RedLine, Remcos, RisePro Stealer	Browse	185.215.113.32
	SecuriteInfo.com.Win32.TrojanX-gen.8388.27993.exe	Get hash	malicious	RisePro Stealer	Browse	185.215.113.46
	SecuriteInfo.com.Trojan.Siggen21.19151.20597.8736.exe	Get hash	malicious	Phorpiex	Browse	185.215.113.66
	SecuriteInfo.com.Win32.TrojanX-gen.24838.26198.exe	Get hash	malicious	RisePro Stealer	Browse	185.215.113.46
	SecuriteInfo.com.Win32.TrojanX-gen.26275.30792.exe	Get hash	malicious	RisePro Stealer	Browse	185.215.113.46
	SecuriteInfo.com.Win32.TrojanX-gen.26263.12275.exe	Get hash	malicious	RisePro Stealer	Browse	185.215.113.46
	SecuriteInfo.com.Win32.TrojanX-gen.20833.6180.exe	Get hash	malicious	RisePro Stealer	Browse	185.215.113.46
	j5M1YkNve1.exe	Get hash	malicious	RisePro Stealer	Browse	185.215.113.46
MICROSOFT-CORP-MSN-AS-BLOCKUS	OFFICIISWO.xlsx	Get hash	malicious	Unknown	Browse	13.107.246.40
	https://pocloudcentral.crm.powerobjects.net/PowerEmailWebsite//GetUrl2013.aspx?t=TEka9Gzp+UWz6rVgaDAhSUMAUgBNAA==&eId=03e02621-4ddf-eb11-8150-00155d010e03&pval=//fwdptwl%E3%80%82com/#SPSRwA5J3Bh8iBqWlcnM??kypxg44fhlrkaixdobr=Z29vZ2xlLmNvbQ==/..=%5BUNIQID%5D&u=276b8dda4ef94158348d5b6b8&id=6b7205781d	Get hash	malicious	Unknown	Browse	23.99.128.52
	https://cpa-ftk.pages.dev/robots.txt	Get hash	malicious	HTMLPhisher	Browse	40.76.134.238
	https://hello-world-floral-credit-99e3.leknotutri.workers.dev/	Get hash	malicious	HTMLPhisher	Browse	13.107.246.40
	https://805b4559c4b0eb39086f57ea7cd2565b23052cd656c8e214457cb4256a.pages.dev/	Get hash	malicious	HTMLPhisher	Browse	13.107.213.40
	MCYq2AqNU0.exe	Get hash	malicious	Glupteba, LummaC Stealer, SmokeLoader, Stealc, Xmrig	Browse	52.101.73.15
	https://pocloudcentral.crm.powerobjects.net/PowerEmailWebsite//GetUrl2013.aspx?t=TEka9Gzp+UWz6rVgaDAhSUMAUgBNAA==&eId=03e02621-4ddf-eb11-8150-00155d010e03&pval=//physicstutor%E3%80%82co.za/cgi/6WIE/jeremy@gundersencu.org/jeremy@gundersencu.org&u=276b8dda4ef94158348d5b6b8&id=6b7205781d	Get hash	malicious	HtmlDropper, HTMLPhisher	Browse	23.99.128.52
	https://pocloudcentral.crm.powerobjects.net/PowerEmailWebsite//GetUrl2013.aspx?t=TEka9Gzp+UWz6rVgaDAhSUMAUgBNAA==&eId=03e02621-4ddf-eb11-8150-00155d010e03&pval=//physicstutor%E3%80%82co.za/cgi/6WIE/jeremy@gundersencu.org/jeremy@gundersencu.org&u=276b8dda4ef94158348d5b6b8&id=6b7205781d	Get hash	malicious	HtmlDropper, HTMLPhisher	Browse	23.99.128.52
	file.html	Get hash	malicious	HTMLPhisher	Browse	13.107.213.40
	https://m33h876fkad.larksuite.com/wiki/MhqXwPA1ciHmvfk380uuwXn6s8c?from=from_copylink	Get hash	malicious	HTMLPhisher	Browse	13.107.213.40

