Windows Analysis Report
LisectAVT_2403002A_473.exe

Overview

General Information

Sample name:	LisectAVT_2403002A_473.exe
Analysis ID:	1482220
MD5:	f256345478d00e975e7c0987fa05f63e
SHA1:	005b5c18852675ced842632957199d6d47128ade
SHA256:	3d72496f46a130331bc6e35d4211c7a9d6c31770affba0f99ebbe6abf6cd42d2
Tags:	AsyncRATexe
Infos:

Detection

Njrat, XWorm

Score:	90
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Found malware configuration

Malicious sample detected (through community Yara rule)

Yara detected MSILDownloaderGeneric

Yara detected Njrat

Yara detected XWorm

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

.NET source code references suspicious native API functions

C2 URLs / IPs found in malware configuration

Check if machine is in data center or colocation facility

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Contains functionality to log keystrokes (.Net Source)

Drops PE files to the user root directory

Injects code into the Windows Explorer (explorer.exe)

Machine Learning detection for dropped file

Machine Learning detection for sample

Modifies the windows firewall

Opens the same file many times (likely Sandbox evasion)

Performs DNS queries to domains with low reputation

Sample uses string decryption to hide its real strings

Sigma detected: Suspicious File Creation In Uncommon AppData Folder

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Uses dynamic DNS services

Uses netsh to modify the Windows network and firewall settings

Uses schtasks.exe or at.exe to add and modify task schedules

Yara detected Generic Downloader

Abnormal high CPU Usage

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if the current process is being debugged

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to detect virtual machines (SLDT)

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Detected potential crypto function

Drops PE files

Drops PE files to the user directory

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

May infect USB drives

May sleep (evasive loops) to hinder dynamic analysis

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: Explorer Process Tree Break

Sigma detected: Startup Folder File Write

Sigma detected: Suspicious Schtasks From Env Var Folder

Sigma detected: Use Short Name Path in Command Line

Stores files to the Windows start menu directory

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Malware Threat Intel
Provided by

Name	Description	Attribution	Blogpost URLs	Link
NjRAT	RedPacket Security describes NJRat as "a remote access trojan (RAT) has capabilities to log keystrokes, access the victim's camera, steal credentials stored in browsers, open a reverse shell, upload/download files, view the victim's desktop, perform process, file, and registry manipulations, and capabilities to let the attacker update, uninstall, restart, close, disconnect the RAT and rename its campaign ID. Through the Command & Control (CnC) server software, the attacker has capabilities to create and configure the malware to spread through USB drives."It is supposedly popular with actors in the Middle East. Similar to other RATs, many leaked builders may be backdoored.	AQUATIC PANDA Earth Lusca Operation C-Major The Gorgon Group	http://blog.trendmicro.com/trendlabs-security-intelligence/new-rats-emerge-from-leaked-njw0rm-source-code/ http://blogs.360.cn/post/analysis-of-apt-c-37.html http://threatgeek.typepad.com/files/fta-1009---njrat-uncovered-1.pdf https://about.fb.com/news/2021/04/taking-action-against-hackers-in-palestine/ https://asec.ahnlab.com/1369	https://malpedia.caad.fkie.fraunhofer.de/details/win.njrat

Name	Description	Attribution	Blogpost URLs	Link
XWorm	Malware with wide range of capabilities ranging from RAT to ransomware.	No Attribution	https://any.run/cybersecurity-blog/xworm-malware-communication-analysis/ https://any.run/cybersecurity-blog/xworm-technical-analysis-of-a-new-malware-version/ https://blog.cyble.com/2022/08/19/evilcoder-project-selling-multiple-dangerous-tools-online/ https://cert.pl/en/posts/2023/10/deworming-the-xworm/ https://embee-research.ghost.io/infrastructure-analysis-with-dns-pivoting/	https://malpedia.caad.fkie.fraunhofer.de/details/win.xworm

Signatures

AV Detection

Antivirus / Scanner detection for submitted sample

Source: LisectAVT_2403002A_473.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Users\user\AppData\LocalM_d_cKXRrV.exe	Avira: detection malicious, Label: TR/ATRAPS.Gen
Source: C:\Users\user\AppData\LocalylmNBbjoFA.exe	Avira: detection malicious, Label: BDS/Bladabindi.ajoqj
Source: C:\Users\user\AppData\Local_wGRdnhmmy.exe	Avira: detection malicious, Label: HEUR/AGEN.1305769

Found malware configuration

Source: 00000000.00000002.1280963638.0000000002E01000.00000004.00000800.00020000.00000000.sdmp	Malware Configuration Extractor: Njrat {"Host": "server.exe", "Port": "h2cker.ddns.net", "Version": "im523", "Campaign ID": "HacKed", "Install Name": "UserProfile", "Install Dir": "xdefg"}
Source: 00000004.00000002.1293177261.0000000002EE1000.00000004.00000800.00020000.00000000.sdmp	Malware Configuration Extractor: Xworm {"C2 url": ["h2cker.ddns.net"], "Port": "0194", "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V3.1"}

Yara detected Njrat

Source: Yara match	File source: LisectAVT_2403002A_473.exe, type: SAMPLE
Source: Yara match	File source: 0.2.LisectAVT_2403002A_473.exe.2e3c5c0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.LisectAVT_2403002A_473.exe.84b214.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.LisectAVT_2403002A_473.exe.2e3c5c0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.LisectAVT_2403002A_473.exe.84b214.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.LocalM_d_cKXRrV.exe.5c0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.LisectAVT_2403002A_473.exe.1f0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1280963638.0000000002E01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.1256648440.000000000084B000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.3774758497.0000000002EA1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.1264112585.00000000005C2000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: LisectAVT_2403002A_473.exe PID: 5604, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: LocalM_d_cKXRrV.exe PID: 4932, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: server.exe PID: 7316, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\LocalM_d_cKXRrV.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\server.exe, type: DROPPED

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\LocalM_d_cKXRrV.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\LocalylmNBbjoFA.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local_wGRdnhmmy.exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: LisectAVT_2403002A_473.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 0.0.LisectAVT_2403002A_473.exe.8353e7.2.raw.unpack	String decryptor: h2cker.ddns.net
Source: 0.0.LisectAVT_2403002A_473.exe.8353e7.2.raw.unpack	String decryptor: 0194
Source: 0.0.LisectAVT_2403002A_473.exe.8353e7.2.raw.unpack	String decryptor: <123456789>
Source: 0.0.LisectAVT_2403002A_473.exe.8353e7.2.raw.unpack	String decryptor: <Xwormmm>
Source: 0.0.LisectAVT_2403002A_473.exe.8353e7.2.raw.unpack	String decryptor: USB.exe

Uses 32bit PE files

Source: LisectAVT_2403002A_473.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Window detected: License AgreementPlease read the following important information before continuing.Please read the following License Agreement. You must accept the terms of this agreement before continuing with the installation.Copyright (c) 2020-2024 maximmax42Permission is hereby granted free of charge to any person obtaining a copy of this software and associated documentation files (the "Software") to deal in the Software without restriction including without limitation the rights to use copy modify merge publish distribute sublicense and/or sell copies of the Software and to permit persons to whom the Software is furnished to do so subject to the following conditions:The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND EXPRESS OR IMPLIED INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM DAMAGES OR OTHER LIABILITY WHETHER IN AN ACTION OF CONTRACT TORT OR OTHERWISE ARISING FROM OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.---Upon the first launch of the app you will be asked permission to send analytics data to the developer. You can still use the app without any restriction if you don't consent.CustomRP collects this non-personal information during the usage of the app:- OS Version- OS Language- Device Model (laptop or motherboard)- Country based on OS settings (does not use geolocation)- App VersionAs well as these user interactions:- Connection status to Discord- Connection errors (wrong ID etc)- Connection failure (Discord isn't running etc)- Updated presence: - Does it have party? - What timestamp type is used? - Does it have a big image set? - Does it have a small image set? - How many buttons are set?- New version was ignored: - Which version?- Saved a preset- Loaded a preset- Clicked on a supporter/translator menu item: - Name of the supporter/translator - URL of the supporter/translator- Opened "Pipe select" window- Opened "About" windowCrash reports send your settings (except ID) to help understand the cause of the crash.This information is collected to understand how the application is used improve features and catch unexpected crashes as soon as they appear. The information is stored in the Microsoft App Center for 28 days and is not shared with any third parties.I &accept the agreementI &do not accept the agreement&NextCancel
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Window detected: License AgreementPlease read the following important information before continuing.Please read the following License Agreement. You must accept the terms of this agreement before continuing with the installation.Copyright (c) 2020-2024 maximmax42Permission is hereby granted free of charge to any person obtaining a copy of this software and associated documentation files (the "Software") to deal in the Software without restriction including without limitation the rights to use copy modify merge publish distribute sublicense and/or sell copies of the Software and to permit persons to whom the Software is furnished to do so subject to the following conditions:The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND EXPRESS OR IMPLIED INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM DAMAGES OR OTHER LIABILITY WHETHER IN AN ACTION OF CONTRACT TORT OR OTHERWISE ARISING FROM OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.---Upon the first launch of the app you will be asked permission to send analytics data to the developer. You can still use the app without any restriction if you don't consent.CustomRP collects this non-personal information during the usage of the app:- OS Version- OS Language- Device Model (laptop or motherboard)- Country based on OS settings (does not use geolocation)- App VersionAs well as these user interactions:- Connection status to Discord- Connection errors (wrong ID etc)- Connection failure (Discord isn't running etc)- Updated presence: - Does it have party? - What timestamp type is used? - Does it have a big image set? - Does it have a small image set? - How many buttons are set?- New version was ignored: - Which version?- Saved a preset- Loaded a preset- Clicked on a supporter/translator menu item: - Name of the supporter/translator - URL of the supporter/translator- Opened "Pipe select" window- Opened "About" windowCrash reports send your settings (except ID) to help understand the cause of the crash.This information is collected to understand how the application is used improve features and catch unexpected crashes as soon as they appear. The information is stored in the Microsoft App Center for 28 days and is not shared with any third parties.I &accept the agreementI &do not accept the agreement&NextCancel
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Window detected: License AgreementPlease read the following important information before continuing.Please read the following License Agreement. You must accept the terms of this agreement before continuing with the installation.Copyright (c) 2020-2024 maximmax42Permission is hereby granted free of charge to any person obtaining a copy of this software and associated documentation files (the "Software") to deal in the Software without restriction including without limitation the rights to use copy modify merge publish distribute sublicense and/or sell copies of the Software and to permit persons to whom the Software is furnished to do so subject to the following conditions:The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND EXPRESS OR IMPLIED INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM DAMAGES OR OTHER LIABILITY WHETHER IN AN ACTION OF CONTRACT TORT OR OTHERWISE ARISING FROM OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.---Upon the first launch of the app you will be asked permission to send analytics data to the developer. You can still use the app without any restriction if you don't consent.CustomRP collects this non-personal information during the usage of the app:- OS Version- OS Language- Device Model (laptop or motherboard)- Country based on OS settings (does not use geolocation)- App VersionAs well as these user interactions:- Connection status to Discord- Connection errors (wrong ID etc)- Connection failure (Discord isn't running etc)- Updated presence: - Does it have party? - What timestamp type is used? - Does it have a big image set? - Does it have a small image set? - How many buttons are set?- New version was ignored: - Which version?- Saved a preset- Loaded a preset- Clicked on a supporter/translator menu item: - Name of the supporter/translator - URL of the supporter/translator- Opened "Pipe select" window- Opened "About" windowCrash reports send your settings (except ID) to help understand the cause of the crash.This information is collected to understand how the application is used improve features and catch unexpected crashes as soon as they appear. The information is stored in the Microsoft App Center for 28 days and is not shared with any third parties.I &accept the agreementI &do not accept the agreement&NextCancel
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Window detected: License AgreementPlease read the following important information before continuing.Please read the following License Agreement. You must accept the terms of this agreement before continuing with the installation.Copyright (c) 2020-2024 maximmax42Permission is hereby granted free of charge to any person obtaining a copy of this software and associated documentation files (the "Software") to deal in the Software without restriction including without limitation the rights to use copy modify merge publish distribute sublicense and/or sell copies of the Software and to permit persons to whom the Software is furnished to do so subject to the following conditions:The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND EXPRESS OR IMPLIED INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM DAMAGES OR OTHER LIABILITY WHETHER IN AN ACTION OF CONTRACT TORT OR OTHERWISE ARISING FROM OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.---Upon the first launch of the app you will be asked permission to send analytics data to the developer. You can still use the app without any restriction if you don't consent.CustomRP collects this non-personal information during the usage of the app:- OS Version- OS Language- Device Model (laptop or motherboard)- Country based on OS settings (does not use geolocation)- App VersionAs well as these user interactions:- Connection status to Discord- Connection errors (wrong ID etc)- Connection failure (Discord isn't running etc)- Updated presence: - Does it have party? - What timestamp type is used? - Does it have a big image set? - Does it have a small image set? - How many buttons are set?- New version was ignored: - Which version?- Saved a preset- Loaded a preset- Clicked on a supporter/translator menu item: - Name of the supporter/translator - URL of the supporter/translator- Opened "Pipe select" window- Opened "About" windowCrash reports send your settings (except ID) to help understand the cause of the crash.This information is collected to understand how the application is used improve features and catch unexpected crashes as soon as they appear. The information is stored in the Microsoft App Center for 28 days and is not shared with any third parties.I &accept the agreementI &do not accept the agreement&NextCancel

Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp

Registry value created: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{6B1949CF-3AC6-43B8-95BF-5517797E2CEA}_is1

Jump to behavior

Source: C:\Users\user\Desktop\LisectAVT_2403002A_473.exe

File opened: C:\Windows\WinSxS\amd64_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_88e266cb2fac7c0d\MSVCR80.dll

Jump to behavior

Source: unknown	HTTPS traffic detected: 40.127.169.103:443 -> 192.168.2.7:49701 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 140.82.121.5:443 -> 192.168.2.7:49710 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.127.169.103:443 -> 192.168.2.7:49735 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 140.82.121.4:443 -> 192.168.2.7:49773 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.199.111.133:443 -> 192.168.2.7:49789 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 140.82.121.5:443 -> 192.168.2.7:49808 version: TLS 1.2

Source: LisectAVT_2403002A_473.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: D:\a\1\s\SDK\AppCenterCrashes\Microsoft.AppCenter.Crashes.WindowsDesktop\obj\Microsoft.AppCenter.Crashes.WindowsDesktop\Release\net472\Microsoft.AppCenter.Crashes.pdb source: LocalwCRkvqzBqW.tmp, 0000000E.00000003.1661520651.00000000057AF000.00000004.00001000.00020000.00000000.sdmp, CustomRP.exe, CustomRP.exe, 00000023.00000002.1870099006.00000000055F2000.00000002.00000001.01000000.00000012.sdmp, CustomRP.1.17.26.tmp, 00000027.00000003.2195222115.00000000058B0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\projects\customrp\CustomRPC\obj\Release\CustomRP.pdb source: LocalwCRkvqzBqW.tmp, 0000000E.00000003.1661520651.00000000057AF000.00000004.00001000.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000000.1657558451.0000000000AB2000.00000002.00000001.01000000.00000010.sdmp, CustomRP.1.17.26.tmp, 00000027.00000003.2195222115.00000000058B0000.00000004.00001000.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000000.2191328539.0000000000E72000.00000002.00000001.01000000.00000010.sdmp
Source:	Binary string: C:\NetFXDev1\binaries\x86ret\bin\i386\VSSetup\Utils\boxstub.pdb source: is-L16CA.tmp.39.dr
Source:	Binary string: c:\Users\Sentinel\Desktop\HTMLRenderer\HTML-Renderer\Source\HtmlRenderer.WinForms\obj\Release\HtmlRenderer.WinForms.pdb source: LocalwCRkvqzBqW.tmp, 0000000E.00000003.1661520651.00000000057AF000.00000004.00001000.00020000.00000000.sdmp, CustomRP.exe, CustomRP.exe, 0000001A.00000002.2038683267.000000000CE22000.00000002.00000001.01000000.00000024.sdmp, CustomRP.1.17.26.tmp, 00000027.00000003.2195222115.00000000058B0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\a\SQLitePCL.raw\SQLitePCL.raw\SQLitePCL.raw\src\SQLitePCLRaw.core\obj\Release\netstandard2.0\SQLitePCLRaw.core.pdb source: LocalwCRkvqzBqW.tmp, 0000000E.00000003.1661520651.00000000057AF000.00000004.00001000.00020000.00000000.sdmp, CustomRP.exe, CustomRP.exe, 0000001A.00000002.1999866525.00000000060A2000.00000002.00000001.01000000.00000017.sdmp, is-FETK3.tmp.39.dr
Source:	Binary string: c:\Users\Sentinel\Desktop\HTMLRenderer\HTML-Renderer\Source\HtmlRenderer\obj\Release\HtmlRenderer.pdb source: LocalwCRkvqzBqW.tmp, 0000000E.00000003.1661520651.00000000057AF000.00000004.00001000.00020000.00000000.sdmp, CustomRP.exe, CustomRP.exe, 0000001A.00000002.2039306519.000000000CE92000.00000002.00000001.01000000.00000025.sdmp, CustomRP.1.17.26.tmp, 00000027.00000003.2195222115.00000000058B0000.00000004.00001000.00020000.00000000.sdmp, is-8ECJB.tmp.39.dr
Source:	Binary string: /_/Src/Newtonsoft.Json.Bson/obj/Release/net45/Newtonsoft.Json.Bson.pdbSHA256Z source: LocalwCRkvqzBqW.tmp, 0000000E.00000003.1661520651.00000000057AF000.00000004.00001000.00020000.00000000.sdmp, CustomRP.1.17.26.tmp, 00000027.00000003.2195222115.00000000058B0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\a\_work\1\s\corefx\bin\obj\AnyOS.AnyCPU.Release\System.Memory\netfx\System.Memory.pdb source: LocalwCRkvqzBqW.tmp, 0000000E.00000003.1661520651.00000000057AF000.00000004.00001000.00020000.00000000.sdmp, CustomRP.exe, CustomRP.exe, 0000001A.00000002.2002226777.00000000063B2000.00000002.00000001.01000000.00000019.sdmp
Source:	Binary string: D:\a\SQLitePCL.raw\SQLitePCL.raw\SQLitePCL.raw\src\SQLitePCLRaw.core\obj\Release\netstandard2.0\SQLitePCLRaw.core.pdbSHA256I source: LocalwCRkvqzBqW.tmp, 0000000E.00000003.1661520651.00000000057AF000.00000004.00001000.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000002.1999866525.00000000060A2000.00000002.00000001.01000000.00000017.sdmp, is-FETK3.tmp.39.dr
Source:	Binary string: D:\a\SQLitePCL.raw\SQLitePCL.raw\SQLitePCL.raw\src\SQLitePCLRaw.bundle_green\obj\Release\net461\SQLitePCLRaw.batteries_v2.pdb source: LocalwCRkvqzBqW.tmp, 0000000E.00000003.1661520651.00000000057AF000.00000004.00001000.00020000.00000000.sdmp, CustomRP.exe, CustomRP.exe, 0000001A.00000002.1999487049.0000000005A42000.00000002.00000001.01000000.00000016.sdmp, is-90JQC.tmp.14.dr
Source:	Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdb source: LocalwCRkvqzBqW.tmp, 0000000E.00000003.1661520651.00000000057AF000.00000004.00001000.00020000.00000000.sdmp, CustomRP.exe, CustomRP.exe, 0000001A.00000002.2000036377.00000000060C2000.00000002.00000001.01000000.00000015.sdmp, CustomRP.1.17.26.tmp, 00000027.00000003.2195222115.00000000058B0000.00000004.00001000.00020000.00000000.sdmp, is-N75LE.tmp.14.dr, is-8B8DA.tmp.39.dr
Source:	Binary string: D:\a\SQLitePCL.raw\SQLitePCL.raw\SQLitePCL.raw\src\SQLitePCLRaw.provider.dynamic_cdecl\obj\Release\netstandard2.0\SQLitePCLRaw.provider.dynamic_cdecl.pdb source: LocalwCRkvqzBqW.tmp, 0000000E.00000003.1661520651.00000000057AF000.00000004.00001000.00020000.00000000.sdmp, CustomRP.exe, CustomRP.exe, 0000001A.00000002.2001708037.0000000006342000.00000002.00000001.01000000.00000018.sdmp, is-7ECM7.tmp.39.dr, is-CMKDC.tmp.14.dr
Source:	Binary string: D:\a\cb\cb\cb\bld\bin\e_sqlite3\win\v142\plain\x86\e_sqlite3.pdb source: CustomRP.exe, 0000001A.00000002.2046982098.000000006A8BA000.00000002.00000001.01000000.0000001A.sdmp, CustomRP.exe, 0000002A.00000002.3865639119.000000006A58B000.00000002.00000001.01000000.0000001A.sdmp
Source:	Binary string: D:\Projects\Visual Studio\discord-rpc-csharp\DiscordRPC\obj\Release\net45\DiscordRPC.pdb source: LocalwCRkvqzBqW.tmp, 0000000E.00000003.1661520651.00000000057AF000.00000004.00001000.00020000.00000000.sdmp, CustomRP.exe, CustomRP.exe, 0000001A.00000002.2008788803.0000000009AC2000.00000002.00000001.01000000.0000001C.sdmp, CustomRP.1.17.26.tmp, 00000027.00000003.2195222115.00000000058B0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: Octokit.pdbSHA256 source: LocalwCRkvqzBqW.tmp, 0000000E.00000003.1661520651.00000000057AF000.00000004.00001000.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000002.2011935141.0000000009C32000.00000002.00000001.01000000.0000001D.sdmp, CustomRP.exe, 0000002A.00000002.3833471382.0000000006E82000.00000002.00000001.01000000.0000001D.sdmp
Source:	Binary string: D:\a\_work\1\Tooling\obj\Release\System.Net.Http.Formatting\System.Net.Http.Formatting.pdb source: LocalwCRkvqzBqW.tmp, 0000000E.00000003.1661520651.00000000057AF000.00000004.00001000.00020000.00000000.sdmp, is-OARCU.tmp.14.dr
Source:	Binary string: c:\Users\Sentinel\Desktop\HTMLRenderer\HTML-Renderer\Source\HtmlRenderer.WinForms\obj\Release\HtmlRenderer.WinForms.pdb, source: LocalwCRkvqzBqW.tmp, 0000000E.00000003.1661520651.00000000057AF000.00000004.00001000.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000002.2038683267.000000000CE22000.00000002.00000001.01000000.00000024.sdmp, CustomRP.1.17.26.tmp, 00000027.00000003.2195222115.00000000058B0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: /_/Src/Newtonsoft.Json.Bson/obj/Release/net45/Newtonsoft.Json.Bson.pdb source: LocalwCRkvqzBqW.tmp, 0000000E.00000003.1661520651.00000000057AF000.00000004.00001000.00020000.00000000.sdmp, CustomRP.1.17.26.tmp, 00000027.00000003.2195222115.00000000058B0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\a\SQLitePCL.raw\SQLitePCL.raw\SQLitePCL.raw\src\SQLitePCLRaw.bundle_green\obj\Release\net461\SQLitePCLRaw.batteries_v2.pdbSHA256R source: LocalwCRkvqzBqW.tmp, 0000000E.00000003.1661520651.00000000057AF000.00000004.00001000.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000002.1999487049.0000000005A42000.00000002.00000001.01000000.00000016.sdmp, is-90JQC.tmp.14.dr
Source:	Binary string: E:\OneDrive\Programming\CommonMark\CommonMark\obj\v4.5\Release\CommonMark.pdb source: LocalwCRkvqzBqW.tmp, 0000000E.00000003.1661520651.0000000005700000.00000004.00001000.00020000.00000000.sdmp, CustomRP.exe, CustomRP.exe, 0000001A.00000002.2033794203.000000000BEF2000.00000002.00000001.01000000.00000023.sdmp, CustomRP.1.17.26.tmp, 00000027.00000003.2195222115.0000000005824000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\s\SDK\AppCenter\Microsoft.AppCenter.WindowsDesktop\obj\Microsoft.AppCenter.WindowsDesktop\Release\net472\Microsoft.AppCenter.pdbSHA256 source: LocalwCRkvqzBqW.tmp, 0000000E.00000003.1661520651.00000000057AF000.00000004.00001000.00020000.00000000.sdmp, CustomRP.exe, 00000023.00000002.1872050699.0000000005A02000.00000002.00000001.01000000.00000013.sdmp, CustomRP.1.17.26.tmp, 00000027.00000003.2195222115.00000000058B0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\Projects\Visual Studio\discord-rpc-csharp\DiscordRPC\obj\Release\net45\DiscordRPC.pdbSHA256^ source: LocalwCRkvqzBqW.tmp, 0000000E.00000003.1661520651.00000000057AF000.00000004.00001000.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000002.2008788803.0000000009AC2000.00000002.00000001.01000000.0000001C.sdmp, CustomRP.1.17.26.tmp, 00000027.00000003.2195222115.00000000058B0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\a\SQLitePCL.raw\SQLitePCL.raw\SQLitePCL.raw\src\SQLitePCLRaw.provider.dynamic_cdecl\obj\Release\netstandard2.0\SQLitePCLRaw.provider.dynamic_cdecl.pdbSHA256 source: LocalwCRkvqzBqW.tmp, 0000000E.00000003.1661520651.00000000057AF000.00000004.00001000.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000002.2001708037.0000000006342000.00000002.00000001.01000000.00000018.sdmp, is-7ECM7.tmp.39.dr, is-CMKDC.tmp.14.dr
Source:	Binary string: E:\A\_work\156\s\corefx\bin\obj\AnyOS.AnyCPU.Release\System.Buffers\netfx\System.Buffers.pdb source: LocalwCRkvqzBqW.tmp, 0000000E.00000003.1661520651.00000000057AF000.00000004.00001000.00020000.00000000.sdmp, is-LTL2H.tmp.14.dr
Source:	Binary string: D:\a\1\s\SDK\AppCenterAnalytics\Microsoft.AppCenter.Analytics.WindowsDesktop\obj\Microsoft.AppCenter.Analytics.WindowsDesktop\Release\net472\Microsoft.AppCenter.Analytics.pdb source: LocalwCRkvqzBqW.tmp, 0000000E.00000003.1661520651.00000000057AF000.00000004.00001000.00020000.00000000.sdmp, CustomRP.exe, CustomRP.exe, 00000023.00000002.1870476118.0000000005662000.00000002.00000001.01000000.00000014.sdmp, CustomRP.1.17.26.tmp, 00000027.00000003.2195222115.00000000058B0000.00000004.00001000.00020000.00000000.sdmp, is-313PG.tmp.14.dr
Source:	Binary string: E:\A\_work\39\s\corefx\bin/obj/AnyOS.AnyCPU.Release/System.Numerics.Vectors/net46\System.Numerics.Vectors.pdb source: LocalwCRkvqzBqW.tmp, 0000000E.00000003.1661520651.00000000057AF000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\s\SDK\AppCenterAnalytics\Microsoft.AppCenter.Analytics.WindowsDesktop\obj\Microsoft.AppCenter.Analytics.WindowsDesktop\Release\net472\Microsoft.AppCenter.Analytics.pdbSHA256 source: LocalwCRkvqzBqW.tmp, 0000000E.00000003.1661520651.00000000057AF000.00000004.00001000.00020000.00000000.sdmp, CustomRP.exe, 00000023.00000002.1870476118.0000000005662000.00000002.00000001.01000000.00000014.sdmp, CustomRP.1.17.26.tmp, 00000027.00000003.2195222115.00000000058B0000.00000004.00001000.00020000.00000000.sdmp, is-313PG.tmp.14.dr
Source:	Binary string: Octokit.pdb source: CustomRP.exe, CustomRP.exe, 0000002A.00000002.3833471382.0000000006E82000.00000002.00000001.01000000.0000001D.sdmp
Source:	Binary string: E:\A\_work\156\s\corefx\bin\obj\AnyOS.AnyCPU.Release\System.Threading.Tasks.Extensions\netfx\System.Threading.Tasks.Extensions.pdb source: LocalwCRkvqzBqW.tmp, 0000000E.00000003.1661520651.00000000057AF000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdbSHA2567 source: LocalwCRkvqzBqW.tmp, 0000000E.00000003.1661520651.00000000057AF000.00000004.00001000.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000002.2000036377.00000000060C2000.00000002.00000001.01000000.00000015.sdmp, CustomRP.1.17.26.tmp, 00000027.00000003.2195222115.00000000058B0000.00000004.00001000.00020000.00000000.sdmp, is-N75LE.tmp.14.dr, is-8B8DA.tmp.39.dr
Source:	Binary string: D:\a\1\s\SDK\AppCenterCrashes\Microsoft.AppCenter.Crashes.WindowsDesktop\obj\Microsoft.AppCenter.Crashes.WindowsDesktop\Release\net472\Microsoft.AppCenter.Crashes.pdbSHA256 source: LocalwCRkvqzBqW.tmp, 0000000E.00000003.1661520651.00000000057AF000.00000004.00001000.00020000.00000000.sdmp, CustomRP.exe, 00000023.00000002.1870099006.00000000055F2000.00000002.00000001.01000000.00000012.sdmp, CustomRP.1.17.26.tmp, 00000027.00000003.2195222115.00000000058B0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: -C:\NetFXDev1\binaries\x86ret\bin\i386\VSSetup\Utils\boxstub.pdb source: is-L16CA.tmp.39.dr
Source:	Binary string: C:\projects\customrp\CustomRPC\obj\Release\CustomRP.pdb< source: CustomRP.1.17.26.tmp, 00000027.00000003.2195222115.00000000058B0000.00000004.00001000.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000000.2191328539.0000000000E72000.00000002.00000001.01000000.00000010.sdmp
Source:	Binary string: D:\a\1\s\SDK\AppCenter\Microsoft.AppCenter.WindowsDesktop\obj\Microsoft.AppCenter.WindowsDesktop\Release\net472\Microsoft.AppCenter.pdb source: LocalwCRkvqzBqW.tmp, 0000000E.00000003.1661520651.00000000057AF000.00000004.00001000.00020000.00000000.sdmp, CustomRP.exe, CustomRP.exe, 00000023.00000002.1872050699.0000000005A02000.00000002.00000001.01000000.00000013.sdmp, CustomRP.1.17.26.tmp, 00000027.00000003.2195222115.00000000058B0000.00000004.00001000.00020000.00000000.sdmp