Process:	C:\Users\user\Desktop\file.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2332672
Entropy (8bit):	7.9618356942587125
Encrypted:	false
SSDEEP:	49152:eHex9yDOkBt8Oi0WWY6KtnHvjQ2SUueEMpZ0Q7zax8UFQdhoOIEgXlLv:egbkB18jQ2fueEA0Q7zait3IEmv
MD5:	9565A774CCE1318D00AAD201D54179AD
SHA1:	9369239B7C872D3CC46E55178EEDA3CC6652E2E3
SHA-256:	9911129661BCE9C536C1232B12B2AA19501D9DFAE099C146D25308C7BB6839AC
SHA-512:	4EBE7B64B0EE4EBDD1EF355D3B0B5F4CFF22C83AC47E1FE317634CE3D8BA99494C5FA2790D541797C3DC52F4A71230361DC80BC2DFB4675F7F1196D89F1B0E3A
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Virustotal, Detection: 54%, Browse
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......C.........L.....L.....L.....H.G...H.....H.....H...R.L.....L.....L...............E.....-........Rich..................PE..L...N@.e...............".....L........Y...........@...........................Z.....U]$...@.................................T...h....p..h1.......................................................................................................... . .`..........................@....rsrc...h1...p......................@....idata ............................@... ..+.........................@...nlyzwaah.`...p?..V..................@...lkbejoib......Y......r#.............@....taggant.0....Y.."...v#.............@...........................................................................................................................................................................................

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	7395
Entropy (8bit):	5.162151244347729
Encrypted:	false
SSDEEP:	192:QKMiICIsI3cbhbVbTbfbRbObtbyEl7nKJA6wnSrDtTZd/Sc:QPhB73cNhnzFSJ5jnSrDhZd/t
MD5:	1E611F7EB57BEAED740F828777110F51
SHA1:	5DD0553BD3D82EFE4DF0438BBE637221176A561A
SHA-256:	AE3B3FB9727C4F2F0954049270998F9DC689BC72C8DE6DDBA6D920738860574E
SHA-512:	95B471F85F84B6D7DF028F95D8ACFA9BE6941CE6F89DA0C8BA7F87D99ACC58C72BB0F91F54CF7DF00774F9F80B7DEF061A318001E835FAFCCAB969ACF40401A1
Malicious:	false
Preview:	{"type":"uninstall","id":"3d60c72b-b348-42fe-88bd-76fb62640eb2","creationDate":"2024-02-21T02:47:34.674Z","version":4,"application":{"architecture":"x86-64","buildId":"20230927232528","name":"Firefox","version":"118.0.1","displayVersion":"118.0.1","vendor":"Mozilla","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","channel":"release"},"payload":{"otherInstalls":0},"clientId":"1fca7bd2-7b44-4c45-b0ea-e0486850ce95","environment":{"build":{"applicationId":"{ec8030f7-c20a-464f-9b0e-13a3a9e97384}","applicationName":"Firefox","architecture":"x86-64","buildId":"20230927232528","version":"118.0.1","vendor":"Mozilla","displayVersion":"118.0.1","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","updaterAvailable":true},"partner":{"distributionId":null,"distributionVersion":null,"partnerId":null,"distributor":null,"distributorChannel":null,"partnerNames":[]},"system":{"memoryMB":8191,"virtualMaxMB":134217728,"cpu":{"isWindowsSMode":false,"count":4,"cores":2,"vendor":"GenuineIntel","name":"I

Process:	C:\Windows\System32\SIHClient.exe
File Type:	Microsoft Cabinet archive data, Windows 2000/XP setup, 4770 bytes, 1 file, at 0x2c +A "disallowedcert.stl", number 1, 1 datablock, 0x1 compression
Category:	dropped
Size (bytes):	4770
Entropy (8bit):	7.946747821604857
Encrypted:	false
SSDEEP:	96:9/nBu64pydcvOHRUfu0xK1bQYMRSRNoYmxYvk56sHMZhh4m:9/nBuP2cGxUfu6K1bpWJ6vfh4m
MD5:	1BFE591A4FE3D91B03CDF26EAACD8F89
SHA1:	719C37C320F518AC168C86723724891950911CEA
SHA-256:	9CF94355051BF0F4A45724CA20D1CC02F76371B963AB7D1E38BD8997737B13D8
SHA-512:	02F88DA4B610678C31664609BCFA9D61DB8D0B0617649981AF948F670F41A6207B4EC19FECCE7385A24E0C609CBBF3F2B79A8ACAF09A03C2C432CC4DCE75E9DB
Malicious:	false
Preview:	MSCF............,...................O.................2Wqh .disallowedcert.stl....^K...CK.wTS...:.w.K'.C0T.....Bh.{....C.)......Y@...(..).R."E..D^6........u....\|f~3...o.3. ..SPK.k.o#...."{-.U..P........:..aPr.@.d......Dy.h.....)..:...!./\A.....A<I_<$...q.h..........'.....7....H...@`T..K.S.%...Y4..R.....`.....-....D...(..b..-c."...G.=.dx..S+..2.a.E....d.L...77J...c.[..@..iT&..^78..g....NW6.Ek..FY.F........cNt.O...R..........D...... k........J.y...z.d...;.9_t...].@....yw..}.x....d.t..`f\K..;\|.h.X...4/.;.xT......q>.0...<...3...X..L$.&.,b.....\V....\......G..O..@..H3.....t..J..).x.?.{[..G>.7...<...^Q..z..Gw9P..d....i].n%K}.z..2.Py...A..s...z..@...4..........4.....Y.d..._Z.5.s..fl.C..#.K{9^.E...k..z.Ma..G.(.....5g. ...}.t.#4....$;.,....S@fs....k......u .^2.#_...I........;.......w..P...UCY...$;.S._\|.x..dK...[i..q..^.l..A.?.....'N.. .L.l......m.*.+f#]............A.;.....Z..rIt....RW....Kr1e=8.=.z:Oi.z.d..r..C_......o...]j.N;.s....3@3.dgrv.

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	19833
Entropy (8bit):	5.796986829626578
Encrypted:	false
SSDEEP:	384:j8Ni7nKzQ1Ux/M/9hamJfk6vP6Oq3IkwmdKd99F6GRQ9CbMoqRuX8B1sYQu:j92PZKhDO6vP6Oq3IkxITF6GSCAos
MD5:	37D02BA38B34B7D7AFDB35EA359F458C
SHA1:	616D965685E42E2AE9A462E4ED7038AF2B9945A1
SHA-256:	A839D5F640888FF27D5186212B828B705FAC99F2B7D6A3C5917BBCFC233D82F4
SHA-512:	0CA30AA4BE502555893D509C32DE38F598FF94C136BB290D425917F33F68437B4D7343304C995B67D82420DB102F6CB86696350B78E30BB753E1C0AFC5E4E249
Malicious:	false
Preview:	{"abusive_adblocker_etag":"\"229EC35087C81534A88F41A12F3A505F330A0BE57C43F6CEB29F4718042EFC4F\"","browser":{"browser_build_version":"117.0.2045.47","browser_version_of_last_seen_whats_new":"117.0.2045.47","last_seen_whats_new_page_version":"117.0.2045.47"},"desktop_mode":{"clear_prefs_once_applied":true,"is_on":false,"is_on_by_default_applied":true,"is_search_only_on_by_default_applied":true},"desktop_session_duration_tracker":{"last_session_end_timestamp":"1708479582"},"domain_actions_config":"H4sIAAAAAAAAAAMAAAAAAAAAAAA=","dual_engine":{"ie_to_edge":{"redirection_mode":0}},"edge":{"perf_center":{"efficiency_mode_v2_is_active":false,"perf_game_mode":true,"performance_mode":3,"performance_mode_is_on":false},"tab_stabs":{"closed_without_unfreeze_never_unfrozen":0,"closed_without_unfreeze_previously_unfrozen":0,"discard_without_unfreeze_never_unfrozen":0,"discard_without_unfreeze_previously_unfrozen":0},"tab_stats":{"frozen_daily":0,"unfrozen_daily":0}},"edge_ci":{"metrics_bookmark":"\u0

Process:	C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2363904
Entropy (8bit):	7.962536812435418
Encrypted:	false
SSDEEP:	49152:zO/TJOsOiwul5jDwrMdS9hwLsV70KS+MWUPQjCxa:zEwS5j8raRLsW3zsC8
MD5:	89C788DA1AF63946AA34AB15828E4BDC
SHA1:	0B1113A1B6946990805559C15E5EE5C1771F73B2
SHA-256:	A20F20FF15142CEF0B6AF5824830F31352148C61142899EDFE920737A208DF9C
SHA-512:	5F949CF415AEFAD92CDA3148A03F74FD6AA5C3EBF194B4EF16283BBF153E7381E0AA189D5E21E0EBDA12EF24711618E0A80D2D3CE263B80D9D578BDEA35D171B
Malicious:	true
Antivirus:	Antivirus: Virustotal, Detection: 53%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......C.........L.....L.....L.....H.G...H.....H.....H...R.L.....L.....L...............E.....-........Rich..........PE..L......e...............".....V........Z...........@.......................... [.......%...@.................................W...k....`...C.......................................................................................................... . .P..........................@....rsrc....C...`......................@....idata ............................@... .@,.........................@...jsijvwkm......@.....................@...qxzfqftw......Z.......#.............@....taggant.0....Z.."....#.............@...................................................................................................................................................................................................