May infect USB drives

Source: LisectAVT_2403002A_473.exe, 00000000.00000002.1280963638.0000000002E01000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: autorun.inf
Source: LisectAVT_2403002A_473.exe, 00000000.00000002.1280963638.0000000002E01000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: [autorun]
Source: LisectAVT_2403002A_473.exe, 00000000.00000000.1256648440.000000000084B000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: autorun.inf
Source: LisectAVT_2403002A_473.exe, 00000000.00000000.1256648440.000000000084B000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: [autorun]
Source: LocalM_d_cKXRrV.exe, 00000003.00000002.1338451388.0000000002C14000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: autorun.inf
Source: LocalM_d_cKXRrV.exe, 00000003.00000002.1338451388.0000000002C14000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: [autorun]
Source: LocalM_d_cKXRrV.exe, 00000003.00000000.1264112585.00000000005C2000.00000002.00000001.01000000.00000006.sdmp	Binary or memory string: autorun.inf
Source: LocalM_d_cKXRrV.exe, 00000003.00000000.1264112585.00000000005C2000.00000002.00000001.01000000.00000006.sdmp	Binary or memory string: [autorun]
Source: server.exe, 00000010.00000002.3774758497.0000000002EA1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: autorun.inf
Source: server.exe, 00000010.00000002.3774758497.0000000002EA1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: [autorun]
Source: LisectAVT_2403002A_473.exe	Binary or memory string: autorun.inf
Source: LisectAVT_2403002A_473.exe	Binary or memory string: [autorun]

Source: chrome.exe

Memory has grown: Private usage: 0MB later: 38MB

Networking

Yara detected MSILDownloaderGeneric

Source: Yara match

File source: Process Memory Space: CustomRP.exe PID: 8140, type: MEMORYSTR

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: h2cker.ddns.net

Performs DNS queries to domains with low reputation

Source: C:\Program Files\Google\Chrome\Application\chrome.exe	DNS query: docs.customrp.xyz
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	DNS query: docs.customrp.xyz
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	DNS query: docs.customrp.xyz
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	DNS query: docs.customrp.xyz

Uses dynamic DNS services

Source: unknown

DNS query: name: h2cker.ddns.net

Yara detected Generic Downloader

Source: Yara match	File source: LisectAVT_2403002A_473.exe, type: SAMPLE
Source: Yara match	File source: 8.0.Local_wGRdnhmmy.exe.3c0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.2.CustomRP.exe.ce90000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.LisectAVT_2403002A_473.exe.8353e7.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.LocalylmNBbjoFA.exe.8441d8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.LisectAVT_2403002A_473.exe.1344c248.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.LocalylmNBbjoFA.exe.2f1c470.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 39.3.CustomRP.1.17.26.tmp.594b3d4.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 39.3.CustomRP.1.17.26.tmp.595fbd4.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.LisectAVT_2403002A_473.exe.1f0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.LocalylmNBbjoFA.exe.200000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.3.LocalwCRkvqzBqW.tmp.585edd4.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.3.LocalwCRkvqzBqW.tmp.584a5d4.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: Process Memory Space: CustomRP.exe PID: 8140, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\CustomRP\is-8ECJB.tmp, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Roaming\CustomRP\is-VUD2Q.tmp, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local_wGRdnhmmy.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\LocalylmNBbjoFA.exe, type: DROPPED

HTTP GET or POST without a user agent

Source: global traffic	HTTP traffic detected: GET /maximmax42/Discord-CustomRP/releases/download/1.17.26/CustomRP.1.17.26.exe HTTP/1.1Host: github.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /github-production-release-asset-2e65be/158286982/4e44c323-1ab5-4a78-8eac-2af3792e6492?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=releaseassetproduction%2F20240725%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20240725T174543Z&X-Amz-Expires=300&X-Amz-Signature=2b8c79c3814c9ddb3cea189dda427c0b109df098f19b5b63fe34e9d54974f545&X-Amz-SignedHeaders=host&actor_id=0&key_id=0&repo_id=158286982&response-content-disposition=attachment%3B%20filename%3DCustomRP.1.17.26.exe&response-content-type=application%2Foctet-stream HTTP/1.1Host: objects.githubusercontent.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 20.50.201.200
Source: unknown	TCP traffic detected without corresponding DNS query: 20.50.201.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 20.50.201.200
Source: unknown	TCP traffic detected without corresponding DNS query: 20.50.201.200
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 20.50.201.200
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 20.50.201.200
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 40.127.169.103
Source: unknown	TCP traffic detected without corresponding DNS query: 40.127.169.103
Source: unknown	TCP traffic detected without corresponding DNS query: 40.127.169.103
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 40.127.169.103
Source: unknown	TCP traffic detected without corresponding DNS query: 40.127.169.103
Source: unknown	TCP traffic detected without corresponding DNS query: 40.127.169.103
Source: unknown	TCP traffic detected without corresponding DNS query: 40.127.169.103
Source: unknown	TCP traffic detected without corresponding DNS query: 40.127.169.103
Source: unknown	TCP traffic detected without corresponding DNS query: 40.127.169.103
Source: unknown	TCP traffic detected without corresponding DNS query: 40.127.169.103
Source: unknown	TCP traffic detected without corresponding DNS query: 40.127.169.103
Source: unknown	TCP traffic detected without corresponding DNS query: 40.127.169.103
Source: unknown	TCP traffic detected without corresponding DNS query: 40.127.169.103
Source: unknown	TCP traffic detected without corresponding DNS query: 20.50.201.200
Source: unknown	TCP traffic detected without corresponding DNS query: 40.127.169.103
Source: unknown	TCP traffic detected without corresponding DNS query: 40.127.169.103
Source: unknown	TCP traffic detected without corresponding DNS query: 40.127.169.103
Source: unknown	TCP traffic detected without corresponding DNS query: 40.127.169.103
Source: unknown	TCP traffic detected without corresponding DNS query: 40.127.169.103
Source: unknown	TCP traffic detected without corresponding DNS query: 40.127.169.103
Source: unknown	TCP traffic detected without corresponding DNS query: 40.127.169.103
Source: unknown	TCP traffic detected without corresponding DNS query: 40.127.169.103
Source: unknown	TCP traffic detected without corresponding DNS query: 40.127.169.103
Source: unknown	TCP traffic detected without corresponding DNS query: 40.127.169.103
Source: unknown	TCP traffic detected without corresponding DNS query: 40.127.169.103
Source: unknown	TCP traffic detected without corresponding DNS query: 40.127.169.103

Source: global traffic	HTTP traffic detected: GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=gpRo43W+uZKaMDS&MD=X2XeBryM HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: global traffic	HTTP traffic detected: GET /repos/maximmax42/Discord-CustomRP/releases HTTP/1.1Accept: application/vnd.github.v3User-Agent: CustomRP (Win32NT 10.0.19045; amd64; en-CH; Octokit.net 9.1.2+e87aa64973860122e2c2ba6aa6634f8961c4cc99)Host: api.github.comAccept-Encoding: gzip, deflateConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /repositories/158286982/releases?page=2 HTTP/1.1Accept: application/vnd.github.v3User-Agent: CustomRP (Win32NT 10.0.19045; amd64; en-CH; Octokit.net 9.1.2+e87aa64973860122e2c2ba6aa6634f8961c4cc99)Host: api.github.comAccept-Encoding: gzip, deflate
Source: global traffic	HTTP traffic detected: GET /repositories/158286982/releases?page=3 HTTP/1.1Accept: application/vnd.github.v3User-Agent: CustomRP (Win32NT 10.0.19045; amd64; en-CH; Octokit.net 9.1.2+e87aa64973860122e2c2ba6aa6634f8961c4cc99)Host: api.github.comAccept-Encoding: gzip, deflate
Source: global traffic	HTTP traffic detected: GET /setting-up HTTP/1.1Host: docs.customrp.xyzConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /_next/static/css/74e2fcdb16cfacd8.css HTTP/1.1Host: docs.customrp.xyzConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: text/css,/;q=0.1Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: styleReferer: https://docs.customrp.xyz/setting-upAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /_next/static/css/b9d4de855d30ec1d.css HTTP/1.1Host: docs.customrp.xyzConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: text/css,/;q=0.1Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: styleReferer: https://docs.customrp.xyz/setting-upAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /_next/static/css/9788c0e64943a60e.css HTTP/1.1Host: docs.customrp.xyzConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: text/css,/;q=0.1Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: styleReferer: https://docs.customrp.xyz/setting-upAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /_next/static/css/7a9c2d78b5e93503.css HTTP/1.1Host: docs.customrp.xyzConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: text/css,/;q=0.1Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: styleReferer: https://docs.customrp.xyz/setting-upAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /_next/static/css/3fe48cabb38955f2.css HTTP/1.1Host: docs.customrp.xyzConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: text/css,/;q=0.1Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: styleReferer: https://docs.customrp.xyz/setting-upAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /~gitbook/image?url=https%3A%2F%2F3448418481-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fcollections%252Fb7ivX6BQQxRccY1orTyN%252Ficon%252FnkaA7BNDEwNuDrY1Bu5Z%252Flogo.png%3Falt%3Dmedia%26token%3D8a0a99e6-b7f7-4e7b-9a7d-ec4200fc5dbe&width=32&dpr=1&quality=100&sign=bb6256&sv=1 HTTP/1.1Host: docs.customrp.xyzConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://docs.customrp.xyz/setting-upAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /repositories/158286982/releases?page=4 HTTP/1.1Accept: application/vnd.github.v3User-Agent: CustomRP (Win32NT 10.0.19045; amd64; en-CH; Octokit.net 9.1.2+e87aa64973860122e2c2ba6aa6634f8961c4cc99)Host: api.github.comAccept-Encoding: gzip, deflate
Source: global traffic	HTTP traffic detected: GET /~gitbook/image?url=https%3A%2F%2Fgithub.com%2Fmaximmax42%2FCustomRP-Docs%2Fassets%2F2225711%2Fa1b8cb1e-7f88-4061-b297-2691523718a5&width=768&dpr=1&quality=100&sign=1352a698&sv=1 HTTP/1.1Host: docs.customrp.xyzConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://docs.customrp.xyz/setting-upAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /_next/static/chunks/webpack-57a2c0165c63471b.js HTTP/1.1Host: docs.customrp.xyzConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://docs.customrp.xyz/setting-upAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /_next/static/chunks/1dd3208c-be983e9332503385.js HTTP/1.1Host: docs.customrp.xyzConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://docs.customrp.xyz/setting-upAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /_next/static/chunks/9297-f3eccea4ea14abf3.js HTTP/1.1Host: docs.customrp.xyzConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://docs.customrp.xyz/setting-upAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /_next/static/chunks/main-app-1db0f0cc75a347a1.js HTTP/1.1Host: docs.customrp.xyzConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://docs.customrp.xyz/setting-upAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /_next/static/media/c9a5bc6a7c948fb0-s.woff2 HTTP/1.1Host: docs.customrp.xyzConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Origin: https://docs.customrp.xyzsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: same-originSec-Fetch-Mode: corsSec-Fetch-Dest: fontReferer: https://docs.customrp.xyz/_next/static/css/74e2fcdb16cfacd8.cssAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /_next/static/media/79ec87d3cdff1fa5-s.woff2 HTTP/1.1Host: docs.customrp.xyzConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Origin: https://docs.customrp.xyzsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: same-originSec-Fetch-Mode: corsSec-Fetch-Dest: fontReferer: https://docs.customrp.xyz/_next/static/css/74e2fcdb16cfacd8.cssAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /_next/static/media/3478b6abef19b3b3-s.woff2 HTTP/1.1Host: docs.customrp.xyzConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Origin: https://docs.customrp.xyzsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: same-originSec-Fetch-Mode: corsSec-Fetch-Dest: fontReferer: https://docs.customrp.xyz/_next/static/css/74e2fcdb16cfacd8.cssAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /_next/static/chunks/app/global-error-fb32fca0ade143dc.js HTTP/1.1Host: docs.customrp.xyzConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://docs.customrp.xyz/setting-upAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /_next/static/chunks/b5d5b83b-50e242a0019abc1b.js HTTP/1.1Host: docs.customrp.xyzConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://docs.customrp.xyz/setting-upAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=gpRo43W+uZKaMDS&MD=X2XeBryM HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: global traffic	HTTP traffic detected: GET /_next/static/chunks/8041-39d7cacda46bd1fd.js HTTP/1.1Host: docs.customrp.xyzConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://docs.customrp.xyz/setting-upAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /_next/static/chunks/9658-f6b5423552e90c65.js HTTP/1.1Host: docs.customrp.xyzConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://docs.customrp.xyz/setting-upAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /_next/static/chunks/app/(space)/layout-4f711d9c51dccb47.js HTTP/1.1Host: docs.customrp.xyzConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://docs.customrp.xyz/setting-upAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /_next/static/chunks/app/(space)/error-0586e6623f4790f0.js HTTP/1.1Host: docs.customrp.xyzConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://docs.customrp.xyz/setting-upAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /_next/static/chunks/339-d1fe13e12cfd6d9a.js HTTP/1.1Host: docs.customrp.xyzConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://docs.customrp.xyz/setting-upAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /~gitbook/image?url=https%3A%2F%2F3448418481-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fcollections%252Fb7ivX6BQQxRccY1orTyN%252Ficon%252FnkaA7BNDEwNuDrY1Bu5Z%252Flogo.png%3Falt%3Dmedia%26token%3D8a0a99e6-b7f7-4e7b-9a7d-ec4200fc5dbe&width=32&dpr=1&quality=100&sign=bb6256&sv=1 HTTP/1.1Host: docs.customrp.xyzConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /_next/static/chunks/main-app-1db0f0cc75a347a1.js HTTP/1.1Host: docs.customrp.xyzConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /_next/static/chunks/8390-95889667ae2a0528.js HTTP/1.1Host: docs.customrp.xyzConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://docs.customrp.xyz/setting-upAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /_next/static/chunks/5810-30abd17002efe9e2.js HTTP/1.1Host: docs.customrp.xyzConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://docs.customrp.xyz/setting-upAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /_next/static/chunks/webpack-57a2c0165c63471b.js HTTP/1.1Host: docs.customrp.xyzConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /~gitbook/image?url=https%3A%2F%2Fgithub.com%2Fmaximmax42%2FCustomRP-Docs%2Fassets%2F2225711%2Fa1b8cb1e-7f88-4061-b297-2691523718a5&width=768&dpr=1&quality=100&sign=1352a698&sv=1 HTTP/1.1Host: docs.customrp.xyzConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /_next/static/chunks/9297-f3eccea4ea14abf3.js HTTP/1.1Host: docs.customrp.xyzConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /_next/static/chunks/1dd3208c-be983e9332503385.js HTTP/1.1Host: docs.customrp.xyzConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /_next/static/chunks/132-510ddc716fcc679e.js HTTP/1.1Host: docs.customrp.xyzConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://docs.customrp.xyz/setting-upAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /_next/static/chunks/app/(space)/(content)/layout-e9465a8d877efffb.js HTTP/1.1Host: docs.customrp.xyzConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://docs.customrp.xyz/setting-upAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /_next/static/chunks/app/(space)/(content)/%5B%5B...pathname%5D%5D/loading-dce89470a41df777.js HTTP/1.1Host: docs.customrp.xyzConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://docs.customrp.xyz/setting-upAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /_next/static/chunks/app/global-error-fb32fca0ade143dc.js HTTP/1.1Host: docs.customrp.xyzConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /_next/static/chunks/b5d5b83b-50e242a0019abc1b.js HTTP/1.1Host: docs.customrp.xyzConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /_next/static/chunks/9658-f6b5423552e90c65.js HTTP/1.1Host: docs.customrp.xyzConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /_next/static/chunks/7235-f53aca4aaa75d87a.js HTTP/1.1Host: docs.customrp.xyzConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://docs.customrp.xyz/setting-upAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /_next/static/chunks/3692-21fb69fe908f900d.js HTTP/1.1Host: docs.customrp.xyzConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://docs.customrp.xyz/setting-upAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /_next/static/chunks/9894-269c203cc6669c21.js HTTP/1.1Host: docs.customrp.xyzConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://docs.customrp.xyz/setting-upAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /_next/static/chunks/64-3b527308c4d47fe5.js HTTP/1.1Host: docs.customrp.xyzConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://docs.customrp.xyz/setting-upAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /_next/static/chunks/8041-39d7cacda46bd1fd.js HTTP/1.1Host: docs.customrp.xyzConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /_next/static/chunks/app/(space)/(content)/%5B%5B...pathname%5D%5D/page-ec571d2756d4b9b5.js HTTP/1.1Host: docs.customrp.xyzConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://docs.customrp.xyz/setting-upAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /_next/static/chunks/app/(space)/layout-4f711d9c51dccb47.js HTTP/1.1Host: docs.customrp.xyzConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /_next/static/chunks/app/(space)/error-0586e6623f4790f0.js HTTP/1.1Host: docs.customrp.xyzConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /_next/static/chunks/8390-95889667ae2a0528.js HTTP/1.1Host: docs.customrp.xyzConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /_next/static/chunks/132-510ddc716fcc679e.js HTTP/1.1Host: docs.customrp.xyzConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /?_rsc=11g49 HTTP/1.1Host: docs.customrp.xyzConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Next-Router-State-Tree: %5B%22%22%2C%7B%22children%22%3A%5B%22(space)%22%2C%7B%22children%22%3A%5B%22(content)%22%2C%7B%22children%22%3A%5B%5B%22pathname%22%2C%22setting-up%22%2C%22oc%22%5D%2C%7B%22children%22%3A%5B%22__PAGE__%3F%7B%5C%22pathname%5C%22%3A%5B%5C%22setting-up%5C%22%5D%7D%22%2C%7B%7D%5D%7D%5D%7D%5D%7D%2Cnull%2Cnull%2Ctrue%5D%7D%5DNext-Router-Prefetch: 1sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Next-Url: /setting-upRSC: 1sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: same-originSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: https://docs.customrp.xyz/setting-upAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /maximmax42/Discord-CustomRP/releases/download/1.17.26/CustomRP.1.17.26.exe HTTP/1.1Host: github.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /setting-up?_rsc=11g49 HTTP/1.1Host: docs.customrp.xyzConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Next-Router-State-Tree: %5B%22%22%2C%7B%22children%22%3A%5B%22(space)%22%2C%7B%22children%22%3A%5B%22(content)%22%2C%7B%22children%22%3A%5B%5B%22pathname%22%2C%22setting-up%22%2C%22oc%22%5D%2C%7B%22children%22%3A%5B%22__PAGE__%3F%7B%5C%22pathname%5C%22%3A%5B%5C%22setting-up%5C%22%5D%7D%22%2C%7B%7D%5D%7D%5D%7D%5D%7D%2Cnull%2Cnull%2Ctrue%5D%7D%5DNext-Router-Prefetch: 1sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Next-Url: /setting-upRSC: 1sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: same-originSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: https://docs.customrp.xyz/setting-upAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /faq?_rsc=11g49 HTTP/1.1Host: docs.customrp.xyzConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Next-Router-State-Tree: %5B%22%22%2C%7B%22children%22%3A%5B%22(space)%22%2C%7B%22children%22%3A%5B%22(content)%22%2C%7B%22children%22%3A%5B%5B%22pathname%22%2C%22setting-up%22%2C%22oc%22%5D%2C%7B%22children%22%3A%5B%22__PAGE__%3F%7B%5C%22pathname%5C%22%3A%5B%5C%22setting-up%5C%22%5D%7D%22%2C%7B%7D%5D%7D%5D%7D%5D%7D%2Cnull%2Cnull%2Ctrue%5D%7D%5DNext-Router-Prefetch: 1sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Next-Url: /setting-upRSC: 1sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: same-originSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: https://docs.customrp.xyz/setting-upAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /_next/static/chunks/339-d1fe13e12cfd6d9a.js HTTP/1.1Host: docs.customrp.xyzConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /~gitbook/image?url=https%3A%2F%2Fuser-images.githubusercontent.com%2F2225711%2F161050202-c796103d-6712-401e-be96-3f3712512375.png&width=768&dpr=1&quality=100&sign=1d31e0c1&sv=1 HTTP/1.1Host: docs.customrp.xyzConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://docs.customrp.xyz/setting-upAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /_next/static/chunks/app/(space)/(content)/layout-e9465a8d877efffb.js HTTP/1.1Host: docs.customrp.xyzConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /_next/static/chunks/5810-30abd17002efe9e2.js HTTP/1.1Host: docs.customrp.xyzConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /~gitbook/image?url=https%3A%2F%2Fuser-images.githubusercontent.com%2F2225711%2F161050341-8169af53-5d3f-44d6-b745-cc711e8d1476.png&width=768&dpr=1&quality=100&sign=eff0ff8&sv=1 HTTP/1.1Host: docs.customrp.xyzConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://docs.customrp.xyz/setting-upAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /~gitbook/image?url=https%3A%2F%2Fgithub.com%2Fmaximmax42%2FCustomRP-Docs%2Fassets%2F2225711%2Fa1b8cb1e-7f88-4061-b297-2691523718a5&width=768&dpr=4&quality=100&sign=1352a698&sv=1 HTTP/1.1Host: docs.customrp.xyzConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://docs.customrp.xyz/setting-upAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /_next/static/chunks/app/(space)/(content)/%5B%5B...pathname%5D%5D/loading-dce89470a41df777.js HTTP/1.1Host: docs.customrp.xyzConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /_next/static/chunks/7235-f53aca4aaa75d87a.js HTTP/1.1Host: docs.customrp.xyzConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /__session?proposed=c7fb3030-4991-43e6-a825-1b67f742be0cR HTTP/1.1Host: app.gitbook.comConnection: keep-aliveCache-Control: max-age=0sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Origin: https://docs.customrp.xyzSec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: https://docs.customrp.xyz/setting-upAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /_next/static/chunks/3692-21fb69fe908f900d.js HTTP/1.1Host: docs.customrp.xyzConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /github-production-release-asset-2e65be/158286982/4e44c323-1ab5-4a78-8eac-2af3792e6492?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=releaseassetproduction%2F20240725%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20240725T174543Z&X-Amz-Expires=300&X-Amz-Signature=2b8c79c3814c9ddb3cea189dda427c0b109df098f19b5b63fe34e9d54974f545&X-Amz-SignedHeaders=host&actor_id=0&key_id=0&repo_id=158286982&response-content-disposition=attachment%3B%20filename%3DCustomRP.1.17.26.exe&response-content-type=application%2Foctet-stream HTTP/1.1Host: objects.githubusercontent.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /~gitbook/image?url=https%3A%2F%2Fuser-images.githubusercontent.com%2F2225711%2F161050202-c796103d-6712-401e-be96-3f3712512375.png&width=768&dpr=4&quality=100&sign=1d31e0c1&sv=1 HTTP/1.1Host: docs.customrp.xyzConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://docs.customrp.xyz/setting-upAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /~gitbook/image?url=https%3A%2F%2Fuser-images.githubusercontent.com%2F2225711%2F161050341-8169af53-5d3f-44d6-b745-cc711e8d1476.png&width=768&dpr=4&quality=100&sign=eff0ff8&sv=1 HTTP/1.1Host: docs.customrp.xyzConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://docs.customrp.xyz/setting-upAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /_next/static/chunks/9894-269c203cc6669c21.js HTTP/1.1Host: docs.customrp.xyzConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /_next/static/chunks/64-3b527308c4d47fe5.js HTTP/1.1Host: docs.customrp.xyzConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /_next/static/chunks/app/(space)/(content)/%5B%5B...pathname%5D%5D/page-ec571d2756d4b9b5.js HTTP/1.1Host: docs.customrp.xyzConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /~/files/v0/b/gitbook-x-prod.appspot.com/o/collections%2Fb7ivX6BQQxRccY1orTyN%2Ficon%2FnkaA7BNDEwNuDrY1Bu5Z%2Flogo.png?alt=media&token=8a0a99e6-b7f7-4e7b-9a7d-ec4200fc5dbe HTTP/1.1Host: 3448418481-files.gitbook.ioConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://docs.customrp.xyz/setting-upAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /setting-up?_rsc=11g49 HTTP/1.1Host: docs.customrp.xyzConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /~gitbook/image?url=https%3A%2F%2Fuser-images.githubusercontent.com%2F2225711%2F161050202-c796103d-6712-401e-be96-3f3712512375.png&width=768&dpr=1&quality=100&sign=1d31e0c1&sv=1 HTTP/1.1Host: docs.customrp.xyzConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /faq?_rsc=11g49 HTTP/1.1Host: docs.customrp.xyzConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /__session?proposed=c7fb3030-4991-43e6-a825-1b67f742be0cR HTTP/1.1Host: app.gitbook.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: __session=c7fb3030-4991-43e6-a825-1b67f742be0cR
Source: global traffic	HTTP traffic detected: GET /~gitbook/image?url=https%3A%2F%2Fuser-images.githubusercontent.com%2F2225711%2F161050341-8169af53-5d3f-44d6-b745-cc711e8d1476.png&width=768&dpr=1&quality=100&sign=eff0ff8&sv=1 HTTP/1.1Host: docs.customrp.xyzConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /?_rsc=11g49 HTTP/1.1Host: docs.customrp.xyzConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /~gitbook/image?url=https%3A%2F%2Fgithub.com%2Fmaximmax42%2FCustomRP-Docs%2Fassets%2F2225711%2Fa1b8cb1e-7f88-4061-b297-2691523718a5&width=768&dpr=4&quality=100&sign=1352a698&sv=1 HTTP/1.1Host: docs.customrp.xyzConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /~/files/v0/b/gitbook-x-prod.appspot.com/o/collections%2Fb7ivX6BQQxRccY1orTyN%2Ficon%2FnkaA7BNDEwNuDrY1Bu5Z%2Flogo.png?alt=media&token=8a0a99e6-b7f7-4e7b-9a7d-ec4200fc5dbe HTTP/1.1Host: 3448418481-files.gitbook.ioConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /~gitbook/image?url=https%3A%2F%2Fuser-images.githubusercontent.com%2F2225711%2F161050202-c796103d-6712-401e-be96-3f3712512375.png&width=768&dpr=4&quality=100&sign=1d31e0c1&sv=1 HTTP/1.1Host: docs.customrp.xyzConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /~gitbook/image?url=https%3A%2F%2Fuser-images.githubusercontent.com%2F2225711%2F161050341-8169af53-5d3f-44d6-b745-cc711e8d1476.png&width=768&dpr=4&quality=100&sign=eff0ff8&sv=1 HTTP/1.1Host: docs.customrp.xyzConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /repos/maximmax42/Discord-CustomRP/releases HTTP/1.1Accept: application/vnd.github.v3User-Agent: CustomRP (Win32NT 10.0.19045; amd64; en-CH; Octokit.net 11.0.1+4ca8f1cd2c7ab01143e5266ea44aaba39bfae85d)Host: api.github.comAccept-Encoding: gzip, deflateConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /repositories/158286982/releases?page=2 HTTP/1.1Accept: application/vnd.github.v3User-Agent: CustomRP (Win32NT 10.0.19045; amd64; en-CH; Octokit.net 11.0.1+4ca8f1cd2c7ab01143e5266ea44aaba39bfae85d)Host: api.github.comAccept-Encoding: gzip, deflate
Source: global traffic	HTTP traffic detected: GET /repositories/158286982/releases?page=3 HTTP/1.1Accept: application/vnd.github.v3User-Agent: CustomRP (Win32NT 10.0.19045; amd64; en-CH; Octokit.net 11.0.1+4ca8f1cd2c7ab01143e5266ea44aaba39bfae85d)Host: api.github.comAccept-Encoding: gzip, deflate
Source: global traffic	HTTP traffic detected: GET /repositories/158286982/releases?page=4 HTTP/1.1Accept: application/vnd.github.v3User-Agent: CustomRP (Win32NT 10.0.19045; amd64; en-CH; Octokit.net 11.0.1+4ca8f1cd2c7ab01143e5266ea44aaba39bfae85d)Host: api.github.comAccept-Encoding: gzip, deflate
Source: global traffic	HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Source: CustomRP.exe, 0000001A.00000002.1954935503.000000000342E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <a href="https://www.youtube.com/channel/UCVt43CrPLKNjaPs1r5Pcdnw">like button</a>), Thai, Turkish (new translator, Murat_Efendi) and Ukrainian (new translator, Illia).</p> equals www.youtube.com (Youtube)
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.00000000037F3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: * By the way, hello to all of the [No Text To Speech](https://www.youtube.com/channel/UCxaaULLk6UCnRl5VKRc7G0A) subscribers and viewers! equals www.youtube.com (Youtube)
Source: CustomRP.exe, 0000001A.00000002.1954935503.000000000342E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: * Updated Arabic, Estonian, Finnish, Filipino (new translator, [_missingo](https://www.youtube.com/channel/UCxNVq2Esevsdp2v1jGQNu5A)), Romanian, Slovenian (new translator, [like button](https://www.youtube.com/channel/UCVt43CrPLKNjaPs1r5Pcdnw)), Thai, Turk equals www.youtube.com (Youtube)
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: * Updated Arabic, Estonian, Finnish, Filipino (new translator, [_missingo](https://www.youtube.com/channel/UCxNVq2Esevsdp2v1jGQNu5A)), Romanian, Slovenian (new translator, [like button](https://www.youtube.com/channel/UCVt43CrPLKNjaPs1r5Pcdnw)), Thai, Turkish (new translator, Murat_Efendi) and Ukrainian (new translator, Illia). equals www.youtube.com (Youtube)
Source: CustomRP.exe, 0000001A.00000002.1954935503.000000000342E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: * Updated Arabic, Estonian, Finnish, Filipino (new translator, [_missingo](https://www.youtube.com/channel/UCxNVq2Esevsdp2v1jGQNu5A)), Romanian, Slovenian (new translator, [like button](https://www.youtube.com/channel/UCVt43CrPLKNjaPs1r5Pcdnw)), Thai, Turkish (new translator, Murat_Efendi) and Ukrainian (new translator, Illia).LR equals www.youtube.com (Youtube)
Source: CustomRP.exe, 0000001A.00000002.1954935503.000000000342E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: * Updated Arabic, Estonian, Finnish, Filipino (new translator, [_missingo](https://www.youtube.com/channel/UCxNVq2Esevsdp2v1jGQNu5A)), Romanian, Slovenian (new translator, [like button](https://www.youtube.com/channel/UCVt43CrPLKNjaPs1r5Pcdnw)), Thai, Turkish (new translator, Murat_Efendi) and Ukrainian (new translator, Illia).x equals www.youtube.com (Youtube)
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: * Updated Bulgarian, Estonian, Persian, Finnish, Hindi, Italian (new translator, [NEKO](https://www.youtube.com/@ilcanaledineko)), Japanese, Panjabi, Portuguese, Thai (new translator, toonnongaeoy), Chinese. equals www.youtube.com (Youtube)
Source: CustomRP.exe, 0000001A.00000002.1954935503.000000000342E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <p>Updated Arabic, Estonian, Finnish, Filipino (new translator, <a href="https://www.youtube.com/channel/UCxNVq2Esevsdp2v1jGQNu5A">_missingo</a>), Romanian, Slovenian (new translator, <a href="https://www.youtube.com/channel/UCVt43CrPLKNjaPs1r5Pcdnw">like button</a>), Thai, Turkish (new transla equals www.youtube.com (Youtube)
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003444000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <p>Updated Arabic, Estonian, Finnish, Filipino (new translator, <a href="https://www.youtube.com/channel/UCxNVq2Esevsdp2v1jGQNu5A">_missingo</a>), Romanian, Slovenian (new translator, <a href="https://www.youtube.com/channel/UCVt43CrPLKNjaPs1r5Pcdnw">like button</a>), Thai, Turkish (new translator, Murat_Efendi) and Ukrainian (new translator, Illia).</p> equals www.youtube.com (Youtube)
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003427000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <p>Updated Arabic, Estonian, Finnish, Filipino (new translator, <a href="https://www.youtube.com/channel/UCxNVq2Esevsdp2v1jGQNu5A">_missingo</a>), Romanian, Slovenian (new translator, equals www.youtube.com (Youtube)
Source: CustomRP.exe, 0000001A.00000000.1657558451.0000000000AB2000.00000002.00000001.01000000.00000010.sdmp, CustomRP.exe, 0000002A.00000000.2191328539.0000000000E72000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: DJD320NEKOOhttps://www.youtube.com/@ilcanaledinekoFrin equals www.youtube.com (Youtube)
Source: CustomRP.exe, 0000001A.00000000.1657558451.0000000000AB2000.00000002.00000001.01000000.00000010.sdmp, CustomRP.exe, 0000002A.00000000.2191328539.0000000000E72000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: DiDYROqhttps://www.youtube.com/channel/UCjij9nYlEyPl5aVYnJkvx2w equals www.youtube.com (Youtube)
Source: CustomRP.exe, 0000001A.00000000.1657558451.0000000000AB2000.00000002.00000001.01000000.00000010.sdmp, CustomRP.exe, 0000002A.00000000.2191328539.0000000000E72000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: Galaxy6430qhttps://www.youtube.com/channel/UC_cnrLEXfwsZoQxEsM95HXg equals www.youtube.com (Youtube)
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Thanks to [Mykm](https://github.com/yumiruuwu) and [Sojpan](https://twitter.com/Illeg__al) for their donations! If you want to donate as well, check out [CustomRP's website](https://www.customrp.xyz/?donate)! equals www.twitter.com (Twitter)
Source: CustomRP.exe, 0000001A.00000000.1657558451.0000000000AB2000.00000002.00000001.01000000.00000010.sdmp, CustomRP.exe, 0000002A.00000000.2191328539.0000000000E72000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: Ypsolqhttps://www.youtube.com/channel/UCxGqMDnXnEyVt4yugLeBpgA equals www.youtube.com (Youtube)
Source: CustomRP.exe, 0000002A.00000000.2191328539.0000000000E72000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: _missingoqhttps://www.youtube.com/channel/UCxNVq2Esevsdp2v1jGQNu5A equals www.youtube.com (Youtube)
Source: CustomRP.exe, 0000001A.00000000.1657558451.0000000000AB2000.00000002.00000001.01000000.00000010.sdmp, CustomRP.exe, 0000002A.00000000.2191328539.0000000000E72000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: fil!CtrlAltDeliciousWhttps://www.youtube.com/c/CtrlAltDelicious_ equals www.youtube.com (Youtube)
Source: CustomRP.exe, 0000002A.00000000.2191328539.0000000000E72000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: like buttonqhttps://www.youtube.com/channel/UCVt43CrPLKNjaPs1r5Pcdnw equals www.youtube.com (Youtube)
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000002EB1000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003312000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: q'https://www.youtube.com/@ilcanaledineko equals www.youtube.com (Youtube)
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000002EB1000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003312000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: q+https://www.youtube.com/c/CtrlAltDelicious_ equals www.youtube.com (Youtube)
Source: CustomRP.exe, 0000002A.00000002.3776335624.0000000003312000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: q8https://www.youtube.com/channel/UCVt43CrPLKNjaPs1r5Pcdnw equals www.youtube.com (Youtube)
Source: CustomRP.exe, 0000001A.00000002.1954935503.00000000034DF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: q8https://www.youtube.com/channel/UCVt43CrPLKNjaPs1r5Pcdnw f equals www.youtube.com (Youtube)
Source: CustomRP.exe, 0000001A.00000002.1954935503.000000000342E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: q8https://www.youtube.com/channel/UCVt43CrPLKNjaPs1r5Pcdnw`, equals www.youtube.com (Youtube)
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000002EB1000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003312000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: q8https://www.youtube.com/channel/UC_cnrLEXfwsZoQxEsM95HXg equals www.youtube.com (Youtube)
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000002EB1000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003312000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: q8https://www.youtube.com/channel/UCjij9nYlEyPl5aVYnJkvx2w equals www.youtube.com (Youtube)
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000002EB1000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003312000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: q8https://www.youtube.com/channel/UCxGqMDnXnEyVt4yugLeBpgA equals www.youtube.com (Youtube)
Source: CustomRP.exe, 0000002A.00000002.3776335624.0000000003312000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: q8https://www.youtube.com/channel/UCxNVq2Esevsdp2v1jGQNu5A equals www.youtube.com (Youtube)
Source: CustomRP.exe, 0000001A.00000002.1954935503.00000000034DF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: q8https://www.youtube.com/channel/UCxNVq2Esevsdp2v1jGQNu5A f equals www.youtube.com (Youtube)
Source: CustomRP.exe, 0000001A.00000002.1954935503.000000000342E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: q8https://www.youtube.com/channel/UCxNVq2Esevsdp2v1jGQNu5A`, equals www.youtube.com (Youtube)

Source: global traffic	DNS traffic detected: DNS query: ip-api.com
Source: global traffic	DNS traffic detected: DNS query: h2cker.ddns.net
Source: global traffic	DNS traffic detected: DNS query: api.github.com
Source: global traffic	DNS traffic detected: DNS query: in.appcenter.ms
Source: global traffic	DNS traffic detected: DNS query: docs.customrp.xyz
Source: global traffic	DNS traffic detected: DNS query: api.gitbook.com
Source: global traffic	DNS traffic detected: DNS query: www.google.com
Source: global traffic	DNS traffic detected: DNS query: github.com
Source: global traffic	DNS traffic detected: DNS query: app.gitbook.com
Source: global traffic	DNS traffic detected: DNS query: objects.githubusercontent.com
Source: global traffic	DNS traffic detected: DNS query: 3448418481-files.gitbook.io

Source: unknown

HTTP traffic detected: POST /v1/spaces/5gJfBQC2iWNK0J953fo2/insights/track_view HTTP/1.1Host: api.gitbook.comConnection: keep-aliveContent-Length: 316sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-platform: "Windows"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Content-Type: application/jsonAccept: */*Origin: https://docs.customrp.xyzSec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: https://docs.customrp.xyz/setting-upAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9

Source: LocalwCRkvqzBqW.tmp, 0000000E.00000003.1661520651.00000000057AF000.00000004.00001000.00020000.00000000.sdmp, CustomRP.1.17.26.tmp, 00000027.00000003.2195222115.00000000058B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: LocalwCRkvqzBqW.tmp, 0000000E.00000003.1661520651.00000000057AF000.00000004.00001000.00020000.00000000.sdmp, CustomRP.1.17.26.tmp, 00000027.00000003.2195222115.00000000058B0000.00000004.00001000.00020000.00000000.sdmp, is-N75LE.tmp.14.dr, is-8B8DA.tmp.39.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: LocalwCRkvqzBqW.tmp, 0000000E.00000003.1661520651.00000000057AF000.00000004.00001000.00020000.00000000.sdmp, CustomRP.1.17.26.tmp, 00000027.00000003.2195222115.00000000058B0000.00000004.00001000.00020000.00000000.sdmp, is-N75LE.tmp.14.dr, is-8B8DA.tmp.39.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertCSRSA4096RootG5.crt0E
Source: LocalwCRkvqzBqW.tmp, 0000000E.00000003.1661520651.00000000057AF000.00000004.00001000.00020000.00000000.sdmp, CustomRP.1.17.26.tmp, 00000027.00000003.2195222115.00000000058B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: LocalwCRkvqzBqW.tmp, 0000000E.00000003.1661520651.00000000057AF000.00000004.00001000.00020000.00000000.sdmp, CustomRP.1.17.26.tmp, 00000027.00000003.2195222115.00000000058B0000.00000004.00001000.00020000.00000000.sdmp, is-N75LE.tmp.14.dr, is-8B8DA.tmp.39.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: LocalwCRkvqzBqW.tmp, 0000000E.00000003.1661520651.00000000057AF000.00000004.00001000.00020000.00000000.sdmp, CustomRP.1.17.26.tmp, 00000027.00000003.2195222115.00000000058B0000.00000004.00001000.00020000.00000000.sdmp, is-N75LE.tmp.14.dr, is-8B8DA.tmp.39.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: LocalwCRkvqzBqW.tmp, 0000000E.00000003.1661520651.00000000057AF000.00000004.00001000.00020000.00000000.sdmp, CustomRP.1.17.26.tmp, 00000027.00000003.2195222115.00000000058B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/NETFoundationProjectsCodeSigningCA.crt0
Source: LocalwCRkvqzBqW.tmp, 0000000E.00000003.1661520651.00000000057AF000.00000004.00001000.00020000.00000000.sdmp, CustomRP.1.17.26.tmp, 00000027.00000003.2195222115.00000000058B0000.00000004.00001000.00020000.00000000.sdmp, is-N75LE.tmp.14.dr, is-8B8DA.tmp.39.dr	String found in binary or memory: http://cacerts.digicert.com/NETFoundationProjectsCodeSigningCA2.crt0
Source: LocalwCRkvqzBqW.tmp, 0000000E.00000003.1661520651.00000000057AF000.00000004.00001000.00020000.00000000.sdmp, CustomRP.1.17.26.tmp, 00000027.00000003.2195222115.00000000058B0000.00000004.00001000.00020000.00000000.sdmp, is-N75LE.tmp.14.dr, is-8B8DA.tmp.39.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: LocalwCRkvqzBqW.tmp, 0000000E.00000003.1661520651.00000000057AF000.00000004.00001000.00020000.00000000.sdmp, CustomRP.1.17.26.tmp, 00000027.00000003.2195222115.00000000058B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: LocalwCRkvqzBqW.tmp, 0000000E.00000003.1661520651.00000000057AF000.00000004.00001000.00020000.00000000.sdmp, CustomRP.1.17.26.tmp, 00000027.00000003.2195222115.00000000058B0000.00000004.00001000.00020000.00000000.sdmp, is-N75LE.tmp.14.dr, is-8B8DA.tmp.39.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertCSRSA4096RootG5.crl0
Source: LocalwCRkvqzBqW.tmp, 0000000E.00000003.1661520651.00000000057AF000.00000004.00001000.00020000.00000000.sdmp, CustomRP.1.17.26.tmp, 00000027.00000003.2195222115.00000000058B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0=
Source: LocalwCRkvqzBqW.tmp, 0000000E.00000003.1661520651.00000000057AF000.00000004.00001000.00020000.00000000.sdmp, CustomRP.1.17.26.tmp, 00000027.00000003.2195222115.00000000058B0000.00000004.00001000.00020000.00000000.sdmp, is-N75LE.tmp.14.dr, is-8B8DA.tmp.39.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: LocalwCRkvqzBqW.tmp, 0000000E.00000003.1661520651.00000000057AF000.00000004.00001000.00020000.00000000.sdmp, CustomRP.1.17.26.tmp, 00000027.00000003.2195222115.00000000058B0000.00000004.00001000.00020000.00000000.sdmp, is-N75LE.tmp.14.dr, is-8B8DA.tmp.39.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: LocalwCRkvqzBqW.tmp, 0000000E.00000003.1661520651.00000000057AF000.00000004.00001000.00020000.00000000.sdmp, CustomRP.1.17.26.tmp, 00000027.00000003.2195222115.00000000058B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/NETFoundationProjectsCodeSigningCA.crl0E
Source: LocalwCRkvqzBqW.tmp, 0000000E.00000003.1661520651.00000000057AF000.00000004.00001000.00020000.00000000.sdmp, CustomRP.1.17.26.tmp, 00000027.00000003.2195222115.00000000058B0000.00000004.00001000.00020000.00000000.sdmp, is-N75LE.tmp.14.dr, is-8B8DA.tmp.39.dr	String found in binary or memory: http://crl3.digicert.com/NETFoundationProjectsCodeSigningCA2.crl0F
Source: LocalwCRkvqzBqW.tmp, 0000000E.00000003.1661520651.00000000057AF000.00000004.00001000.00020000.00000000.sdmp, CustomRP.1.17.26.tmp, 00000027.00000003.2195222115.00000000058B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: LocalwCRkvqzBqW.tmp, 0000000E.00000003.1661520651.00000000057AF000.00000004.00001000.00020000.00000000.sdmp, CustomRP.1.17.26.tmp, 00000027.00000003.2195222115.00000000058B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: LocalwCRkvqzBqW.tmp, 0000000E.00000003.1661520651.00000000057AF000.00000004.00001000.00020000.00000000.sdmp, CustomRP.1.17.26.tmp, 00000027.00000003.2195222115.00000000058B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/NETFoundationProjectsCodeSigningCA.crl0L
Source: LocalwCRkvqzBqW.tmp, 0000000E.00000003.1661520651.00000000057AF000.00000004.00001000.00020000.00000000.sdmp, CustomRP.1.17.26.tmp, 00000027.00000003.2195222115.00000000058B0000.00000004.00001000.00020000.00000000.sdmp, is-N75LE.tmp.14.dr, is-8B8DA.tmp.39.dr	String found in binary or memory: http://crl4.digicert.com/NETFoundationProjectsCodeSigningCA2.crl0=
Source: LocalwCRkvqzBqW.tmp, 0000000E.00000003.1661520651.00000000057AF000.00000004.00001000.00020000.00000000.sdmp, CustomRP.1.17.26.tmp, 00000027.00000003.2195222115.00000000058B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: LocalwCRkvqzBqW.tmp, 0000000E.00000003.1661520651.00000000057AF000.00000004.00001000.00020000.00000000.sdmp, CustomRP.exe, CustomRP.exe, 0000001A.00000002.2039306519.000000000CE92000.00000002.00000001.01000000.00000025.sdmp, CustomRP.1.17.26.tmp, 00000027.00000003.2195222115.00000000058B0000.00000004.00001000.00020000.00000000.sdmp, is-8ECJB.tmp.39.dr	String found in binary or memory: http://gdata.youtube.com/feeds/api/videos/
Source: CustomRP.exe, 0000001A.00000002.1954935503.00000000034DF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://github.com
Source: CustomRP.exe, 0000001A.00000002.1954935503.00000000034DF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://github.comd
Source: LocalylmNBbjoFA.exe, 00000004.00000002.1293177261.0000000002EE1000.00000004.00000800.00020000.00000000.sdmp, Local_wGRdnhmmy.exe, 00000008.00000000.1281627960.00000000003C2000.00000002.00000001.01000000.00000008.sdmp, Local_wGRdnhmmy.exe, 00000008.00000002.3771976186.00000000025E1000.00000004.00000800.00020000.00000000.sdmp, LisectAVT_2403002A_473.exe	String found in binary or memory: http://ip-api.com/line/?fields=hosting
Source: CustomRP.exe, 0000001A.00000002.2000036377.00000000060C2000.00000002.00000001.01000000.00000015.sdmp, CustomRP.1.17.26.tmp, 00000027.00000003.2195222115.00000000058B0000.00000004.00001000.00020000.00000000.sdmp, is-N75LE.tmp.14.dr, is-8B8DA.tmp.39.dr	String found in binary or memory: http://james.newtonking.com/projects/json
Source: CustomRP.exe, 0000001A.00000002.1954935503.00000000034DF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://objects.githubusercontent.com
Source: CustomRP.exe, 0000001A.00000002.1954935503.00000000034DF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://objects.githubusercontent.comd
Source: LocalwCRkvqzBqW.tmp, 0000000E.00000003.1661520651.00000000057AF000.00000004.00001000.00020000.00000000.sdmp, CustomRP.1.17.26.tmp, 00000027.00000003.2195222115.00000000058B0000.00000004.00001000.00020000.00000000.sdmp, is-N75LE.tmp.14.dr, is-8B8DA.tmp.39.dr	String found in binary or memory: http://ocsp.digicert.com0A
Source: LocalwCRkvqzBqW.tmp, 0000000E.00000003.1661520651.00000000057AF000.00000004.00001000.00020000.00000000.sdmp, CustomRP.1.17.26.tmp, 00000027.00000003.2195222115.00000000058B0000.00000004.00001000.00020000.00000000.sdmp, is-N75LE.tmp.14.dr, is-8B8DA.tmp.39.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: LocalwCRkvqzBqW.tmp, 0000000E.00000003.1661520651.00000000057AF000.00000004.00001000.00020000.00000000.sdmp, CustomRP.1.17.26.tmp, 00000027.00000003.2195222115.00000000058B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0K
Source: LocalwCRkvqzBqW.tmp, 0000000E.00000003.1661520651.00000000057AF000.00000004.00001000.00020000.00000000.sdmp, CustomRP.1.17.26.tmp, 00000027.00000003.2195222115.00000000058B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0N
Source: LocalwCRkvqzBqW.tmp, 0000000E.00000003.1661520651.00000000057AF000.00000004.00001000.00020000.00000000.sdmp, CustomRP.1.17.26.tmp, 00000027.00000003.2195222115.00000000058B0000.00000004.00001000.00020000.00000000.sdmp, is-N75LE.tmp.14.dr, is-8B8DA.tmp.39.dr	String found in binary or memory: http://ocsp.digicert.com0O
Source: LocalwCRkvqzBqW.tmp, 0000000E.00000003.1661520651.00000000057AF000.00000004.00001000.00020000.00000000.sdmp, CustomRP.1.17.26.tmp, 00000027.00000003.2195222115.00000000058B0000.00000004.00001000.00020000.00000000.sdmp, is-N75LE.tmp.14.dr, is-8B8DA.tmp.39.dr	String found in binary or memory: http://ocsp.digicert.com0X
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000002EB1000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000000.1657558451.0000000000AB2000.00000002.00000001.01000000.00000010.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003312000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000000.2191328539.0000000000E72000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: http://rentry.org/infer
Source: Local_wGRdnhmmy.exe, 00000008.00000002.3771976186.00000000025E1000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000002.1954935503.0000000002EB1000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003312000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: LocalwCRkvqzBqW.tmp, 0000000E.00000003.1661520651.00000000057AF000.00000004.00001000.00020000.00000000.sdmp, CustomRP.exe, CustomRP.exe, 0000001A.00000002.2039306519.000000000CE92000.00000002.00000001.01000000.00000025.sdmp, CustomRP.1.17.26.tmp, 00000027.00000003.2195222115.00000000058B0000.00000004.00001000.00020000.00000000.sdmp, is-8ECJB.tmp.39.dr	String found in binary or memory: http://vimeo.com/api/v2/video/
Source: LocalwCRkvqzBqW.exe, 00000009.00000003.1286666525.00000000025A0000.00000004.00001000.00020000.00000000.sdmp, LocalwCRkvqzBqW.exe, 00000009.00000003.1687422302.000000000285D000.00000004.00001000.00020000.00000000.sdmp, LocalwCRkvqzBqW.tmp, 0000000E.00000003.1678955414.000000000379E000.00000004.00001000.00020000.00000000.sdmp, LocalwCRkvqzBqW.tmp, 0000000E.00000003.1316837154.0000000003530000.00000004.00001000.00020000.00000000.sdmp, CustomRP.1.17.26.exe, 00000026.00000003.2249734653.000000000287E000.00000004.00001000.00020000.00000000.sdmp, CustomRP.1.17.26.exe, 00000026.00000003.1943467551.0000000002626000.00000004.00001000.00020000.00000000.sdmp, CustomRP.1.17.26.tmp, 00000027.00000003.1954685395.0000000003610000.00000004.00001000.00020000.00000000.sdmp, CustomRP.1.17.26.tmp, 00000027.00000003.2220344770.00000000038B5000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.bernamegeh.net%1
Source: LocalwCRkvqzBqW.tmp, 0000000E.00000003.1661520651.00000000057AF000.00000004.00001000.00020000.00000000.sdmp, CustomRP.1.17.26.tmp, 00000027.00000003.2195222115.00000000058B0000.00000004.00001000.00020000.00000000.sdmp, is-N75LE.tmp.14.dr, is-8B8DA.tmp.39.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: LocalwCRkvqzBqW.exe, 00000009.00000003.1286666525.00000000025A0000.00000004.00001000.00020000.00000000.sdmp, LocalwCRkvqzBqW.exe, 00000009.00000003.1687422302.000000000285D000.00000004.00001000.00020000.00000000.sdmp, LocalwCRkvqzBqW.tmp, 0000000E.00000003.1678955414.000000000379E000.00000004.00001000.00020000.00000000.sdmp, LocalwCRkvqzBqW.tmp, 0000000E.00000003.1316837154.0000000003530000.00000004.00001000.00020000.00000000.sdmp, CustomRP.1.17.26.exe, 00000026.00000003.1943467551.000000000266A000.00000004.00001000.00020000.00000000.sdmp, CustomRP.1.17.26.tmp, 00000027.00000003.1954685395.0000000003610000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.dk-soft.org/
Source: LocalwCRkvqzBqW.exe, 00000009.00000003.1286666525.00000000025A0000.00000004.00001000.00020000.00000000.sdmp, LocalwCRkvqzBqW.exe, 00000009.00000003.1689132652.0000000002220000.00000004.00001000.00020000.00000000.sdmp, LocalwCRkvqzBqW.tmp, 0000000E.00000003.1678955414.000000000379E000.00000004.00001000.00020000.00000000.sdmp, LocalwCRkvqzBqW.tmp, 0000000E.00000003.1316837154.0000000003530000.00000004.00001000.00020000.00000000.sdmp, CustomRP.1.17.26.exe, 00000026.00000003.1943467551.0000000002580000.00000004.00001000.00020000.00000000.sdmp, CustomRP.1.17.26.tmp, 00000027.00000003.1954685395.0000000003610000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.haysoft.org%1-k
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000002EB1000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000000.1657558451.0000000000AB2000.00000002.00000001.01000000.00000010.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003312000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000000.2191328539.0000000000E72000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: https://4ng3l.com/
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000002EB1000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003312000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com
Source: LocalwCRkvqzBqW.tmp, 0000000E.00000003.1661520651.00000000057AF000.00000004.00001000.00020000.00000000.sdmp, CustomRP.exe, CustomRP.exe, 0000001A.00000002.2011935141.0000000009C32000.00000002.00000001.01000000.0000001D.sdmp, CustomRP.exe, 0000001A.00000002.1954935503.0000000002EB1000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003312000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3833471382.0000000006E82000.00000002.00000001.01000000.0000001D.sdmp	String found in binary or memory: https://api.github.com/
Source: CustomRP.exe, 0000001A.00000002.1954935503.000000000321C000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/m
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/releases/105004829
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/releases/105004829/assets
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/releases/108138526
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/releases/108138526/assets
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/releases/110103989
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/releases/110103989/assets
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/releases/114405601
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/releases/114405601/assets
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/releases/117069059
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/releases/117069059/assets
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/releases/120548332
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/releases/120548332/assets
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/releases/120549358
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/releases/120549358/assets
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/releases/125125712
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/releases/125125712/assets
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/releases/129056474
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/releases/129056474/assets
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/releases/130222051
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/releases/130222051/assets
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/releases/133326853
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/releases/133326853/assets
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/releases/136095786
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/releases/136095786/assets
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/releases/139819712
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/releases/139819712/assets
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003882000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.00000000037F3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/releases/14166878
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003882000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.00000000037F3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/releases/14166878/assets
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003882000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/releases/14166878/assetsLR
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003882000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/releases/14166878lB
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/releases/142494604
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/releases/142494604/assets
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/releases/143518737
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/releases/143518737/assets
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/releases/143526226
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/releases/143526226/assets
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/releases/148080647
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/releases/148080647/assets
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/releases/152239004
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/releases/152239004/assets
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/releases/154425515
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/releases/154425515/assets
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/releases/157666663
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/releases/157666663/assets
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/releases/161927593
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/releases/161927593/assets
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3821093463.00000000043AA000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003608000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/releases/164296253
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3821093463.00000000043AA000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003608000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/releases/164296253/assets
Source: CustomRP.exe, 0000001A.00000002.1984088295.0000000003F5A000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/releases/58285537
Source: CustomRP.exe, 0000001A.00000002.1984088295.0000000003F5A000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/releases/58285537/assets
Source: CustomRP.exe, 0000001A.00000002.1954935503.00000000031C5000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000002.1984088295.0000000003F5A000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003604000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/releases/88253436/reactions
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/releases/assets/110203536
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/releases/assets/110203541
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/releases/assets/112261100
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/releases/assets/112261111
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/releases/assets/114590573
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/releases/assets/114590586
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/releases/assets/119318188
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/releases/assets/119318194
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/releases/assets/121475758
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/releases/assets/121475767
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/releases/assets/125388656
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/releases/assets/125388667
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/releases/assets/125391046
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/releases/assets/125391059
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3821093463.00000000043BF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/releases/assets/130700357
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/releases/assets/130700366
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/releases/assets/135177067
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/releases/assets/135177088
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/releases/assets/136382930
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/releases/assets/136382952
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/releases/assets/139951833
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/releases/assets/139951848
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/releases/assets/144228662
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/releases/assets/144228666
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/releases/assets/149770231
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/releases/assets/149770238
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/releases/assets/152240346
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/releases/assets/152240358
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/releases/assets/153460610
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/releases/assets/153460616
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/releases/assets/153475100
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/releases/assets/153478019
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/releases/assets/153478023
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/releases/assets/153478024
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/releases/assets/158351596
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/releases/assets/158521372
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/releases/assets/158521411
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/releases/assets/163576404
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/releases/assets/163576411
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/releases/assets/163576414
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/releases/assets/166298664
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/releases/assets/166298669
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/releases/assets/166298670
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/releases/assets/170377837
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/releases/assets/170377840
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/releases/assets/170377842
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/releases/assets/175494744
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/releases/assets/175494764
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/releases/assets/175494774
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3821093463.00000000043AA000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003608000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/releases/assets/178176044
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3821093463.00000000043AA000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003608000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/releases/assets/178176055
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003608000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/releases/assets/178176067
Source: CustomRP.exe, CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.00000000037F3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/releases/assets/28138380
Source: CustomRP.exe, 0000001A.00000002.1984088295.0000000003F5A000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003788000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/releases/assets/55362191
Source: CustomRP.exe, 0000001A.00000002.1984088295.0000000003F5A000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003788000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/releases/assets/55362192
Source: CustomRP.exe, 0000001A.00000002.1954935503.00000000038BE000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.00000000037F3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/releases/assets/9840178
Source: CustomRP.exe, 0000001A.00000002.1954935503.00000000038BE000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/releases/assets/9840178lB
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003844000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.00000000037F3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/releases/assets/9847888
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003844000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/releases/assets/9847888lB
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000002EB1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/releasesT
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003218000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.00000000037F3000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.00000000035FC000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.000000000363C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/tarball/1.10
Source: CustomRP.exe, 0000001A.00000002.1984088295.0000000003F5A000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003788000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/tarball/1.14.2
Source: CustomRP.exe, 0000001A.00000002.1954935503.00000000031C5000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003604000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/tarball/1.17
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/tarball/1.17.10
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/tarball/1.17.11
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/tarball/1.17.12
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/tarball/1.17.13
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/tarball/1.17.13.1
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/tarball/1.17.14
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/tarball/1.17.15
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/tarball/1.17.16
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/tarball/1.17.17
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/tarball/1.17.18
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/tarball/1.17.19
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/tarball/1.17.20
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/tarball/1.17.20.1
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/tarball/1.17.20.2
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/tarball/1.17.21
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/tarball/1.17.22
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/tarball/1.17.23
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/tarball/1.17.24
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/tarball/1.17.25
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003608000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/tarball/1.17.26
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/tarball/1.17.8
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/tarball/1.17.9
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003214000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000002.1954935503.0000000003410000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.00000000037F3000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003600000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003683000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/tarball/v1.0
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003410000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/tarball/v1.0LR
Source: CustomRP.exe, 0000001A.00000002.1954935503.000000000387A000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.00000000037F3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/tarball/v1.1
Source: CustomRP.exe, 0000001A.00000002.1954935503.000000000387A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/tarball/v1.1LR
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003218000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.00000000037F3000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.00000000035FC000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.000000000363C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/zipball/1.10
Source: CustomRP.exe, 0000001A.00000002.1984088295.0000000003F5A000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003788000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/zipball/1.14.2
Source: CustomRP.exe, 0000001A.00000002.1954935503.000000000321C000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/zipball/1.14.5
Source: CustomRP.exe, 0000001A.00000002.1954935503.00000000031C5000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003604000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/zipball/1.17
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/zipball/1.17.10
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/zipball/1.17.11
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/zipball/1.17.12
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/zipball/1.17.13
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/zipball/1.17.13.1
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/zipball/1.17.14
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/zipball/1.17.15
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/zipball/1.17.16
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/zipball/1.17.17
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/zipball/1.17.18
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/zipball/1.17.19
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/zipball/1.17.20
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/zipball/1.17.20.1
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/zipball/1.17.20.2
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/zipball/1.17.21
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/zipball/1.17.22
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/zipball/1.17.23
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/zipball/1.17.24
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/zipball/1.17.25
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003608000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/zipball/1.17.26
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/zipball/1.17.9
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003214000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000002.1954935503.0000000003410000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.00000000037F3000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003600000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003683000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/zipball/v1.0
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003410000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/zipball/v1.0LR
Source: CustomRP.exe, 0000001A.00000002.1954935503.000000000387A000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.00000000037F3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/zipball/v1.1
Source: CustomRP.exe, 0000001A.00000002.1954935503.000000000387A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/zipball/v1.1LR
Source: CustomRP.exe, 0000001A.00000002.1954935503.00000000031AE000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003788000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003312000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.00000000037F3000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.000000000363C000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003683000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repositories/158286982/releases?page=1
Source: CustomRP.exe, 0000001A.00000002.1954935503.00000000031AE000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003788000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003312000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.000000000363C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repositories/158286982/releases?page=2
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repositories/158286982/releases?page=2lB
Source: CustomRP.exe, 0000001A.00000002.1954935503.00000000031AE000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.00000000037F3000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003683000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repositories/158286982/releases?page=3
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003788000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003312000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.000000000363C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repositories/158286982/releases?page=4
Source: CustomRP.exe, CustomRP.exe, 0000002A.00000002.3776335624.0000000003788000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/users/maxim
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003214000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/users/maximma&
Source: CustomRP.exe, 0000001A.00000002.1984088295.0000000003F5A000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000002.1954935503.000000000381D000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.00000000038FC000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003B13000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003788000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.00000000039E8000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3821093463.00000000043AA000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003B52000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.00000000037F3000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003A99000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003A5F000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003B8D000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003608000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.000000000396E000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003936000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003AD8000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003A1F000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.00000000039AD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/users/maximmax42
Source: CustomRP.exe, 0000001A.00000002.1954935503.00000000033EF000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000002.1954935503.0000000003218000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003B13000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.00000000038FF000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003788000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3821093463.00000000043AA000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.00000000039EB000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003B52000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3821093463.00000000043BF000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003A24000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.00000000037F3000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003A9C000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003600000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.00000000035FC000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003A5F000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003608000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003936000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003971000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.000000000363C000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003AD8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/users/maximmax42/events
Source: CustomRP.exe, 0000001A.00000002.1984088295.0000000003F5A000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000002.1954935503.000000000381D000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000002.1954935503.00000000033EF000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003B13000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.00000000038FF000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003788000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3821093463.00000000043AA000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.00000000039EB000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003B52000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.00000000037F3000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003A9C000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003600000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003A5F000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003B8D000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003608000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003936000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003971000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003AD8000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003683000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.00000000039B0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/users/maximmax42/followers
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003896000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000002.1954935503.000000000385A000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000002.1954935503.000000000381D000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000002.1954935503.00000000033EF000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003B13000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.00000000038FF000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.00000000039EB000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003B52000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003A24000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003A9C000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003A5F000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003B8D000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003936000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003971000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003AD8000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.00000000039B0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/users/maximmax42/followerslB
Source: CustomRP.exe, 0000001A.00000002.1954935503.00000000033EF000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003B13000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.00000000038FF000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003788000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3821093463.00000000043AA000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.00000000039EB000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003B52000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003A24000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.00000000037F3000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003A9C000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003600000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003A5F000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003B8D000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003608000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003936000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003971000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003AD8000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003683000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.00000000039B0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/users/maximmax42/following
Source: CustomRP.exe, 0000001A.00000002.1954935503.00000000033EF000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000002.1954935503.0000000003218000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003B13000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.00000000038FF000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003788000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3821093463.00000000043AA000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.00000000039EB000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003B52000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003A24000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.00000000037F3000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003A9C000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003600000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.00000000035FC000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003A5F000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003608000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003936000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003971000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.000000000363C000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003AD8000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003683000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/users/maximmax42/gists
Source: CustomRP.exe, 0000001A.00000002.1984088295.0000000003F5A000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000002.1954935503.000000000381D000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000002.1954935503.00000000033EF000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000002.1954935503.0000000003218000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003B13000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.00000000038FF000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003788000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003312000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3821093463.00000000043AA000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.00000000039EB000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003B52000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3821093463.00000000043BF000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003A24000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.00000000037F3000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003A9C000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003600000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.00000000035FC000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003A5F000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003608000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003936000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/users/maximmax42/orgs
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003896000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000002.1954935503.000000000385A000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000002.1954935503.000000000381D000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000002.1954935503.00000000033EF000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003B13000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.00000000038FF000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.00000000039EB000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003B52000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003A24000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003A9C000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003A5F000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003936000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003971000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003AD8000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.00000000039B0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/users/maximmax42/orgsLR
Source: CustomRP.exe, 0000001A.00000002.1984088295.0000000003F5A000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000002.1954935503.000000000381D000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000002.1954935503.00000000033EF000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000002.1954935503.0000000003218000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003B13000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.00000000038FF000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003788000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3821093463.00000000043AA000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.00000000039EB000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003B52000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3821093463.00000000043BF000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003A24000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.00000000037F3000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003A9C000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003600000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.00000000035FC000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003A5F000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003608000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003936000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003971000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/users/maximmax42/received_events
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003896000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000002.1954935503.000000000385A000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000002.1954935503.000000000381D000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000002.1954935503.00000000033EF000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003B13000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.00000000038FF000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.00000000039EB000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003B52000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003A24000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003A9C000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003A5F000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003936000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003971000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003AD8000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.00000000039B0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/users/maximmax42/received_eventsLR
Source: CustomRP.exe, 0000001A.00000002.1984088295.0000000003F5A000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000002.1954935503.000000000381D000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000002.1954935503.00000000033EF000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000002.1954935503.0000000003218000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003B13000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.00000000038FF000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003788000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003312000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3821093463.00000000043AA000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.00000000039EB000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003B52000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3821093463.00000000043BF000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003A24000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.00000000037F3000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003A9C000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003600000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.00000000035FC000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003A5F000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003608000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003936000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/users/maximmax42/repos
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003896000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000002.1954935503.000000000385A000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000002.1954935503.000000000381D000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000002.1954935503.00000000033EF000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003B13000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.00000000038FF000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.00000000039EB000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003B52000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003A24000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003A9C000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003A5F000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003936000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003971000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003AD8000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.00000000039B0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/users/maximmax42/reposLR
Source: CustomRP.exe, 0000001A.00000002.1954935503.00000000033EF000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000002.1954935503.0000000003218000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003B13000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.00000000038FF000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003788000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3821093463.00000000043AA000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.00000000039EB000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003B52000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003A24000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.00000000037F3000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003A9C000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003600000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.00000000035FC000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003A5F000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003608000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003936000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003971000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.000000000363C000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003AD8000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003683000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/users/maximmax42/starred
Source: CustomRP.exe, 0000001A.00000002.1984088295.0000000003F5A000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000002.1954935503.000000000381D000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000002.1954935503.00000000033EF000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000002.1954935503.0000000003218000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003B13000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.00000000038FF000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003788000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3821093463.00000000043AA000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.00000000039EB000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003B52000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3821093463.00000000043BF000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003A24000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.00000000037F3000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003A9C000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003600000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.00000000035FC000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003A5F000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003608000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003936000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003971000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/users/maximmax42/subscriptions
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003896000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000002.1954935503.000000000385A000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000002.1954935503.000000000381D000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000002.1954935503.00000000033EF000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003B13000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.00000000038FF000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.00000000039EB000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003B52000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003A24000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003A9C000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003A5F000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003936000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003971000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003AD8000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.00000000039B0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/users/maximmax42/subscriptionsLR
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003896000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000002.1954935503.0000000003857000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000002.1954935503.00000000033ED000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000002.1954935503.000000000381D000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.00000000038FC000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003B13000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.00000000039E8000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003B52000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003A99000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003A5F000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003B8D000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.000000000396E000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003936000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003AD8000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003A1F000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.00000000039AD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/users/maximmax42LR
Source: CustomRP.exe, 0000001A.00000002.1984088295.0000000003F5A000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000002.1954935503.0000000003892000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003AD4000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003788000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3821093463.00000000043AA000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003B0F000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003A95000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.00000000037F3000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.00000000039E4000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003B4E000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003608000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.00000000038F8000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.000000000396A000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003A1B000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.00000000039A9000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003B89000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003932000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003A5B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://avatars.githubusercontent.com/u/2225711?v=4
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003819000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000002.1954935503.00000000033E8000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000002.1954935503.0000000003853000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000002.1954935503.0000000003892000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003AD4000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003B0F000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003A95000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.00000000039E4000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.00000000038F8000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.000000000396A000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003A1B000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.00000000039A9000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003B89000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003932000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003A5B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://avatars.githubusercontent.com/u/2225711?v=4lB
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000002EB1000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000000.1657558451.0000000000AB2000.00000002.00000001.01000000.00000010.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003312000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000000.2191328539.0000000000E72000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: https://bayusopwan.github.io/
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bio.link/maracesh)
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000002EB1000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000000.1657558451.0000000000AB2000.00000002.00000001.01000000.00000010.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003312000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000000.2191328539.0000000000E72000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: https://boefjim.com/
Source: CustomRP.exe, 0000001A.00000002.1954935503.00000000031C5000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000002.1984088295.0000000003F5A000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003604000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://boosty.to/maximmax42)
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000002EB1000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000000.1657558451.0000000000AB2000.00000002.00000001.01000000.00000010.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003312000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000000.2191328539.0000000000E72000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: https://canel.cloud
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000002EB1000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000000.1657558451.0000000000AB2000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: https://cdn.discordapp.com/attachments/1028632852969033839/1028632881179922522/unknown.png
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000002EB1000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000000.1657558451.0000000000AB2000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: https://cdn.discordapp.com/attachments/1092251869490978816/1092264289215184978/image.png
Source: CustomRP.exe, 0000001A.00000000.1657558451.0000000000AB2000.00000002.00000001.01000000.00000010.sdmp, CustomRP.exe, 0000002A.00000000.2191328539.0000000000E72000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: https://cdn.discordapp.com/embed/avatars/1.png
Source: CustomRP.exe, 0000001A.00000000.1657558451.0000000000AB2000.00000002.00000001.01000000.00000010.sdmp, CustomRP.exe, 0000002A.00000000.2191328539.0000000000E72000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: https://cdn.discordapp.com/embed/avatars/1.pngE
Source: CustomRP.exe, 0000001A.00000000.1657558451.0000000000AB2000.00000002.00000001.01000000.00000010.sdmp, CustomRP.exe, 0000002A.00000000.2191328539.0000000000E72000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: https://cdn.discordapp.com/embed/avatars/4.png
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ci.appveyor.com/project/maximmax42/customrp)
Source: CustomRP.exe, 0000001A.00000002.1954935503.000000000342E000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ci.appveyor.com/project/maximmax42/customrp/builds/49758186)
Source: CustomRP.exe, 0000001A.00000002.1954935503.000000000342E000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ci.appveyor.com/project/maximmax42/customrp/builds/49898001)
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003427000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ci.appveyor.com/project/maximmax42/customrp/builds/50076839)
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003410000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003608000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ci.appveyor.com/project/maximmax42/customrp/builds/50162099)
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000002EB1000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000000.1657558451.0000000000AB2000.00000002.00000001.01000000.00000010.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003312000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000000.2191328539.0000000000E72000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: https://codiaz.com/
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://codiaz.com/))
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000002EB1000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000000.1657558451.0000000000AB2000.00000002.00000001.01000000.00000010.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003312000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000000.2191328539.0000000000E72000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: https://contact.mridungupta.eu.org
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contact.mridungupta.eu.org)).
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000002EB1000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000000.1657558451.0000000000AB2000.00000002.00000001.01000000.00000010.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003312000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000000.2191328539.0000000000E72000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: https://digitarez.space/ref?customrp=default
Source: CustomRP.exe, 0000001A.00000000.1657558451.0000000000AB2000.00000002.00000001.01000000.00000010.sdmp, CustomRP.exe, 0000002A.00000000.2191328539.0000000000E72000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: https://discord.com/developers/applications/
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000002EB1000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000000.1657558451.0000000000AB2000.00000002.00000001.01000000.00000010.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003312000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000000.2191328539.0000000000E72000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: https://discord.gg/36Z4u8Q5uN
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://discord.gg/36Z4u8Q5uN)).
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000002EB1000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000000.1657558451.0000000000AB2000.00000002.00000001.01000000.00000010.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003312000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000000.2191328539.0000000000E72000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: https://discord.gg/Qb8RPjH6sD
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000002EB1000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000000.1657558451.0000000000AB2000.00000002.00000001.01000000.00000010.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003312000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000000.2191328539.0000000000E72000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: https://discord.gg/hqvMaxBAew
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000002EB1000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000000.1657558451.0000000000AB2000.00000002.00000001.01000000.00000010.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003312000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000000.2191328539.0000000000E72000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: https://discord.gg/reformedcityrp
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000002EB1000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000000.1657558451.0000000000AB2000.00000002.00000001.01000000.00000010.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003312000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000000.2191328539.0000000000E72000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: https://discord.gg/zabPuE78ne
Source: CustomRP.exe, 0000001A.00000000.1657558451.0000000000AB2000.00000002.00000001.01000000.00000010.sdmp, CustomRP.exe, 0000002A.00000000.2191328539.0000000000E72000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: https://discordapp.com/api/oauth2/applications/
Source: LisectAVT_2403002A_473.exe, 00000000.00000002.1280963638.0000000002E01000.00000004.00000800.00020000.00000000.sdmp, LisectAVT_2403002A_473.exe, 00000000.00000000.1256648440.000000000084B000.00000002.00000001.01000000.00000003.sdmp, LocalM_d_cKXRrV.exe, 00000003.00000000.1264112585.00000000005C2000.00000002.00000001.01000000.00000006.sdmp	String found in binary or memory: https://dl.dropbox.com/s/p84aaz28t0hepul/Pass.exe?dl=0
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000002EB1000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000000.1657558451.0000000000AB2000.00000002.00000001.01000000.00000010.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003312000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000000.2191328539.0000000000E72000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: https://docs.customrp.xyz/
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000002EB1000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003312000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.customrp.xyz/faq
Source: CustomRP.exe, 0000001A.00000000.1657558451.0000000000AB2000.00000002.00000001.01000000.00000010.sdmp, CustomRP.exe, 0000002A.00000000.2191328539.0000000000E72000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: https://docs.customrp.xyz/faq7gitHubPageToolStripMenuItem
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000002EB1000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000000.1657558451.0000000000AB2000.00000002.00000001.01000000.00000010.sdmp, explorer.exe, 0000001E.00000002.1795554233.0000000002AF8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.1795105757.0000000002B1C000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.1795554233.0000000002B1F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.1795554233.0000000002AF0000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001F.00000002.2386868192.0000000000AF4000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001F.00000003.2385814386.0000000000AFB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001F.00000002.2387643410.0000000000AFC000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001F.00000002.2387643410.0000000000B0F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001F.00000003.2385814386.0000000000B0F000.00000004.00000020.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003312000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000000.2191328539.0000000000E72000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: https://docs.customrp.xyz/setting-up
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000002EB1000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000000.1657558451.0000000000AB2000.00000002.00000001.01000000.00000010.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003312000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000000.2191328539.0000000000E72000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: https://e-z.bio/shelovesrichi
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000002EB1000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000000.1657558451.0000000000AB2000.00000002.00000001.01000000.00000010.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003312000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000000.2191328539.0000000000E72000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: https://fiverr.com/jugandomiguel
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000002EB1000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000000.1657558451.0000000000AB2000.00000002.00000001.01000000.00000010.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003312000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000000.2191328539.0000000000E72000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: https://foolian.com/
Source: LocalwCRkvqzBqW.tmp, 0000000E.00000003.1661520651.00000000057AF000.00000004.00001000.00020000.00000000.sdmp, CustomRP.exe, CustomRP.exe, 0000001A.00000002.2011935141.0000000009C32000.00000002.00000001.01000000.0000001D.sdmp, CustomRP.exe, 0000001A.00000002.1954935503.00000000034DF000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3833471382.0000000006E82000.00000002.00000001.01000000.0000001D.sdmp	String found in binary or memory: https://github.com
Source: CustomRP.exe, CustomRP.exe, 0000001A.00000002.1954935503.0000000002EB1000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003312000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000002EB1000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000000.1657558451.0000000000AB2000.00000002.00000001.01000000.00000010.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003312000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000000.2191328539.0000000000E72000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: https://github.com/BallaBotond
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000002EB1000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000000.1657558451.0000000000AB2000.00000002.00000001.01000000.00000010.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003312000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000000.2191328539.0000000000E72000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: https://github.com/Benny-Kun
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000002EB1000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000000.1657558451.0000000000AB2000.00000002.00000001.01000000.00000010.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003312000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000000.2191328539.0000000000E72000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: https://github.com/EdiRo
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000002EB1000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000000.1657558451.0000000000AB2000.00000002.00000001.01000000.00000010.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003312000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000000.2191328539.0000000000E72000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: https://github.com/Electro7777
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000002EB1000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000000.1657558451.0000000000AB2000.00000002.00000001.01000000.00000010.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003312000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000000.2191328539.0000000000E72000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: https://github.com/Erkkii
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000002EB1000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000000.1657558451.0000000000AB2000.00000002.00000001.01000000.00000010.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003312000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000000.2191328539.0000000000E72000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: https://github.com/FiberAhmed
Source: LocalwCRkvqzBqW.tmp, 0000000E.00000003.1661520651.00000000057AF000.00000004.00001000.00020000.00000000.sdmp, CustomRP.exe, CustomRP.exe, 0000001A.00000002.2000036377.00000000060C2000.00000002.00000001.01000000.00000015.sdmp, CustomRP.1.17.26.tmp, 00000027.00000003.2195222115.00000000058B0000.00000004.00001000.00020000.00000000.sdmp, is-N75LE.tmp.14.dr, is-8B8DA.tmp.39.dr	String found in binary or memory: https://github.com/JamesNK/Newtonsoft.Json
Source: CustomRP.exe, 0000001A.00000002.2033794203.000000000BEF2000.00000002.00000001.01000000.00000023.sdmp, CustomRP.exe, 0000001A.00000002.2034389155.000000000BF18000.00000002.00000001.01000000.00000023.sdmp, CustomRP.1.17.26.tmp, 00000027.00000003.2195222115.0000000005824000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Knagis/CommonMark.NET
Source: LocalwCRkvqzBqW.tmp, 0000000E.00000003.1661520651.0000000005700000.00000004.00001000.00020000.00000000.sdmp, CustomRP.exe, CustomRP.exe, 0000001A.00000002.2033794203.000000000BEF2000.00000002.00000001.01000000.00000023.sdmp	String found in binary or memory: https://github.com/Knagis/CommonMark.NET/
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000002EB1000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000000.1657558451.0000000000AB2000.00000002.00000001.01000000.00000010.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003312000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000000.2191328539.0000000000E72000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: https://github.com/NaaguYT/
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/NaaguYT/)).
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000002EB1000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000000.1657558451.0000000000AB2000.00000002.00000001.01000000.00000010.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003312000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000000.2191328539.0000000000E72000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: https://github.com/REGEX777
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000002EB1000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000000.1657558451.0000000000AB2000.00000002.00000001.01000000.00000010.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003312000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000000.2191328539.0000000000E72000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: https://github.com/S3ntryPositive
Source: LocalwCRkvqzBqW.tmp, 0000000E.00000003.1661520651.00000000057AF000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/dotnet/corefx/tree/30ab651fcb4354552bd4891619a0bdd81e0ebdbf
Source: LocalwCRkvqzBqW.tmp, 0000000E.00000003.1661520651.00000000057AF000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/dotnet/corefx/tree/30ab651fcb4354552bd4891619a0bdd81e0ebdbf8
Source: CustomRP.exe	String found in binary or memory: https://github.com/dotnet/corefx/tree/32b4919
Source: LocalwCRkvqzBqW.tmp, 0000000E.00000003.1661520651.00000000057AF000.00000004.00001000.00020000.00000000.sdmp, CustomRP.exe, CustomRP.exe, 0000001A.00000002.2002226777.00000000063B2000.00000002.00000001.01000000.00000019.sdmp	String found in binary or memory: https://github.com/dotnet/corefx/tree/32b491939fbd125f304031c35038b1e14b4e3958
Source: LocalwCRkvqzBqW.tmp, 0000000E.00000003.1661520651.00000000057AF000.00000004.00001000.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000002.2002226777.00000000063B2000.00000002.00000001.01000000.00000019.sdmp	String found in binary or memory: https://github.com/dotnet/corefx/tree/32b491939fbd125f304031c35038b1e14b4e39588
Source: CustomRP.exe	String found in binary or memory: https://github.com/dotnet/corefx/tree/7601f4f6225089ff
Source: LocalwCRkvqzBqW.tmp, 0000000E.00000003.1661520651.00000000057AF000.00000004.00001000.00020000.00000000.sdmp, is-LTL2H.tmp.14.dr	String found in binary or memory: https://github.com/dotnet/corefx/tree/7601f4f6225089ffb291dc7d58293c7bbf5c5d4f
Source: LocalwCRkvqzBqW.tmp, 0000000E.00000003.1661520651.00000000057AF000.00000004.00001000.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000002.2008020216.0000000009AA2000.00000002.00000001.01000000.0000001B.sdmp, is-LTL2H.tmp.14.dr	String found in binary or memory: https://github.com/dotnet/corefx/tree/7601f4f6225089ffb291dc7d58293c7bbf5c5d4f8
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000002EB1000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000000.1657558451.0000000000AB2000.00000002.00000001.01000000.00000010.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003312000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000000.2191328539.0000000000E72000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: https://github.com/dragonGRaf1312/mycustomrichpresence
Source: LocalwCRkvqzBqW.tmp, 0000000E.00000003.1661520651.00000000057AF000.00000004.00001000.00020000.00000000.sdmp, CustomRP.exe, CustomRP.exe, 0000001A.00000002.2001708037.0000000006342000.00000002.00000001.01000000.00000018.sdmp, CustomRP.exe, 0000001A.00000002.1999866525.00000000060A2000.00000002.00000001.01000000.00000017.sdmp, CustomRP.exe, 0000001A.00000002.1999487049.0000000005A42000.00000002.00000001.01000000.00000016.sdmp, is-90JQC.tmp.14.dr, is-FETK3.tmp.39.dr, is-7ECM7.tmp.39.dr, is-CMKDC.tmp.14.dr	String found in binary or memory: https://github.com/ericsink/SQLitePCL.raw
Source: LocalwCRkvqzBqW.tmp, 0000000E.00000003.1661520651.00000000057AF000.00000004.00001000.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000002.2001708037.0000000006342000.00000002.00000001.01000000.00000018.sdmp, is-7ECM7.tmp.39.dr, is-CMKDC.tmp.14.dr	String found in binary or memory: https://github.com/ericsink/SQLitePCL.rawH
Source: LocalwCRkvqzBqW.tmp, 0000000E.00000003.1661520651.00000000057AF000.00000004.00001000.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000002.1999866525.00000000060A2000.00000002.00000001.01000000.00000017.sdmp, is-FETK3.tmp.39.dr	String found in binary or memory: https://github.com/ericsink/SQLitePCL.rawX
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000002EB1000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000000.1657558451.0000000000AB2000.00000002.00000001.01000000.00000010.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003312000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000000.2191328539.0000000000E72000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: https://github.com/fbrettnich
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000002EB1000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000000.1657558451.0000000000AB2000.00000002.00000001.01000000.00000010.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003312000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000000.2191328539.0000000000E72000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: https://github.com/josephisticated
Source: LocalwCRkvqzBqW.tmp, 0000000E.00000003.1661520651.00000000057AF000.00000004.00001000.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000002.2011935141.0000000009C32000.00000002.00000001.01000000.0000001D.sdmp, CustomRP.exe, 0000002A.00000002.3833471382.0000000006E82000.00000002.00000001.01000000.0000001D.sdmp	String found in binary or memory: https://github.com/kInvalid
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000002EB1000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000000.1657558451.0000000000AB2000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: https://github.com/karimawii
Source: CustomRP.exe, 0000001A.00000002.1984088295.0000000003F5A000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000002.1954935503.000000000381D000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003B13000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003788000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3821093463.00000000043AA000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003B52000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.00000000037F3000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003A5F000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003B8D000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003608000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003936000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003AD8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/maximmax42
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000002EB1000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000000.1657558451.0000000000AB2000.00000002.00000001.01000000.00000010.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003312000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000000.2191328539.0000000000E72000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: https://github.com/maximmax42/Discord-CustomRP
Source: LocalwCRkvqzBqW.exe, 00000009.00000003.1689132652.00000000022DA000.00000004.00001000.00020000.00000000.sdmp, LocalwCRkvqzBqW.tmp, 0000000E.00000003.1681172458.0000000002461000.00000004.00001000.00020000.00000000.sdmp, CustomRP.1.17.26.exe, 00000026.00000003.2257382932.000000000233A000.00000004.00001000.00020000.00000000.sdmp, CustomRP.1.17.26.tmp, 00000027.00000003.2227588928.0000000002411000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/maximmax42/Discord-CustomRP/issues
Source: LocalwCRkvqzBqW.tmp, 0000000E.00000003.1681172458.0000000002461000.00000004.00001000.00020000.00000000.sdmp, CustomRP.1.17.26.tmp, 00000027.00000003.2227588928.0000000002411000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/maximmax42/Discord-CustomRP/releases
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003218000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.00000000037F3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/maximmax42/Discord-CustomRP/releases/download/1.10/CustomRP.1.10.zip
Source: CustomRP.exe, 0000001A.00000002.1984088295.0000000003F5A000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003788000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/maximmax42/Discord-CustomRP/releases/download/1.14.2/CustomRP.1.14.2.exe
Source: CustomRP.exe, 0000001A.00000002.1984088295.0000000003F5A000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003788000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/maximmax42/Discord-CustomRP/releases/download/1.14.2/CustomRP.1.14.2.zip
Source: CustomRP.exe, 0000001A.00000002.1954935503.000000000321C000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/maximmax42/Discord-CustomRP/releases/download/1.14.5/CustomRP.1.14.5.zip
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/maximmax42/Discord-CustomRP/releases/download/1.17.10/CustomRP.1.17.10.exe
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/maximmax42/Discord-CustomRP/releases/download/1.17.10/CustomRP.1.17.10.zip
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/maximmax42/Discord-CustomRP/releases/download/1.17.11/CustomRP.1.17.11.exe
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/maximmax42/Discord-CustomRP/releases/download/1.17.11/CustomRP.1.17.11.zip
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/maximmax42/Discord-CustomRP/releases/download/1.17.12/CustomRP.1.17.12.exe
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/maximmax42/Discord-CustomRP/releases/download/1.17.12/CustomRP.1.17.12.zip
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/maximmax42/Discord-CustomRP/releases/download/1.17.13.1/CustomRP.1.17.13.1.exe
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/maximmax42/Discord-CustomRP/releases/download/1.17.13.1/CustomRP.1.17.13.1.zip
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/maximmax42/Discord-CustomRP/releases/download/1.17.13/CustomRP.1.17.13.exe
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/maximmax42/Discord-CustomRP/releases/download/1.17.13/CustomRP.1.17.13.zip
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/maximmax42/Discord-CustomRP/releases/download/1.17.14/CustomRP.1.17.14.exe
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/maximmax42/Discord-CustomRP/releases/download/1.17.14/CustomRP.1.17.14.zip
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/maximmax42/Discord-CustomRP/releases/download/1.17.15/CustomRP.1.17.15.exe
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/maximmax42/Discord-CustomRP/releases/download/1.17.15/CustomRP.1.17.15.zip
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/maximmax42/Discord-CustomRP/releases/download/1.17.16/CustomRP.1.17.16.exe
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/maximmax42/Discord-CustomRP/releases/download/1.17.16/CustomRP.1.17.16.zip
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/maximmax42/Discord-CustomRP/releases/download/1.17.17/CustomRP.1.17.17.exe
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/maximmax42/Discord-CustomRP/releases/download/1.17.17/CustomRP.1.17.17.zip
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/maximmax42/Discord-CustomRP/releases/download/1.17.18/CustomRP.1.17.18.exe
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/maximmax42/Discord-CustomRP/releases/download/1.17.18/CustomRP.1.17.18.zip
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/maximmax42/Discord-CustomRP/releases/download/1.17.19/CustomRP.1.17.19.exe
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/maximmax42/Discord-CustomRP/releases/download/1.17.19/CustomRP.1.17.19.zip
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/maximmax42/Discord-CustomRP/releases/download/1.17.20.1/CustomRP.1.17.20.1.exe
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/maximmax42/Discord-CustomRP/releases/download/1.17.20.1/CustomRP.1.17.20.1.zip
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/maximmax42/Discord-CustomRP/releases/download/1.17.20.1/CustomRP.Hashes.1.17.20.1
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/maximmax42/Discord-CustomRP/releases/download/1.17.20.2/CustomRP.1.17.20.2.exe
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/maximmax42/Discord-CustomRP/releases/download/1.17.20.2/CustomRP.1.17.20.2.zip
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/maximmax42/Discord-CustomRP/releases/download/1.17.20.2/CustomRP.Hashes.1.17.20.2
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/maximmax42/Discord-CustomRP/releases/download/1.17.20/CustomRP.1.17.20.exe
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/maximmax42/Discord-CustomRP/releases/download/1.17.20/CustomRP.1.17.20.zip
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/maximmax42/Discord-CustomRP/releases/download/1.17.21/CustomRP.1.17.21.exe
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/maximmax42/Discord-CustomRP/releases/download/1.17.21/CustomRP.1.17.21.zip
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/maximmax42/Discord-CustomRP/releases/download/1.17.21/CustomRP.Hashes.1.17.21.txt
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/maximmax42/Discord-CustomRP/releases/download/1.17.22/CustomRP.1.17.22.exe
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/maximmax42/Discord-CustomRP/releases/download/1.17.22/CustomRP.1.17.22.zip
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/maximmax42/Discord-CustomRP/releases/download/1.17.22/CustomRP.Hashes.1.17.22.txt
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/maximmax42/Discord-CustomRP/releases/download/1.17.23/CustomRP.1.17.23.exe
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/maximmax42/Discord-CustomRP/releases/download/1.17.23/CustomRP.1.17.23.zip
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/maximmax42/Discord-CustomRP/releases/download/1.17.23/CustomRP.Hashes.1.17.23.txt
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/maximmax42/Discord-CustomRP/releases/download/1.17.24/CustomRP.1.17.24.exe
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/maximmax42/Discord-CustomRP/releases/download/1.17.24/CustomRP.1.17.24.zip
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/maximmax42/Discord-CustomRP/releases/download/1.17.24/CustomRP.Hashes.1.17.24.txt
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/maximmax42/Discord-CustomRP/releases/download/1.17.25/CustomRP.1.17.25.exe
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/maximmax42/Discord-CustomRP/releases/download/1.17.25/CustomRP.1.17.25.zip
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/maximmax42/Discord-CustomRP/releases/download/1.17.25/CustomRP.Hashes.1.17.25.txt
Source: CustomRP.exe, 0000001A.00000002.1954935503.00000000034DF000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3821093463.00000000043AA000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003608000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/maximmax42/Discord-CustomRP/releases/download/1.17.26/CustomRP.1.17.26.exe
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003608000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/maximmax42/Discord-CustomRP/releases/download/1.17.26/CustomRP.1.17.26.zip
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003608000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/maximmax42/Discord-CustomRP/releases/download/1.17.26/CustomRP.Hashes.1.17.26.txt
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/maximmax42/Discord-CustomRP/releases/download/1.17.8/CustomRP.1.17.8.exe
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/maximmax42/Discord-CustomRP/releases/download/1.17.8/CustomRP.1.17.8.zip
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/maximmax42/Discord-CustomRP/releases/download/1.17.9/CustomRP.1.17.9.exe
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/maximmax42/Discord-CustomRP/releases/download/1.17.9/CustomRP.1.17.9.zip
Source: CustomRP.exe, 0000001A.00000002.1954935503.00000000031C5000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003604000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/maximmax42/Discord-CustomRP/releases/download/1.17/CustomRP.1.17.zip
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003410000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.00000000037F3000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003600000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003683000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/maximmax42/Discord-CustomRP/releases/download/v1.0/CustomRP.1.0.zip
Source: CustomRP.exe, 0000001A.00000002.1954935503.000000000387A000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.00000000037F3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/maximmax42/Discord-CustomRP/releases/download/v1.1/CustomRP.1.1.zip
Source: CustomRP.exe, 0000001A.00000002.1984088295.0000000003F5A000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/maximmax42/Discord-CustomRP/releases/tag/1.14.2
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/maximmax42/Discord-CustomRP/releases/tag/1.17.10
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/maximmax42/Discord-CustomRP/releases/tag/1.17.11
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/maximmax42/Discord-CustomRP/releases/tag/1.17.12
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/maximmax42/Discord-CustomRP/releases/tag/1.17.13
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/maximmax42/Discord-CustomRP/releases/tag/1.17.13.1
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/maximmax42/Discord-CustomRP/releases/tag/1.17.14
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/maximmax42/Discord-CustomRP/releases/tag/1.17.15
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/maximmax42/Discord-CustomRP/releases/tag/1.17.16
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/maximmax42/Discord-CustomRP/releases/tag/1.17.17
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/maximmax42/Discord-CustomRP/releases/tag/1.17.18
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/maximmax42/Discord-CustomRP/releases/tag/1.17.19
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/maximmax42/Discord-CustomRP/releases/tag/1.17.20
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/maximmax42/Discord-CustomRP/releases/tag/1.17.20.1
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/maximmax42/Discord-CustomRP/releases/tag/1.17.20.2
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/maximmax42/Discord-CustomRP/releases/tag/1.17.21
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/maximmax42/Discord-CustomRP/releases/tag/1.17.22
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/maximmax42/Discord-CustomRP/releases/tag/1.17.23
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/maximmax42/Discord-CustomRP/releases/tag/1.17.24
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/maximmax42/Discord-CustomRP/releases/tag/1.17.25
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3821093463.00000000043AA000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003608000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/maximmax42/Discord-CustomRP/releases/tag/1.17.26
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/maximmax42/Discord-CustomRP/releases/tag/1.17.8
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/maximmax42/Discord-CustomRP/releases/tag/1.17.9
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003882000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.00000000037F3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/maximmax42/Discord-CustomRP/releases/tag/v1.0
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003882000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/maximmax42/Discord-CustomRP/releases/tag/v1.0lB
Source: LocalwCRkvqzBqW.exe, 00000009.00000003.1689132652.00000000022DA000.00000004.00001000.00020000.00000000.sdmp, CustomRP.1.17.26.exe, 00000026.00000003.2257382932.000000000233A000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/maximmax42/Discord-CustomRP/releasesa
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003896000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000002.1954935503.000000000385A000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000002.1954935503.000000000381D000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000002.1954935503.00000000033EF000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003B13000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.00000000038FF000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.00000000039EB000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003B52000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003A9C000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003A5F000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003B8D000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003A22000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003936000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003971000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003AD8000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.00000000039B0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/maximmax42LR
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000002EB1000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000000.1657558451.0000000000AB2000.00000002.00000001.01000000.00000010.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003312000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000000.2191328539.0000000000E72000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: https://github.com/mr-Imran
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000002EB1000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000000.1657558451.0000000000AB2000.00000002.00000001.01000000.00000010.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003312000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000000.2191328539.0000000000E72000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: https://github.com/nima-globals/
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/nima-globals/))
Source: LocalwCRkvqzBqW.tmp, 0000000E.00000003.1661520651.00000000057AF000.00000004.00001000.00020000.00000000.sdmp, CustomRP.exe, CustomRP.exe, 0000001A.00000002.2011935141.0000000009C32000.00000002.00000001.01000000.0000001D.sdmp, CustomRP.exe, 0000002A.00000002.3833471382.0000000006E82000.00000002.00000001.01000000.0000001D.sdmp	String found in binary or memory: https://github.com/octokit/octokit.net
Source: LocalwCRkvqzBqW.tmp, 0000000E.00000003.1661520651.00000000057AF000.00000004.00001000.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000002.2011935141.0000000009C32000.00000002.00000001.01000000.0000001D.sdmp, CustomRP.exe, 0000002A.00000002.3833471382.0000000006E82000.00000002.00000001.01000000.0000001D.sdmp	String found in binary or memory: https://github.com/octokit/octokit.net&
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000002EB1000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000000.1657558451.0000000000AB2000.00000002.00000001.01000000.00000010.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003312000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000000.2191328539.0000000000E72000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: https://github.com/yeongaori
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000002EB1000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003312000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/yumiruuwu
Source: CustomRP.exe, 0000001A.00000000.1657558451.0000000000AB2000.00000002.00000001.01000000.00000010.sdmp, CustomRP.exe, 0000002A.00000000.2191328539.0000000000E72000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: https://github.com/yumiruuwu#Nicola
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000002EB1000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003312000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.comd
Source: LocalwCRkvqzBqW.tmp, 0000000E.00000003.1661520651.00000000057AF000.00000004.00001000.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000002.1954935503.0000000003195000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000002.1954935503.0000000002EB1000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 00000023.00000002.1872050699.0000000005A02000.00000002.00000001.01000000.00000013.sdmp, CustomRP.1.17.26.tmp, 00000027.00000003.2195222115.00000000058B0000.00000004.00001000.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003312000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003608000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://in.appcenter.ms
Source: LocalwCRkvqzBqW.tmp, 0000000E.00000003.1661520651.00000000057AF000.00000004.00001000.00020000.00000000.sdmp, CustomRP.exe, 00000023.00000002.1872050699.0000000005A02000.00000002.00000001.01000000.00000013.sdmp, CustomRP.1.17.26.tmp, 00000027.00000003.2195222115.00000000058B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://in.appcenter.ms./logs?api-version=1.0.0
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003195000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003608000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://in.appcenter.ms/logs?api-version=1.0.0
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000002EB1000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000000.1657558451.0000000000AB2000.00000002.00000001.01000000.00000010.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003312000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000000.2191328539.0000000000E72000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: https://isaidpower.dev/
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://isaidpower.dev/))
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003427000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000002.1954935503.0000000003444000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000002.1954935503.00000000034DF000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003312000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000000.2191328539.0000000000E72000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: https://japanesegirl99.muzes.xyz/
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003410000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003608000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://japanesegirl99.muzes.xyz/))
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000002EB1000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000000.1657558451.0000000000AB2000.00000002.00000001.01000000.00000010.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003312000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000000.2191328539.0000000000E72000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: https://jayjake.eu/
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000002EB1000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000000.1657558451.0000000000AB2000.00000002.00000001.01000000.00000010.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003312000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000000.2191328539.0000000000E72000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: https://jesperiz.carrd.co/
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000002EB1000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000000.1657558451.0000000000AB2000.00000002.00000001.01000000.00000010.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003312000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000000.2191328539.0000000000E72000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: https://jme.bio/
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://jme.bio/)
Source: LocalwCRkvqzBqW.exe, 00000009.00000000.1284288118.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, LisectAVT_2403002A_473.exe	String found in binary or memory: https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000002EB1000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000000.1657558451.0000000000AB2000.00000002.00000001.01000000.00000010.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003312000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000000.2191328539.0000000000E72000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: https://julian-idl.codes/
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000002EB1000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000000.1657558451.0000000000AB2000.00000002.00000001.01000000.00000010.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003312000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000000.2191328539.0000000000E72000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: https://ktsgod.carrd.co/
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000002EB1000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000000.1657558451.0000000000AB2000.00000002.00000001.01000000.00000010.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003312000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000000.2191328539.0000000000E72000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: https://leadattic.leadattic953788.repl.co/
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000002EB1000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000000.1657558451.0000000000AB2000.00000002.00000001.01000000.00000010.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003312000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000000.2191328539.0000000000E72000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: https://linktr.ee/404femboy
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000002EB1000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000000.1657558451.0000000000AB2000.00000002.00000001.01000000.00000010.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003312000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000000.2191328539.0000000000E72000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: https://linktr.ee/KahpotVanilla
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003604000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://linktr.ee/dragongraf)
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000002EB1000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000000.1657558451.0000000000AB2000.00000002.00000001.01000000.00000010.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003312000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000000.2191328539.0000000000E72000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: https://linktr.ee/stn69
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000002EB1000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000000.1657558451.0000000000AB2000.00000002.00000001.01000000.00000010.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003312000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000000.2191328539.0000000000E72000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: https://linktr.ee/westxlu
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000002EB1000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000000.1657558451.0000000000AB2000.00000002.00000001.01000000.00000010.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003312000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000000.2191328539.0000000000E72000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: https://marcelgustin.de
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000002EB1000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000000.1657558451.0000000000AB2000.00000002.00000001.01000000.00000010.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003312000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000000.2191328539.0000000000E72000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: https://meap.gg/
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000002EB1000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000000.1657558451.0000000000AB2000.00000002.00000001.01000000.00000010.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003312000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000000.2191328539.0000000000E72000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: https://mo-mahdihh.ir/
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000002EB1000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000000.1657558451.0000000000AB2000.00000002.00000001.01000000.00000010.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003312000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000000.2191328539.0000000000E72000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: https://mrcube.dev/
Source: CustomRP.exe, 0000001A.00000002.1954935503.00000000034DF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://objects.githubusercontent.com
Source: CustomRP.exe, 0000001A.00000002.1954935503.00000000034DF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://objects.githubusercontent.com/github-production-release-asset-2e65be/158286982/4e44c323-1ab5
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000002EB1000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000000.1657558451.0000000000AB2000.00000002.00000001.01000000.00000010.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003312000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000000.2191328539.0000000000E72000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: https://opensea.io/collection/worldtowers
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000002EB1000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000000.1657558451.0000000000AB2000.00000002.00000001.01000000.00000010.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003312000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000000.2191328539.0000000000E72000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: https://owo.yjb.gay/
Source: LocalwCRkvqzBqW.tmp, 0000000E.00000003.1661520651.0000000005700000.00000004.00001000.00020000.00000000.sdmp, CustomRP.exe, CustomRP.exe, 0000001A.00000002.2033794203.000000000BEF2000.00000002.00000001.01000000.00000023.sdmp	String found in binary or memory: https://raw.githubusercontent.com/Knagis/CommonMark.NET/master/LICENSE.md
Source: CustomRP.exe	String found in binary or memory: https://raw.githubusercontent.com/dcurtis/markdown-mark/m
Source: LocalwCRkvqzBqW.tmp, 0000000E.00000003.1661520651.0000000005700000.00000004.00001000.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000002.2033794203.000000000BEF2000.00000002.00000001.01000000.00000023.sdmp	String found in binary or memory: https://raw.githubusercontent.com/dcurtis/markdown-mark/master/png/32x20.png
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000002EB1000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000000.1657558451.0000000000AB2000.00000002.00000001.01000000.00000010.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003312000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000000.2191328539.0000000000E72000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: https://senmn.tech/
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://senmn.tech/)
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000002EB1000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000000.1657558451.0000000000AB2000.00000002.00000001.01000000.00000010.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003312000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000000.2191328539.0000000000E72000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: https://sionteam.com/
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000002EB1000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000000.1657558451.0000000000AB2000.00000002.00000001.01000000.00000010.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003312000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000000.2191328539.0000000000E72000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: https://steamcommunity.com/id/DragonTaki/
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/id/DragonTaki/)).
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000002EB1000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000000.1657558451.0000000000AB2000.00000002.00000001.01000000.00000010.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003312000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000000.2191328539.0000000000E72000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: https://sys-256.me/
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000002EB1000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000000.1657558451.0000000000AB2000.00000002.00000001.01000000.00000010.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003312000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000000.2191328539.0000000000E72000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: https://turashviliguro.github.io/daddyexe/
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000002EB1000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000000.1657558451.0000000000AB2000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: https://twitter.com/Illeg__al
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000002EB1000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000000.1657558451.0000000000AB2000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: https://twitter.com/vvouivre
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://uploads.github.com/repos/maximmax42/Discord-CustomRP/releases/105004829/assets
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://uploads.github.com/repos/maximmax42/Discord-CustomRP/releases/108138526/assets
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://uploads.github.com/repos/maximmax42/Discord-CustomRP/releases/110103989/assets
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://uploads.github.com/repos/maximmax42/Discord-CustomRP/releases/114405601/assets
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://uploads.github.com/repos/maximmax42/Discord-CustomRP/releases/117069059/assets
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://uploads.github.com/repos/maximmax42/Discord-CustomRP/releases/120548332/assets
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://uploads.github.com/repos/maximmax42/Discord-CustomRP/releases/120549358/assets
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://uploads.github.com/repos/maximmax42/Discord-CustomRP/releases/125125712/assets
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://uploads.github.com/repos/maximmax42/Discord-CustomRP/releases/129056474/assets
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://uploads.github.com/repos/maximmax42/Discord-CustomRP/releases/130222051/assets
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://uploads.github.com/repos/maximmax42/Discord-CustomRP/releases/133326853/assets
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://uploads.github.com/repos/maximmax42/Discord-CustomRP/releases/136095786/assets
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://uploads.github.com/repos/maximmax42/Discord-CustomRP/releases/139819712/assets
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003882000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.00000000037F3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://uploads.github.com/repos/maximmax42/Discord-CustomRP/releases/14166878/assets
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://uploads.github.com/repos/maximmax42/Discord-CustomRP/releases/142494604/assets
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://uploads.github.com/repos/maximmax42/Discord-CustomRP/releases/143518737/assets
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://uploads.github.com/repos/maximmax42/Discord-CustomRP/releases/143526226/assets
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://uploads.github.com/repos/maximmax42/Discord-CustomRP/releases/148080647/assets
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://uploads.github.com/repos/maximmax42/Discord-CustomRP/releases/152239004/assets
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://uploads.github.com/repos/maximmax42/Discord-CustomRP/releases/154425515/assets
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://uploads.github.com/repos/maximmax42/Discord-CustomRP/releases/157666663/assets
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://uploads.github.com/repos/maximmax42/Discord-CustomRP/releases/161927593/assets
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3821093463.00000000043AA000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003608000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://uploads.github.com/repos/maximmax42/Discord-CustomRP/releases/164296253/assets
Source: CustomRP.exe, 0000001A.00000002.1984088295.0000000003F5A000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://uploads.github.com/repos/maximmax42/Discord-CustomRP/releases/58285537/assets
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000002EB1000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000000.1657558451.0000000000AB2000.00000002.00000001.01000000.00000010.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003312000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000000.2191328539.0000000000E72000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: https://woomyaisaka.com
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://woomyaisaka.com)
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003427000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.customrp.xyz/?
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003427000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000002.1954935503.0000000003444000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000002.1954935503.00000000034DF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.customrp.xyz/?donate
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003608000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.customrp.xyz/?donate)
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003427000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000002.1954935503.0000000003444000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000002.1954935503.00000000034DF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.customrp.xyz/donations/NearbyFish.png
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003410000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003608000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.customrp.xyz/donations/NearbyFish.png)
Source: LocalwCRkvqzBqW.exe, 00000009.00000003.1286666525.00000000025A0000.00000004.00001000.00020000.00000000.sdmp, CustomRP.1.17.26.exe, 00000026.00000003.1943467551.0000000002580000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.customrp.xyzjhttps://github.com/maximmax42/Discord-CustomRP/issuesnhttps://github.com/ma
Source: LocalwCRkvqzBqW.tmp, 0000000E.00000003.1661520651.00000000057AF000.00000004.00001000.00020000.00000000.sdmp, CustomRP.1.17.26.tmp, 00000027.00000003.2195222115.00000000058B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.digicert.com/CPS0
Source: LocalwCRkvqzBqW.exe, 00000009.00000003.1290338237.00000000025A0000.00000004.00001000.00020000.00000000.sdmp, LocalwCRkvqzBqW.exe, 00000009.00000003.1293081379.000000007FB00000.00000004.00001000.00020000.00000000.sdmp, LocalwCRkvqzBqW.tmp, 0000000E.00000000.1306434984.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, is-OD2S7.tmp.39.dr	String found in binary or memory: https://www.innosetup.com/
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000002EB1000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000000.1657558451.0000000000AB2000.00000002.00000001.01000000.00000010.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003312000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000000.2191328539.0000000000E72000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: https://www.maximmax42.ru
Source: LocalwCRkvqzBqW.tmp, 0000000E.00000003.1661520651.00000000057AF000.00000004.00001000.00020000.00000000.sdmp, CustomRP.1.17.26.tmp, 00000027.00000003.2195222115.00000000058B0000.00000004.00001000.00020000.00000000.sdmp, is-N75LE.tmp.14.dr, is-8B8DA.tmp.39.dr	String found in binary or memory: https://www.newtonsoft.com/json
Source: CustomRP.exe, 0000001A.00000002.2000036377.00000000060C2000.00000002.00000001.01000000.00000015.sdmp, CustomRP.1.17.26.tmp, 00000027.00000003.2195222115.00000000058B0000.00000004.00001000.00020000.00000000.sdmp, is-N75LE.tmp.14.dr, is-8B8DA.tmp.39.dr	String found in binary or memory: https://www.newtonsoft.com/jsonschema
Source: LocalwCRkvqzBqW.tmp, 0000000E.00000003.1661520651.00000000057AF000.00000004.00001000.00020000.00000000.sdmp, CustomRP.exe, CustomRP.exe, 0000001A.00000002.2000036377.00000000060C2000.00000002.00000001.01000000.00000015.sdmp, CustomRP.1.17.26.tmp, 00000027.00000003.2195222115.00000000058B0000.00000004.00001000.00020000.00000000.sdmp, is-N75LE.tmp.14.dr, is-8B8DA.tmp.39.dr	String found in binary or memory: https://www.nuget.org/packages/Newtonsoft.Json.Bson
Source: LocalwCRkvqzBqW.exe, 00000009.00000003.1290338237.00000000025A0000.00000004.00001000.00020000.00000000.sdmp, LocalwCRkvqzBqW.exe, 00000009.00000003.1293081379.000000007FB00000.00000004.00001000.00020000.00000000.sdmp, LocalwCRkvqzBqW.tmp, 0000000E.00000000.1306434984.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, is-OD2S7.tmp.39.dr	String found in binary or memory: https://www.remobjects.com/ps
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000002EB1000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000000.1657558451.0000000000AB2000.00000002.00000001.01000000.00000010.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003312000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000000.2191328539.0000000000E72000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: https://www.roblox.com/users/6757996/profile
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.roblox.com/users/6757996/profile)
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000002EB1000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000000.1657558451.0000000000AB2000.00000002.00000001.01000000.00000010.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003312000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000000.2191328539.0000000000E72000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: https://www.savethekiwi.nz/
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000002EB1000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000000.1657558451.0000000000AB2000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: https://www.twitch.tv/greenrosie
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000002EB1000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000000.1657558451.0000000000AB2000.00000002.00000001.01000000.00000010.sdmp, CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003312000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000000.2191328539.0000000000E72000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: https://www.youtube.com/
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000002EB1000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000000.1657558451.0000000000AB2000.00000002.00000001.01000000.00000010.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003312000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000000.2191328539.0000000000E72000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: https://www.youtube.com/c/CtrlAltDelicious_
Source: CustomRP.exe, 0000001A.00000002.1954935503.000000000342E000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000002.1954935503.0000000003444000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000002.1954935503.00000000034DF000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003312000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000000.2191328539.0000000000E72000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: https://www.youtube.com/channel/UCVt43CrPLKNjaPs1r5Pcdnw
Source: CustomRP.exe, 0000001A.00000002.1954935503.000000000342E000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/channel/UCVt43CrPLKNjaPs1r5Pcdnw))
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000002EB1000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000000.1657558451.0000000000AB2000.00000002.00000001.01000000.00000010.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003312000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000000.2191328539.0000000000E72000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: https://www.youtube.com/channel/UC_cnrLEXfwsZoQxEsM95HXg
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000002EB1000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000000.1657558451.0000000000AB2000.00000002.00000001.01000000.00000010.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003312000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000000.2191328539.0000000000E72000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: https://www.youtube.com/channel/UCjij9nYlEyPl5aVYnJkvx2w
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000002EB1000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000000.1657558451.0000000000AB2000.00000002.00000001.01000000.00000010.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003312000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000000.2191328539.0000000000E72000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: https://www.youtube.com/channel/UCxGqMDnXnEyVt4yugLeBpgA
Source: CustomRP.exe, 0000001A.00000002.1954935503.000000000342E000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000002.1954935503.0000000003444000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000002.1954935503.00000000034DF000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003312000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000000.2191328539.0000000000E72000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: https://www.youtube.com/channel/UCxNVq2Esevsdp2v1jGQNu5A
Source: CustomRP.exe, 0000001A.00000002.1954935503.000000000342E000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/channel/UCxNVq2Esevsdp2v1jGQNu5A))
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003427000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000002.1954935503.0000000003444000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000002.1954935503.00000000034DF000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003312000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://x.com/Nearbyfish1
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003410000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003608000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://x.com/Nearbyfish1)
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000002EB1000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000000.1657558451.0000000000AB2000.00000002.00000001.01000000.00000010.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003312000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000000.2191328539.0000000000E72000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: https://zag.rip

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 49789 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49800 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49766 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49795 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown	Network traffic detected: HTTP traffic on port 49772 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49784 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49806 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown	Network traffic detected: HTTP traffic on port 49777 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown	Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown	Network traffic detected: HTTP traffic on port 49790 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49723
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown	Network traffic detected: HTTP traffic on port 49674 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49760 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49805 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 49765 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49796 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49771 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49701
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49788
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49787
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49786
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49785
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49784
Source: unknown	Network traffic detected: HTTP traffic on port 49813 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49783
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49782
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49781
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49780
Source: unknown	Network traffic detected: HTTP traffic on port 49785 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49807 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49701 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49776 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49791 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49759 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49753 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49779
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49778
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49777
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49776
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49775
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49774
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49773
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49772
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49771
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49770
Source: unknown	Network traffic detected: HTTP traffic on port 49671 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49780 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49802 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49769
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49768
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49767
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49766
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49765
Source: unknown	Network traffic detected: HTTP traffic on port 49758 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49764
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49763
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49760
Source: unknown	Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49764 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49770 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49797 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49801 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49759
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49758
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49757
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49756
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown	Network traffic detected: HTTP traffic on port 49698 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown	Network traffic detected: HTTP traffic on port 49786 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49775 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown	Network traffic detected: HTTP traffic on port 49792 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49672 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49781 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49769 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49803 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49698
Source: unknown	Network traffic detected: HTTP traffic on port 49820 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49763 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49700 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49798 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49787 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49793 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49774 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49782 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49799
Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49798
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49797
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49796
Source: unknown	Network traffic detected: HTTP traffic on port 49677 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49795
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49794
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49793
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49792
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49791
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49790
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49768 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49808 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49789
Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49700
Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49820
Source: unknown	Network traffic detected: HTTP traffic on port 49779 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49762 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49799 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49810 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49815
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49813
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49810
Source: unknown	Network traffic detected: HTTP traffic on port 49788 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49767 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49794 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49809
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49808
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49807
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49806
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49805
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49804
Source: unknown	Network traffic detected: HTTP traffic on port 49773 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49803
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49802
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49801
Source: unknown	Network traffic detected: HTTP traffic on port 49756 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49800
Source: unknown	Network traffic detected: HTTP traffic on port 49783 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49815 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49809 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49778 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49755 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49761 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49804 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49750 -> 443

Source: unknown	HTTPS traffic detected: 40.127.169.103:443 -> 192.168.2.7:49701 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 140.82.121.5:443 -> 192.168.2.7:49710 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.127.169.103:443 -> 192.168.2.7:49735 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 140.82.121.4:443 -> 192.168.2.7:49773 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.199.111.133:443 -> 192.168.2.7:49789 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 140.82.121.5:443 -> 192.168.2.7:49808 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to log keystrokes (.Net Source)

Source: LocalM_d_cKXRrV.exe.0.dr, kl.cs

.Net Code: VKCodeToUnicode

E-Banking Fraud

Yara detected Njrat

Source: Yara match	File source: LisectAVT_2403002A_473.exe, type: SAMPLE
Source: Yara match	File source: 0.2.LisectAVT_2403002A_473.exe.2e3c5c0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.LisectAVT_2403002A_473.exe.84b214.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.LisectAVT_2403002A_473.exe.2e3c5c0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.LisectAVT_2403002A_473.exe.84b214.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.LocalM_d_cKXRrV.exe.5c0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.LisectAVT_2403002A_473.exe.1f0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1280963638.0000000002E01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.1256648440.000000000084B000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.3774758497.0000000002EA1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.1264112585.00000000005C2000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: LisectAVT_2403002A_473.exe PID: 5604, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: LocalM_d_cKXRrV.exe PID: 4932, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: server.exe PID: 7316, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\LocalM_d_cKXRrV.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\server.exe, type: DROPPED

System Summary

Malicious sample detected (through community Yara rule)

Source: LisectAVT_2403002A_473.exe, type: SAMPLE	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: LisectAVT_2403002A_473.exe, type: SAMPLE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: LisectAVT_2403002A_473.exe, type: SAMPLE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: LisectAVT_2403002A_473.exe, type: SAMPLE	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 0.2.LisectAVT_2403002A_473.exe.2e3c5c0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 0.2.LisectAVT_2403002A_473.exe.2e3c5c0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 0.2.LisectAVT_2403002A_473.exe.2e3c5c0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 8.0.Local_wGRdnhmmy.exe.3c0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.0.LisectAVT_2403002A_473.exe.8353e7.2.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 4.2.LocalylmNBbjoFA.exe.2f1c470.1.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.0.LisectAVT_2403002A_473.exe.84b214.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 0.0.LisectAVT_2403002A_473.exe.84b214.1.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 0.0.LisectAVT_2403002A_473.exe.84b214.1.unpack, type: UNPACKEDPE	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 4.0.LocalylmNBbjoFA.exe.8441d8.1.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.0.LisectAVT_2403002A_473.exe.8353e7.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.LisectAVT_2403002A_473.exe.2e3c5c0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 0.2.LisectAVT_2403002A_473.exe.2e3c5c0.1.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 0.2.LisectAVT_2403002A_473.exe.2e3c5c0.1.unpack, type: UNPACKEDPE	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 0.0.LisectAVT_2403002A_473.exe.84b214.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 0.0.LisectAVT_2403002A_473.exe.84b214.1.raw.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 0.0.LisectAVT_2403002A_473.exe.84b214.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 3.0.LocalM_d_cKXRrV.exe.5c0000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 3.0.LocalM_d_cKXRrV.exe.5c0000.0.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 3.0.LocalM_d_cKXRrV.exe.5c0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 4.0.LocalylmNBbjoFA.exe.8441d8.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.LisectAVT_2403002A_473.exe.1344c248.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.LisectAVT_2403002A_473.exe.1344c248.2.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 4.2.LocalylmNBbjoFA.exe.2f1c470.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.0.LisectAVT_2403002A_473.exe.1f0000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 0.0.LisectAVT_2403002A_473.exe.1f0000.0.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 0.0.LisectAVT_2403002A_473.exe.1f0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.0.LisectAVT_2403002A_473.exe.1f0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 4.0.LocalylmNBbjoFA.exe.200000.0.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.0.LisectAVT_2403002A_473.exe.1f220f.3.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000000.00000002.1280963638.0000000002E01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 00000000.00000002.1280963638.0000000002E01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000008.00000000.1281627960.00000000003C2000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000004.00000002.1293177261.0000000002EE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000000.00000000.1256648440.000000000084B000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 00000000.00000000.1256648440.000000000084B000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000003.00000000.1264112585.00000000005C2000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 00000003.00000000.1264112585.00000000005C2000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000004.00000000.1266635863.0000000000215000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000000.00000002.1281399824.0000000012E1D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000000.00000000.1256648440.0000000000206000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe, type: DROPPED	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\Users\user\AppData\LocalM_d_cKXRrV.exe, type: DROPPED	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: C:\Users\user\AppData\LocalM_d_cKXRrV.exe, type: DROPPED	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: C:\Users\user\AppData\LocalM_d_cKXRrV.exe, type: DROPPED	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: C:\Users\user\server.exe, type: DROPPED	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: C:\Users\user\server.exe, type: DROPPED	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: C:\Users\user\server.exe, type: DROPPED	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: C:\Users\user\AppData\Local_wGRdnhmmy.exe, type: DROPPED	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\Users\user\AppData\LocalylmNBbjoFA.exe, type: DROPPED	Matched rule: Detects AsyncRAT Author: ditekSHen

Abnormal high CPU Usage

Source: C:\Users\user\server.exe

Process Stats: CPU usage > 49%

Detected potential crypto function

Source: C:\Users\user\AppData\Local_wGRdnhmmy.exe	Code function: 8_2_00007FFAA9E65C76	8_2_00007FFAA9E65C76
Source: C:\Users\user\AppData\Local_wGRdnhmmy.exe	Code function: 8_2_00007FFAA9E66A22	8_2_00007FFAA9E66A22
Source: C:\Users\user\AppData\Local_wGRdnhmmy.exe	Code function: 8_2_00007FFAA9E68E19	8_2_00007FFAA9E68E19
Source: C:\Users\user\AppData\Local_wGRdnhmmy.exe	Code function: 8_2_00007FFAA9E61609	8_2_00007FFAA9E61609
Source: C:\Users\user\AppData\Local_wGRdnhmmy.exe	Code function: 8_2_00007FFAA9E61F41	8_2_00007FFAA9E61F41
Source: C:\Users\user\AppData\Local_wGRdnhmmy.exe	Code function: 8_2_00007FFAA9E69EAE	8_2_00007FFAA9E69EAE
Source: C:\Users\user\AppData\Local_wGRdnhmmy.exe	Code function: 8_2_00007FFAA9E6444D	8_2_00007FFAA9E6444D
Source: C:\Users\user\AppData\Local_wGRdnhmmy.exe	Code function: 8_2_00007FFAA9E611BD	8_2_00007FFAA9E611BD
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Code function: 22_2_00007FFAA9E50DEE	22_2_00007FFAA9E50DEE
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Code function: 22_2_00007FFAA9E51CA6	22_2_00007FFAA9E51CA6
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Code function: 23_2_00007FFAA9E50DEE	23_2_00007FFAA9E50DEE
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Code function: 23_2_00007FFAA9E51CA6	23_2_00007FFAA9E51CA6
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Code function: 24_2_00007FFAA9E80DEE	24_2_00007FFAA9E80DEE
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Code function: 24_2_00007FFAA9E81CA6	24_2_00007FFAA9E81CA6
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 26_2_060A4799	26_2_060A4799
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 26_2_060A305A	26_2_060A305A
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 26_2_060A317E	26_2_060A317E
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 26_2_060C6998	26_2_060C6998
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 26_2_060C33B9	26_2_060C33B9
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 26_2_060C3276	26_2_060C3276
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 26_2_06342FF5	26_2_06342FF5
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 26_2_063426E8	26_2_063426E8
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 26_2_0634BB59	26_2_0634BB59
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 26_2_06345D0B	26_2_06345D0B
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 26_2_063B5C52	26_2_063B5C52
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 26_2_09AC8238	26_2_09AC8238
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 26_2_0CE233EA	26_2_0CE233EA
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 26_2_0CE2374E	26_2_0CE2374E
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 26_2_0CE26B0C	26_2_0CE26B0C
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 26_2_0CE97762	26_2_0CE97762
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 26_2_0CE9519C	26_2_0CE9519C
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 26_2_0CE97D93	26_2_0CE97D93
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 26_2_6A83DBF0	26_2_6A83DBF0
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 26_2_6A896240	26_2_6A896240
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 26_2_6A7B53A0	26_2_6A7B53A0
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 26_2_6A7FDA30	26_2_6A7FDA30
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 26_2_6A7D3AD0	26_2_6A7D3AD0
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 26_2_6A810A70	26_2_6A810A70
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 26_2_6A806B80	26_2_6A806B80
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 26_2_6A85AB90	26_2_6A85AB90
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 26_2_6A7BBB60	26_2_6A7BBB60
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 26_2_6A814BB0	26_2_6A814BB0
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 26_2_6A7DABE0	26_2_6A7DABE0
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 26_2_6A884B70	26_2_6A884B70
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 26_2_6A860890	26_2_6A860890
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 26_2_6A7ED830	26_2_6A7ED830
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 26_2_6A7EA8E0	26_2_6A7EA8E0
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 26_2_6A80A9A0	26_2_6A80A9A0
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 26_2_6A7D6940	26_2_6A7D6940
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 26_2_6A7F2910	26_2_6A7F2910
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 26_2_6A8A0940	26_2_6A8A0940
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 26_2_6A888950	26_2_6A888950
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 26_2_6A819E80	26_2_6A819E80
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 26_2_6A853EA0	26_2_6A853EA0
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 26_2_6A7E3E30	26_2_6A7E3E30
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 26_2_6A882EE0	26_2_6A882EE0
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 26_2_6A7DEEB0	26_2_6A7DEEB0
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 26_2_6A7B7EA0	26_2_6A7B7EA0
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 26_2_6A82DF80	26_2_6A82DF80
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 26_2_6A821F30	26_2_6A821F30
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 26_2_6A856F30	26_2_6A856F30
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 26_2_6A8AEF35	26_2_6A8AEF35
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 26_2_6A7B1F80	26_2_6A7B1F80
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 26_2_6A7E2C70	26_2_6A7E2C70
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 26_2_6A800CD0	26_2_6A800CD0
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 26_2_6A887CD0	26_2_6A887CD0
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 26_2_6A7ECC10	26_2_6A7ECC10
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 26_2_6A833D80	26_2_6A833D80
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 26_2_6A842D60	26_2_6A842D60
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 26_2_6A8842D0	26_2_6A8842D0
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 26_2_6A7D2210	26_2_6A7D2210
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 26_2_6A8372F0	26_2_6A8372F0
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 26_2_6A802200	26_2_6A802200
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 26_2_6A7FC2D0	26_2_6A7FC2D0
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 26_2_6A7F52C0	26_2_6A7F52C0
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 26_2_6A852250	26_2_6A852250
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 26_2_6A8A6250	26_2_6A8A6250
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 26_2_6A89D3A0	26_2_6A89D3A0
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 26_2_6A80E3C0	26_2_6A80E3C0
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 26_2_6A8413C0	26_2_6A8413C0
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 26_2_6A7F3330	26_2_6A7F3330
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 26_2_6A7C5300	26_2_6A7C5300
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 26_2_6A7EC3B0	26_2_6A7EC3B0
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 26_2_0CE25760	26_2_0CE25760
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 26_2_060C5D9D	26_2_060C5D9D
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 35_2_055F6D5A	35_2_055F6D5A
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Code function: 40_2_00007FFAA9E50DEE	40_2_00007FFAA9E50DEE
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Code function: 40_2_00007FFAA9E51CA6	40_2_00007FFAA9E51CA6
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 42_2_6A4FDBF0	42_2_6A4FDBF0
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 42_2_6A556240	42_2_6A556240
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 42_2_6A4753A0	42_2_6A4753A0
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 42_2_6A4BDA30	42_2_6A4BDA30
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 42_2_6A493AD0	42_2_6A493AD0
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 42_2_6A544B70	42_2_6A544B70
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 42_2_6A47BB60	42_2_6A47BB60
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 42_2_6A49ABE0	42_2_6A49ABE0
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 42_2_6A51AB90	42_2_6A51AB90
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 42_2_6A4C6B80	42_2_6A4C6B80
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 42_2_6A4AD830	42_2_6A4AD830
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 42_2_6A4AA8E0	42_2_6A4AA8E0
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 42_2_6A548950	42_2_6A548950
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 42_2_6A496940	42_2_6A496940
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 42_2_6A560940	42_2_6A560940
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 42_2_6A4B2910	42_2_6A4B2910
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 42_2_6A4CA9A0	42_2_6A4CA9A0
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 42_2_6A4A3E30	42_2_6A4A3E30
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 42_2_6A542EE0	42_2_6A542EE0
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 42_2_6A4D9E80	42_2_6A4D9E80
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 42_2_6A477EA0	42_2_6A477EA0
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 42_2_6A513EA0	42_2_6A513EA0
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 42_2_6A49EEB0	42_2_6A49EEB0
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 42_2_6A516F30	42_2_6A516F30
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 42_2_6A56EF35	42_2_6A56EF35
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 42_2_6A4E1F30	42_2_6A4E1F30
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 42_2_6A471F80	42_2_6A471F80
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 42_2_6A4EDF80	42_2_6A4EDF80
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 42_2_6A4A2C70	42_2_6A4A2C70
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 42_2_6A4ACC10	42_2_6A4ACC10
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 42_2_6A547CD0	42_2_6A547CD0
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 42_2_6A4C0CD0	42_2_6A4C0CD0
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 42_2_6A4F3D80	42_2_6A4F3D80
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 42_2_6A512250	42_2_6A512250
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 42_2_6A566250	42_2_6A566250
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 42_2_6A4C2200	42_2_6A4C2200
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 42_2_6A492210	42_2_6A492210
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 42_2_6A5442D0	42_2_6A5442D0
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 42_2_6A4B52C0	42_2_6A4B52C0
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 42_2_6A4BC2D0	42_2_6A4BC2D0
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 42_2_6A4F72F0	42_2_6A4F72F0
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 42_2_6A485300	42_2_6A485300
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 42_2_6A4CE3C0	42_2_6A4CE3C0
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 42_2_6A5013C0	42_2_6A5013C0
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 42_2_6A55D3A0	42_2_6A55D3A0
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 42_2_6A4AC3B0	42_2_6A4AC3B0
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 42_2_6A481040	42_2_6A481040
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 42_2_6A47F050	42_2_6A47F050
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 42_2_6A48E050	42_2_6A48E050
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 42_2_6A560070	42_2_6A560070
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 42_2_6A4CC090	42_2_6A4CC090
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 42_2_6A516170	42_2_6A516170
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 42_2_6A51C110	42_2_6A51C110
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 42_2_6A5181C0	42_2_6A5181C0
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 42_2_6A510650	42_2_6A510650
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 42_2_6A50C640	42_2_6A50C640
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 42_2_6A4B1670	42_2_6A4B1670
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 42_2_6A4C4720	42_2_6A4C4720
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 42_2_6A4B04E0	42_2_6A4B04E0
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 42_2_6A526580	42_2_6A526580

Found potential string decryption / allocating functions

Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: String function: 6A846580 appears 77 times
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: String function: 6A7C7970 appears 60 times
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: String function: 6A7D0FA0 appears 171 times
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: String function: 6A490FA0 appears 160 times

Sample file is different than original file name gathered from version info

Source: LisectAVT_2403002A_473.exe, 00000000.00000000.1257651766.0000000000856000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamedsdsssss.Scr4 vs LisectAVT_2403002A_473.exe
Source: LisectAVT_2403002A_473.exe	Binary or memory string: OriginalFileName vs LisectAVT_2403002A_473.exe
Source: LisectAVT_2403002A_473.exe	Binary or memory string: OriginalFilenameXClient.exe4 vs LisectAVT_2403002A_473.exe
Source: LisectAVT_2403002A_473.exe	Binary or memory string: OriginalFilenamesdsdsd.Scr4 vs LisectAVT_2403002A_473.exe
Source: LisectAVT_2403002A_473.exe	Binary or memory string: OriginalFilenamedsdsssss.Scr4 vs LisectAVT_2403002A_473.exe

Uses 32bit PE files

Source: LisectAVT_2403002A_473.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Yara signature match

Source: LisectAVT_2403002A_473.exe, type: SAMPLE	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: LisectAVT_2403002A_473.exe, type: SAMPLE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: LisectAVT_2403002A_473.exe, type: SAMPLE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: LisectAVT_2403002A_473.exe, type: SAMPLE	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 0.2.LisectAVT_2403002A_473.exe.2e3c5c0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 0.2.LisectAVT_2403002A_473.exe.2e3c5c0.1.raw.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 0.2.LisectAVT_2403002A_473.exe.2e3c5c0.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 8.0.Local_wGRdnhmmy.exe.3c0000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.0.LisectAVT_2403002A_473.exe.8353e7.2.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 4.2.LocalylmNBbjoFA.exe.2f1c470.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.0.LisectAVT_2403002A_473.exe.84b214.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 0.0.LisectAVT_2403002A_473.exe.84b214.1.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 0.0.LisectAVT_2403002A_473.exe.84b214.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 4.0.LocalylmNBbjoFA.exe.8441d8.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.0.LisectAVT_2403002A_473.exe.8353e7.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.LisectAVT_2403002A_473.exe.2e3c5c0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 0.2.LisectAVT_2403002A_473.exe.2e3c5c0.1.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 0.2.LisectAVT_2403002A_473.exe.2e3c5c0.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 0.0.LisectAVT_2403002A_473.exe.84b214.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 0.0.LisectAVT_2403002A_473.exe.84b214.1.raw.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 0.0.LisectAVT_2403002A_473.exe.84b214.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 3.0.LocalM_d_cKXRrV.exe.5c0000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 3.0.LocalM_d_cKXRrV.exe.5c0000.0.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 3.0.LocalM_d_cKXRrV.exe.5c0000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 4.0.LocalylmNBbjoFA.exe.8441d8.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.LisectAVT_2403002A_473.exe.1344c248.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.LisectAVT_2403002A_473.exe.1344c248.2.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 4.2.LocalylmNBbjoFA.exe.2f1c470.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.0.LisectAVT_2403002A_473.exe.1f0000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 0.0.LisectAVT_2403002A_473.exe.1f0000.0.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 0.0.LisectAVT_2403002A_473.exe.1f0000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.0.LisectAVT_2403002A_473.exe.1f0000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 4.0.LocalylmNBbjoFA.exe.200000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.0.LisectAVT_2403002A_473.exe.1f220f.3.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000002.1280963638.0000000002E01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 00000000.00000002.1280963638.0000000002E01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000008.00000000.1281627960.00000000003C2000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000004.00000002.1293177261.0000000002EE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000000.1256648440.000000000084B000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 00000000.00000000.1256648440.000000000084B000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000003.00000000.1264112585.00000000005C2000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 00000003.00000000.1264112585.00000000005C2000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000004.00000000.1266635863.0000000000215000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000002.1281399824.0000000012E1D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000000.1256648440.0000000000206000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe, type: DROPPED	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: C:\Users\user\AppData\LocalM_d_cKXRrV.exe, type: DROPPED	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: C:\Users\user\AppData\LocalM_d_cKXRrV.exe, type: DROPPED	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: C:\Users\user\AppData\LocalM_d_cKXRrV.exe, type: DROPPED	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: C:\Users\user\server.exe, type: DROPPED	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: C:\Users\user\server.exe, type: DROPPED	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: C:\Users\user\server.exe, type: DROPPED	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: C:\Users\user\AppData\Local_wGRdnhmmy.exe, type: DROPPED	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: C:\Users\user\AppData\LocalylmNBbjoFA.exe, type: DROPPED	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT

Source: 0.0.LisectAVT_2403002A_473.exe.8353e7.2.raw.unpack, maC2rNtx1b5CL8WjrQbnsVoyoeFzRupXiO2bEJRFmnDcFz3f3xmj4wktvQXPtr.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.0.LisectAVT_2403002A_473.exe.8353e7.2.raw.unpack, 7OJWizdBeSlGH7qWtAtRFahk6E6v64SjpzYbrWqJGw9FBYpyMJWB7kDG0qmHYq.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.0.LisectAVT_2403002A_473.exe.8353e7.2.raw.unpack, 7OJWizdBeSlGH7qWtAtRFahk6E6v64SjpzYbrWqJGw9FBYpyMJWB7kDG0qmHYq.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: classification engine

Classification label: mal90.troj.spyw.evad.winEXE@51/412@73/10

Source: C:\Users\user\server.exe	Code function: 16_2_011F145E AdjustTokenPrivileges,		16_2_011F145E
Source: C:\Users\user\server.exe	Code function: 16_2_011F1427 AdjustTokenPrivileges,		16_2_011F1427

Source: C:\Users\user\Desktop\LisectAVT_2403002A_473.exe

File created: C:\Users\user\AppData\LocalM_d_cKXRrV.exe

Jump to behavior

Source: C:\Users\user\server.exe	Mutant created: \Sessions\1\BaseNamedObjects\aeef8aa7871139dda7dc4a2275ef7f4f
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Mutant created: NULL
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Mutant created: \Sessions\1\BaseNamedObjects\CustomRP
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7484:120:WilError_03
Source: C:\Users\user\server.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7360:120:WilError_03
Source: C:\Users\user\AppData\Local_wGRdnhmmy.exe	Mutant created: \Sessions\1\BaseNamedObjects\GK5KyBNuhcePlPdJ

Source: C:\Users\user\AppData\LocalwCRkvqzBqW.exe

File created: C:\Users\user~1\AppData\Local\Temp\is-GPIMV.tmp

Jump to behavior

Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process created: C:\Windows\SysWOW64\explorer.exe
Source: unknown	Process created: C:\Windows\explorer.exe
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process created: C:\Windows\SysWOW64\explorer.exe

Source: LisectAVT_2403002A_473.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\AppData\LocalwCRkvqzBqW.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\LocalwCRkvqzBqW.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\CustomRP.1.17.26.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\CustomRP.1.17.26.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales

Source: LisectAVT_2403002A_473.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.69%

Source: C:\Users\user\Desktop\LisectAVT_2403002A_473.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\LisectAVT_2403002A_473.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization

Jump to behavior

Source: CustomRP.exe, 0000001A.00000002.2046982098.000000006A8BA000.00000002.00000001.01000000.0000001A.sdmp	Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: CustomRP.exe, CustomRP.exe, 0000001A.00000002.2046982098.000000006A8BA000.00000002.00000001.01000000.0000001A.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: CustomRP.exe, CustomRP.exe, 0000002A.00000002.3865639119.000000006A582000.00000002.00000001.01000000.0000001A.sdmp	Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: CustomRP.exe, CustomRP.exe, 0000001A.00000002.2046982098.000000006A8BA000.00000002.00000001.01000000.0000001A.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: CustomRP.exe, CustomRP.exe, 0000001A.00000002.2046982098.000000006A8BA000.00000002.00000001.01000000.0000001A.sdmp	Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: CustomRP.exe, CustomRP.exe, 0000001A.00000002.2046982098.000000006A8BA000.00000002.00000001.01000000.0000001A.sdmp, CustomRP.exe, 0000002A.00000002.3865639119.000000006A582000.00000002.00000001.01000000.0000001A.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: CustomRP.exe, CustomRP.exe, 0000001A.00000002.2046982098.000000006A8BA000.00000002.00000001.01000000.0000001A.sdmp	Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);

Source: CustomRP.exe	String found in binary or memory: user/codespaces/{0}/stop
Source: CustomRP.exe	String found in binary or memory: user/codespaces/{0}/stop
Source: CustomRP.exe	String found in binary or memory: GET$/app/installations/{installation_id}
Source: CustomRP.exe	String found in binary or memory: /app/installations
Source: CustomRP.exe	String found in binary or memory: GET$/user/installation/{id}/repositories
Source: CustomRP.exe	String found in binary or memory: /installation/repositories
Source: CustomRP.exe	String found in binary or memory: /repositories/{id}/installation
Source: CustomRP.exe	String found in binary or memory: /users/{username}/installation
Source: CustomRP.exe	String found in binary or memory: /orgs/{org}/installation
Source: CustomRP.exe	String found in binary or memory: GET"/repos/{owner}/{repo}/installation
Source: CustomRP.exe	String found in binary or memory: GET2/app/installations/{installation_id}/access_tokens
Source: CustomRP.exe	String found in binary or memory: /user/installations
Source: CustomRP.exe	String found in binary or memory: users/{0}/installation
Source: CustomRP.exe	String found in binary or memory: repositories/{0}/installation
Source: CustomRP.exe	String found in binary or memory: orgs/{0}/installation
Source: CustomRP.exe	String found in binary or memory: repos/{0}/{1}/installation
Source: CustomRP.exe	String found in binary or memory: user/installations/{0}/repositories
Source: CustomRP.exe	String found in binary or memory: app/installations
Source: CustomRP.exe	String found in binary or memory: app/installations/{0}/access_tokens
Source: CustomRP.exe	String found in binary or memory: POST&/user/codespaces/{codespace_name}/stop
Source: CustomRP.exe	String found in binary or memory: POST&/user/codespaces/{codespace_name}/stop
Source: CustomRP.exe	String found in binary or memory: user/installations
Source: CustomRP.exe	String found in binary or memory: app/installations/{0}
Source: CustomRP.exe	String found in binary or memory: <!--StartFragment-->
Source: CustomRP.exe	String found in binary or memory: !--StartFragment-->
Source: CustomRP.exe	String found in binary or memory: POST&/user/codespaces/{codespace_name}/stop
Source: CustomRP.exe	String found in binary or memory: POST&/user/codespaces/{codespace_name}/stop
Source: CustomRP.exe	String found in binary or memory: /users/{username}/installation
Source: CustomRP.exe	String found in binary or memory: /repositories/{id}/installation
Source: CustomRP.exe	String found in binary or memory: GET$/app/installations/{installation_id}
Source: CustomRP.exe	String found in binary or memory: /app/installations
Source: CustomRP.exe	String found in binary or memory: GET"/repos/{owner}/{repo}/installation
Source: CustomRP.exe	String found in binary or memory: /orgs/{org}/installation
Source: CustomRP.exe	String found in binary or memory: GET2/app/installations/{installation_id}/access_tokens
Source: CustomRP.exe	String found in binary or memory: /user/installations
Source: CustomRP.exe	String found in binary or memory: GET$/user/installation/{id}/repositories
Source: CustomRP.exe	String found in binary or memory: /installation/repositories
Source: CustomRP.exe	String found in binary or memory: user/codespaces/{0}/stop
Source: CustomRP.exe	String found in binary or memory: user/codespaces/{0}/stop
Source: CustomRP.exe	String found in binary or memory: repos/{0}/{1}/installation
Source: CustomRP.exe	String found in binary or memory: user/installations/{0}/repositories
Source: CustomRP.exe	String found in binary or memory: app/installations
Source: CustomRP.exe	String found in binary or memory: app/installations/{0}/access_tokens
Source: CustomRP.exe	String found in binary or memory: user/installations
Source: CustomRP.exe	String found in binary or memory: app/installations/{0}
Source: CustomRP.exe	String found in binary or memory: users/{0}/installation
Source: CustomRP.exe	String found in binary or memory: orgs/{0}/installation
Source: CustomRP.exe	String found in binary or memory: repositories/{0}/installation
Source: LisectAVT_2403002A_473.exe	String found in binary or memory: /LOADINF="filename"

Source: unknown	Process created: C:\Users\user\Desktop\LisectAVT_2403002A_473.exe "C:\Users\user\Desktop\LisectAVT_2403002A_473.exe"
Source: C:\Users\user\Desktop\LisectAVT_2403002A_473.exe	Process created: C:\Users\user\AppData\LocalM_d_cKXRrV.exe "C:\Users\user\AppData\LocalM_d_cKXRrV.exe"
Source: C:\Users\user\Desktop\LisectAVT_2403002A_473.exe	Process created: C:\Users\user\AppData\LocalylmNBbjoFA.exe "C:\Users\user\AppData\LocalylmNBbjoFA.exe"
Source: C:\Users\user\AppData\LocalylmNBbjoFA.exe	Process created: C:\Users\user\AppData\Local_wGRdnhmmy.exe "C:\Users\user\AppData\Local_wGRdnhmmy.exe"
Source: C:\Users\user\AppData\LocalylmNBbjoFA.exe	Process created: C:\Users\user\AppData\LocalwCRkvqzBqW.exe "C:\Users\user\AppData\LocalwCRkvqzBqW.exe"
Source: C:\Users\user\AppData\LocalwCRkvqzBqW.exe	Process created: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp "C:\Users\user~1\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp" /SL5="$20408,5483573,1081856,C:\Users\user\AppData\LocalwCRkvqzBqW.exe"
Source: C:\Users\user\AppData\LocalM_d_cKXRrV.exe	Process created: C:\Users\user\server.exe "C:\Users\user\server.exe"
Source: C:\Users\user\AppData\Local_wGRdnhmmy.exe	Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Local_wGRdnhmmy" /tr "C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe"
Source: C:\Windows\System32\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\server.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram "C:\Users\user\server.exe" "server.exe" ENABLE
Source: C:\Windows\SysWOW64\netsh.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe "C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe "C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe"
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Process created: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe "C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe"
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process created: C:\Windows\SysWOW64\explorer.exe "C:\Windows\System32\explorer.exe" https://docs.customrp.xyz/setting-up
Source: unknown	Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
Source: C:\Windows\explorer.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://docs.customrp.xyz/setting-up
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2216 --field-trial-handle=1936,i,15522809999631733676,11133617490285214044,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Users\user\AppData\Local_wGRdnhmmy.exe	Process created: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe "C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe"
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process created: C:\Users\user\AppData\Local\Temp\CustomRP.1.17.26.exe "C:\Users\user\AppData\Local\Temp\CustomRP.1.17.26.exe"
Source: C:\Users\user\AppData\Local\Temp\CustomRP.1.17.26.exe	Process created: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp "C:\Users\user~1\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp" /SL5="$404B2,5498303,1081856,C:\Users\user\AppData\Local\Temp\CustomRP.1.17.26.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Process created: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe "C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe
Source: C:\Users\user\Desktop\LisectAVT_2403002A_473.exe	Process created: C:\Users\user\AppData\LocalM_d_cKXRrV.exe "C:\Users\user\AppData\LocalM_d_cKXRrV.exe"	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_473.exe	Process created: C:\Users\user\AppData\LocalylmNBbjoFA.exe "C:\Users\user\AppData\LocalylmNBbjoFA.exe"	Jump to behavior
Source: C:\Users\user\AppData\LocalM_d_cKXRrV.exe	Process created: C:\Users\user\server.exe "C:\Users\user\server.exe"	Jump to behavior
Source: C:\Users\user\AppData\LocalylmNBbjoFA.exe	Process created: C:\Users\user\AppData\Local_wGRdnhmmy.exe "C:\Users\user\AppData\Local_wGRdnhmmy.exe"	Jump to behavior
Source: C:\Users\user\AppData\LocalylmNBbjoFA.exe	Process created: C:\Users\user\AppData\LocalwCRkvqzBqW.exe "C:\Users\user\AppData\LocalwCRkvqzBqW.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local_wGRdnhmmy.exe	Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Local_wGRdnhmmy" /tr "C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe"	Jump to behavior
Source: C:\Users\user\AppData\LocalwCRkvqzBqW.exe	Process created: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp "C:\Users\user~1\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp" /SL5="$20408,5483573,1081856,C:\Users\user\AppData\LocalwCRkvqzBqW.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Process created: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe "C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe"	Jump to behavior
Source: C:\Users\user\server.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram "C:\Users\user\server.exe" "server.exe" ENABLE
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process created: C:\Windows\SysWOW64\explorer.exe "C:\Windows\System32\explorer.exe" https://docs.customrp.xyz/setting-up
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process created: C:\Users\user\AppData\Local\Temp\CustomRP.1.17.26.exe "C:\Users\user\AppData\Local\Temp\CustomRP.1.17.26.exe"
Source: C:\Windows\explorer.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://docs.customrp.xyz/setting-up
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2216 --field-trial-handle=1936,i,15522809999631733676,11133617490285214044,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\CustomRP.1.17.26.exe	Process created: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp "C:\Users\user~1\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp" /SL5="$404B2,5498303,1081856,C:\Users\user\AppData\Local\Temp\CustomRP.1.17.26.exe"
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Process created: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe "C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe"

Source: C:\Users\user\Desktop\LisectAVT_2403002A_473.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_473.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_473.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_473.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_473.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_473.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_473.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_473.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_473.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_473.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_473.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_473.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_473.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_473.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_473.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_473.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_473.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_473.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_473.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_473.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_473.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_473.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_473.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_473.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_473.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\LocalM_d_cKXRrV.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\LocalM_d_cKXRrV.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\LocalM_d_cKXRrV.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\LocalM_d_cKXRrV.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\LocalM_d_cKXRrV.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\LocalM_d_cKXRrV.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\LocalM_d_cKXRrV.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\LocalM_d_cKXRrV.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\LocalM_d_cKXRrV.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\LocalM_d_cKXRrV.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\LocalM_d_cKXRrV.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\LocalM_d_cKXRrV.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\LocalM_d_cKXRrV.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\LocalM_d_cKXRrV.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\LocalM_d_cKXRrV.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\LocalM_d_cKXRrV.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\LocalM_d_cKXRrV.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\LocalM_d_cKXRrV.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\LocalM_d_cKXRrV.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\LocalM_d_cKXRrV.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\LocalM_d_cKXRrV.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\LocalM_d_cKXRrV.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\LocalM_d_cKXRrV.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\LocalM_d_cKXRrV.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\LocalM_d_cKXRrV.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\LocalylmNBbjoFA.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\LocalylmNBbjoFA.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\LocalylmNBbjoFA.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\LocalylmNBbjoFA.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\LocalylmNBbjoFA.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\LocalylmNBbjoFA.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\LocalylmNBbjoFA.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\LocalylmNBbjoFA.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\AppData\LocalylmNBbjoFA.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\LocalylmNBbjoFA.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\LocalylmNBbjoFA.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\LocalylmNBbjoFA.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\LocalylmNBbjoFA.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\LocalylmNBbjoFA.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\LocalylmNBbjoFA.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\LocalylmNBbjoFA.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\LocalylmNBbjoFA.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\LocalylmNBbjoFA.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\LocalylmNBbjoFA.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\LocalylmNBbjoFA.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\LocalylmNBbjoFA.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\LocalylmNBbjoFA.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\LocalylmNBbjoFA.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\LocalylmNBbjoFA.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\LocalylmNBbjoFA.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local_wGRdnhmmy.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Local_wGRdnhmmy.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local_wGRdnhmmy.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local_wGRdnhmmy.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local_wGRdnhmmy.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local_wGRdnhmmy.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local_wGRdnhmmy.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local_wGRdnhmmy.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local_wGRdnhmmy.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local_wGRdnhmmy.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local_wGRdnhmmy.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local_wGRdnhmmy.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local_wGRdnhmmy.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\AppData\Local_wGRdnhmmy.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local_wGRdnhmmy.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local_wGRdnhmmy.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local_wGRdnhmmy.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local_wGRdnhmmy.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local_wGRdnhmmy.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local_wGRdnhmmy.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\AppData\Local_wGRdnhmmy.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local_wGRdnhmmy.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local_wGRdnhmmy.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local_wGRdnhmmy.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local_wGRdnhmmy.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local_wGRdnhmmy.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\AppData\Local_wGRdnhmmy.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local_wGRdnhmmy.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local_wGRdnhmmy.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local_wGRdnhmmy.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local_wGRdnhmmy.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local_wGRdnhmmy.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local_wGRdnhmmy.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local_wGRdnhmmy.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local_wGRdnhmmy.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local_wGRdnhmmy.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local_wGRdnhmmy.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local_wGRdnhmmy.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local_wGRdnhmmy.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local_wGRdnhmmy.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Local_wGRdnhmmy.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local_wGRdnhmmy.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local_wGRdnhmmy.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local_wGRdnhmmy.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local_wGRdnhmmy.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local_wGRdnhmmy.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local_wGRdnhmmy.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local_wGRdnhmmy.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Users\user\AppData\LocalwCRkvqzBqW.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\LocalwCRkvqzBqW.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\LocalwCRkvqzBqW.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\LocalwCRkvqzBqW.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\LocalwCRkvqzBqW.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Section loaded: winsta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Section loaded: msftedit.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Section loaded: windows.globalization.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Section loaded: bcp47mrm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Section loaded: globinputhost.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Section loaded: windows.ui.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Section loaded: windowmanagementapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Section loaded: inputhost.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Section loaded: explorerframe.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Section loaded: sfc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\server.exe	Section loaded: mscoree.dll
Source: C:\Users\user\server.exe	Section loaded: apphelp.dll
Source: C:\Users\user\server.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\server.exe	Section loaded: version.dll
Source: C:\Users\user\server.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\server.exe	Section loaded: wldp.dll
Source: C:\Users\user\server.exe	Section loaded: profapi.dll
Source: C:\Users\user\server.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\server.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\server.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\server.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\server.exe	Section loaded: mswsock.dll
Source: C:\Users\user\server.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\server.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\server.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ifmon.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mprapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasmontr.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasapi32.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasman.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mfc42u.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasman.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: authfwcfg.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwpolicyiomgr.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: firewallapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwbase.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dhcpcmonitor.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dot3cfg.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dot3api.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: onex.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: eappcfg.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ncrypt.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: eappprxy.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ntasn1.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwcfg.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: hnetmon.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: netshell.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nlaapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: netsetupapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: netiohlp.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nshhttp.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: httpapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nshipsec.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: activeds.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: polstore.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: winipsec.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: adsldpc.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: adsldpc.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nshwfp.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: cabinet.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: p2pnetsh.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: p2p.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rpcnsh.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: whhelper.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wlancfg.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wlanapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wshelper.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wevtapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: peerdistsh.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wcmapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rmclient.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mobilenetworking.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: slc.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: sppc.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ktmw32.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mprmsg.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Section loaded: dataexchange.dll
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Section loaded: d3d11.dll
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Section loaded: dcomp.dll
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Section loaded: dxgi.dll
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Section loaded: twinapi.appcore.dll
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Section loaded: dwmapi.dll
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Section loaded: sxs.dll
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Section loaded: mpr.dll
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Section loaded: scrrun.dll
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Section loaded: linkinfo.dll
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Section loaded: ntshrui.dll
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Section loaded: cscapi.dll
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Section loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Section loaded: slc.dll
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Section loaded: sppc.dll
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Section loaded: rasman.dll
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Section loaded: secur32.dll
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Section loaded: schannel.dll
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Section loaded: uiautomationcore.dll
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Section loaded: oleacc.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: aepic.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: twinapi.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: powrprof.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: dxgi.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: coremessaging.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: wtsapi32.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: dwmapi.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: twinapi.appcore.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: umpdc.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: ninput.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: explorerframe.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: actxprxy.dll
Source: C:\Windows\explorer.exe	Section loaded: aepic.dll
Source: C:\Windows\explorer.exe	Section loaded: twinapi.dll
Source: C:\Windows\explorer.exe	Section loaded: userenv.dll
Source: C:\Windows\explorer.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\explorer.exe	Section loaded: powrprof.dll
Source: C:\Windows\explorer.exe	Section loaded: windows.storage.dll
Source: C:\Windows\explorer.exe	Section loaded: dxgi.dll
Source: C:\Windows\explorer.exe	Section loaded: windows.storage.dll
Source: C:\Windows\explorer.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\explorer.exe	Section loaded: propsys.dll
Source: C:\Windows\explorer.exe	Section loaded: coremessaging.dll
Source: C:\Windows\explorer.exe	Section loaded: urlmon.dll
Source: C:\Windows\explorer.exe	Section loaded: windows.storage.dll
Source: C:\Windows\explorer.exe	Section loaded: windows.storage.dll
Source: C:\Windows\explorer.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\explorer.exe	Section loaded: wtsapi32.dll
Source: C:\Windows\explorer.exe	Section loaded: wininet.dll
Source: C:\Windows\explorer.exe	Section loaded: uxtheme.dll
Source: C:\Windows\explorer.exe	Section loaded: dwmapi.dll
Source: C:\Windows\explorer.exe	Section loaded: sspicli.dll
Source: C:\Windows\explorer.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\explorer.exe	Section loaded: twinapi.appcore.dll
Source: C:\Windows\explorer.exe	Section loaded: ntmarta.dll
Source: C:\Windows\explorer.exe	Section loaded: cryptsp.dll
Source: C:\Windows\explorer.exe	Section loaded: wldp.dll
Source: C:\Windows\explorer.exe	Section loaded: iertutil.dll
Source: C:\Windows\explorer.exe	Section loaded: srvcli.dll
Source: C:\Windows\explorer.exe	Section loaded: netutils.dll
Source: C:\Windows\explorer.exe	Section loaded: umpdc.dll
Source: C:\Windows\explorer.exe	Section loaded: ninput.dll
Source: C:\Windows\explorer.exe	Section loaded: explorerframe.dll
Source: C:\Windows\explorer.exe	Section loaded: actxprxy.dll
Source: C:\Windows\explorer.exe	Section loaded: windows.shell.servicehostbuilder.dll
Source: C:\Windows\explorer.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\explorer.exe	Section loaded: ieframe.dll
Source: C:\Windows\explorer.exe	Section loaded: netapi32.dll
Source: C:\Windows\explorer.exe	Section loaded: version.dll
Source: C:\Windows\explorer.exe	Section loaded: winhttp.dll
Source: C:\Windows\explorer.exe	Section loaded: wkscli.dll
Source: C:\Windows\explorer.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\explorer.exe	Section loaded: edputil.dll
Source: C:\Windows\explorer.exe	Section loaded: secur32.dll
Source: C:\Windows\explorer.exe	Section loaded: mlang.dll
Source: C:\Windows\explorer.exe	Section loaded: profapi.dll
Source: C:\Windows\explorer.exe	Section loaded: policymanager.dll
Source: C:\Windows\explorer.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\explorer.exe	Section loaded: wintypes.dll
Source: C:\Windows\explorer.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\explorer.exe	Section loaded: pcacli.dll
Source: C:\Windows\explorer.exe	Section loaded: mpr.dll
Source: C:\Windows\explorer.exe	Section loaded: sfc_os.dll
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\CustomRP.1.17.26.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\CustomRP.1.17.26.exe	Section loaded: netapi32.dll
Source: C:\Users\user\AppData\Local\Temp\CustomRP.1.17.26.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\CustomRP.1.17.26.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\CustomRP.1.17.26.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Section loaded: netapi32.dll
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Section loaded: winsta.dll
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Section loaded: dwmapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Section loaded: msftedit.dll
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Section loaded: windows.globalization.dll
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Section loaded: bcp47mrm.dll
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Section loaded: globinputhost.dll
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Section loaded: windows.ui.dll

Source: C:\Users\user\AppData\Local_wGRdnhmmy.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp

Window found: window name: TSelectLanguageForm

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Automated click: I accept the agreement
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Automated click: I accept the agreement
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Automated click: I accept the agreement
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Automated click: I accept the agreement
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Automated click: Install
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Automated click: I accept the agreement
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Automated click: I accept the agreement
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Automated click: I accept the agreement
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Automated click: Install
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Automated click: I accept the agreement

Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp

File opened: C:\Windows\SysWOW64\MSFTEDIT.DLL

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Window detected: License AgreementPlease read the following important information before continuing.Please read the following License Agreement. You must accept the terms of this agreement before continuing with the installation.Copyright (c) 2020-2024 maximmax42Permission is hereby granted free of charge to any person obtaining a copy of this software and associated documentation files (the "Software") to deal in the Software without restriction including without limitation the rights to use copy modify merge publish distribute sublicense and/or sell copies of the Software and to permit persons to whom the Software is furnished to do so subject to the following conditions:The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND EXPRESS OR IMPLIED INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM DAMAGES OR OTHER LIABILITY WHETHER IN AN ACTION OF CONTRACT TORT OR OTHERWISE ARISING FROM OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.---Upon the first launch of the app you will be asked permission to send analytics data to the developer. You can still use the app without any restriction if you don't consent.CustomRP collects this non-personal information during the usage of the app:- OS Version- OS Language- Device Model (laptop or motherboard)- Country based on OS settings (does not use geolocation)- App VersionAs well as these user interactions:- Connection status to Discord- Connection errors (wrong ID etc)- Connection failure (Discord isn't running etc)- Updated presence: - Does it have party? - What timestamp type is used? - Does it have a big image set? - Does it have a small image set? - How many buttons are set?- New version was ignored: - Which version?- Saved a preset- Loaded a preset- Clicked on a supporter/translator menu item: - Name of the supporter/translator - URL of the supporter/translator- Opened "Pipe select" window- Opened "About" windowCrash reports send your settings (except ID) to help understand the cause of the crash.This information is collected to understand how the application is used improve features and catch unexpected crashes as soon as they appear. The information is stored in the Microsoft App Center for 28 days and is not shared with any third parties.I &accept the agreementI &do not accept the agreement&NextCancel
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Window detected: License AgreementPlease read the following important information before continuing.Please read the following License Agreement. You must accept the terms of this agreement before continuing with the installation.Copyright (c) 2020-2024 maximmax42Permission is hereby granted free of charge to any person obtaining a copy of this software and associated documentation files (the "Software") to deal in the Software without restriction including without limitation the rights to use copy modify merge publish distribute sublicense and/or sell copies of the Software and to permit persons to whom the Software is furnished to do so subject to the following conditions:The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND EXPRESS OR IMPLIED INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM DAMAGES OR OTHER LIABILITY WHETHER IN AN ACTION OF CONTRACT TORT OR OTHERWISE ARISING FROM OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.---Upon the first launch of the app you will be asked permission to send analytics data to the developer. You can still use the app without any restriction if you don't consent.CustomRP collects this non-personal information during the usage of the app:- OS Version- OS Language- Device Model (laptop or motherboard)- Country based on OS settings (does not use geolocation)- App VersionAs well as these user interactions:- Connection status to Discord- Connection errors (wrong ID etc)- Connection failure (Discord isn't running etc)- Updated presence: - Does it have party? - What timestamp type is used? - Does it have a big image set? - Does it have a small image set? - How many buttons are set?- New version was ignored: - Which version?- Saved a preset- Loaded a preset- Clicked on a supporter/translator menu item: - Name of the supporter/translator - URL of the supporter/translator- Opened "Pipe select" window- Opened "About" windowCrash reports send your settings (except ID) to help understand the cause of the crash.This information is collected to understand how the application is used improve features and catch unexpected crashes as soon as they appear. The information is stored in the Microsoft App Center for 28 days and is not shared with any third parties.I &accept the agreementI &do not accept the agreement&NextCancel
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Window detected: License AgreementPlease read the following important information before continuing.Please read the following License Agreement. You must accept the terms of this agreement before continuing with the installation.Copyright (c) 2020-2024 maximmax42Permission is hereby granted free of charge to any person obtaining a copy of this software and associated documentation files (the "Software") to deal in the Software without restriction including without limitation the rights to use copy modify merge publish distribute sublicense and/or sell copies of the Software and to permit persons to whom the Software is furnished to do so subject to the following conditions:The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND EXPRESS OR IMPLIED INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM DAMAGES OR OTHER LIABILITY WHETHER IN AN ACTION OF CONTRACT TORT OR OTHERWISE ARISING FROM OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.---Upon the first launch of the app you will be asked permission to send analytics data to the developer. You can still use the app without any restriction if you don't consent.CustomRP collects this non-personal information during the usage of the app:- OS Version- OS Language- Device Model (laptop or motherboard)- Country based on OS settings (does not use geolocation)- App VersionAs well as these user interactions:- Connection status to Discord- Connection errors (wrong ID etc)- Connection failure (Discord isn't running etc)- Updated presence: - Does it have party? - What timestamp type is used? - Does it have a big image set? - Does it have a small image set? - How many buttons are set?- New version was ignored: - Which version?- Saved a preset- Loaded a preset- Clicked on a supporter/translator menu item: - Name of the supporter/translator - URL of the supporter/translator- Opened "Pipe select" window- Opened "About" windowCrash reports send your settings (except ID) to help understand the cause of the crash.This information is collected to understand how the application is used improve features and catch unexpected crashes as soon as they appear. The information is stored in the Microsoft App Center for 28 days and is not shared with any third parties.I &accept the agreementI &do not accept the agreement&NextCancel
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Window detected: License AgreementPlease read the following important information before continuing.Please read the following License Agreement. You must accept the terms of this agreement before continuing with the installation.Copyright (c) 2020-2024 maximmax42Permission is hereby granted free of charge to any person obtaining a copy of this software and associated documentation files (the "Software") to deal in the Software without restriction including without limitation the rights to use copy modify merge publish distribute sublicense and/or sell copies of the Software and to permit persons to whom the Software is furnished to do so subject to the following conditions:The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND EXPRESS OR IMPLIED INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM DAMAGES OR OTHER LIABILITY WHETHER IN AN ACTION OF CONTRACT TORT OR OTHERWISE ARISING FROM OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.---Upon the first launch of the app you will be asked permission to send analytics data to the developer. You can still use the app without any restriction if you don't consent.CustomRP collects this non-