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Wed Feb 21 00:39:16 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2677
Entropy (8bit):	3.978957853737454
Encrypted:	false
SSDEEP:	48:8BdZTFLRKHgidAKZdA19ehwiZUklqehRy+3:8l51F+y
MD5:	E25C1F97B83F87C6C24A94EC55DB275B
SHA1:	FDDA3990D138C4863283F530C18D99E2BF9E7E8F
SHA-256:	9FD17FAF6B140C733A0419F1A93B03D58700899D5F6D756EBFC68B1CE3044F54
SHA-512:	1D7B25D2D25AD00122020E4836D334F1ED83BDAC2BDDBC116EFC45270FB8B31E19B7F003E6D9B25EB731EAA59BB48C5359B16F13864681BC206A337AF9C38468
Malicious:	false
Preview:	L..................F.@.. ...$+.,....Zt..fd..N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....DWWn..PROGRA~1..t......O.IUX......B...............J......SX.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.VUX......L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.VUX......M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.VUX............................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.VUX.............................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i...........X........C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

Process:	C:\Users\user\AppData\Local\Temp\heidizS9SzeRnCJb5\_z8_twA5gL3uyAKSYBl4.exe
File Type:	data
Category:	dropped
Size (bytes):	294
Entropy (8bit):	3.4276940314341426
Encrypted:	false
SSDEEP:	6:h5bygvXUG5ZsUEZ+lX1yrlbtFXqYEp5t/uy0lVlMct0:hMuYQ1yrBfXVPdt0
MD5:	D67DAEB3ECEB867B99307C2A564FF2EC
SHA1:	1080D2A364BA5DC8EBD8BA37ED161D6C983DBB1D
SHA-256:	B50C55E992DA9B13F36ABD3F52F7C9199F8C668616666586404B1B147D56439C
SHA-512:	F47597DA41C50E7D46CE3FA8E2AE6FBAE89222C79FF1C1121E3E8CF97A3184108BE8A3D87FF8E7C6A42C90CADECC52975ED60E38AF64C0A01336580663A708CF
Malicious:	false
Preview:	.....f...~5G..v$LE.sF.......<... .....s.......... ....................;.C.:.\.U.s.e.r.s.\.a.l.f.o.n.s.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.T.e.m.p.\.0.0.c.0.7.2.6.0.d.c.\.e.x.p.l.o.r.g.u...e.x.e.........A.L.F.O.N.S.-.P.C.\.a.l.f.o.n.s...................0.................(.@3P.........................

Entrypoint:	0x99e000
Entrypoint Section:	.taggant
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x65D4404E [Tue Feb 20 06:01:50 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	2eabe9054cad5152567f0699947a2c5b

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x13b054	0x68	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x137000	0x3168	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x13b1f8	0x8	.idata
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
	0x1000	0x136000	0x8f000	62914a828fb6a104d2b7b6f54d549be7	False	0.9994673295454546	data	7.989426793160249	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x137000	0x3168	0x1800	b252d115e99482aff7b7b4e94c67732f	False	0.9195963541666666	data	7.615100777099426	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x13b000	0x1000	0x200	1e17ac6f9d72045027c75c82e74ad637	False	0.14453125	data	0.9942709484982628	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
	0x13c000	0x2bb000	0x200	f4690146d9e49afa29e7cc9fe67ad116	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
nlyzwaah	0x3f7000	0x1a6000	0x1a5600	0a1364b12a3f3a49ce085ba590286368	False	0.9910513154479383	data	7.9524435905525435	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
lkbejoib	0x59d000	0x1000	0x400	b66a513fb0727538e43cdd503c0a7070	False	0.7783203125	data	6.073919583711129	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant	0x59e000	0x3000	0x2200	f8662ce161b0af42eb643c8ec116f242	False	0.05480238970588235	DOS executable (COM)	0.6516153450010875	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x5996d4	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	Russian	Russia	0.3333333333333333
RT_ICON	0x5999bc	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	Russian	Russia	0.5777027027027027
RT_ICON	0x599ae4	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	Russian	Russia	0.4165162454873646
RT_ICON	0x59a38c	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	Russian	Russia	0.42991329479768786
RT_ICON	0x59a8f4	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	Russian	Russia	0.5159474671669794
RT_ICON	0x59b99c	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	Russian	Russia	0.6338652482269503
RT_GROUP_ICON	0x59be04	0x5a	data	Russian	Russia	0.7111111111111111
RT_VERSION	0x59be5e	0x33c	data	Russian	Russia	0.44806763285024154
RT_MANIFEST	0x59c19a	0x2e6	XML 1.0 document, ASCII text, with CRLF line terminators			0.45417789757412397
RT_MANIFEST	0x59c480	0x17d	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.5931758530183727

Target ID:	0
Start time:	02:38:50
Start date:	21/02/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\file.exe
Imagebase:	0xf90000
File size:	2'332'672 bytes
MD5 hash:	9565A774CCE1318D00AAD201D54179AD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Target ID:	2
Start time:	02:38:54
Start date:	21/02/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
Imagebase:	0xf50000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	9
Start time:	02:39:08
Start date:	21/02/2024
Path:	C:\Windows\System32\SIHClient.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\sihclient.exe /cv oDBIuu78qUSLDogbPZYF5w.0.2
Imagebase:	0x7ff6c9ac0000
File size:	380'720 bytes
MD5 hash:	8BE47315BF30475EEECE8E39599E9273
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Target ID:	10
Start time:	02:39:11
Start date:	21/02/2024
Path:	C:\Users\user\AppData\Local\Temp\heidizS9SzeRnCJb5\1zSWTheo8gASwgtmbVnB.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\heidizS9SzeRnCJb5\1zSWTheo8gASwgtmbVnB.exe"
Imagebase:	0x6e0000
File size:	918'016 bytes
MD5 hash:	1E1CA4D43582C075F0CFF2992A8E6FEB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Target ID:	11
Start time:	02:39:12
Start date:	21/02/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://www.youtube.com/
Imagebase:	0x7ff715980000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Target ID:	16
Start time:	02:39:13
Start date:	21/02/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://accounts.google.com/
Imagebase:	0x7ff715980000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	18
Start time:	02:39:14
Start date:	21/02/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2076 --field-trial-handle=2020,i,9349519310739507833,11996823178141009930,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Imagebase:	0x7ff715980000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	21
Start time:	02:39:15
Start date:	21/02/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	schtasks /create /f /RU "user" /tr "C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe" /tn "MSIUpdaterV131 HR" /sc HOURLY /rl HIGHEST
Imagebase:	0xf50000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	37
Start time:	02:39:18
Start date:	21/02/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.facebook.com/video
Imagebase:	0x7ff79f9e0000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	39
Start time:	02:39:19
Start date:	21/02/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com --attempting-deelevation
Imagebase:	0x7ff79f9e0000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Snort Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\MPGPH131\MPGPH131.exe

C:\ProgramData\MPGPH131\MPGPH131.exe:Zone.Identifier

C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_3d60c72b-b348-42fe-88bd-76fb62640eb2.json (copy)

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_3d60c72b-b348-42fe-88bd-76fb62640eb2.json.tmp

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157

C:\Users\user\AppData\Local\AdobeUpdaterV131\AdobeUpdaterV131.exe

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\14099e71-eb43-4451-92c5-826a147d8ec8.tmp

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\24467836-8913-44df-bf91-9bc6bf79b0a8.tmp

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\246721a6-5301-4a8a-b4f8-81c0d1d32cd9.tmp

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\27dbf597-f864-496b-af55-34381c7312fa.tmp

Windows Analysis Report
file.exe

Target ID:	42
Start time:	02:39:22
Start date:	21/02/2024
Path:	C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe
Wow64 process (32bit):	true
Commandline:	C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe
Imagebase:	0x650000
File size:	1'889'792 bytes
MD5 hash:	F2DFD8B4E7B7BE57BB23484FC9D14430
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 0000002A.00000002.2883089894.0000000000651000.00000040.00000001.01000000.0000000B.sdmp, Author: Joe Security Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 0000002A.00000003.2481062424.0000000004FA0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Has exited:	true

Target ID:	47
Start time:	02:39:25
Start date:	21/02/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.facebook.com/video
Imagebase:	0x7ff79f9e0000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Execution Coverage:	13.6%
Dynamic/Decrypted Code Coverage:	5.9%
Signature Coverage:	70.8%
Total number of Nodes:	2000
Total number of Limit Nodes:	145

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject malicious code into process via Extra Window Memory (EWM) in order to evade process-based defenses as well as possibly elevate privileges. EWM injection is a method of executing arbitrary code in the address space of a separate live process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Process: OS API Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre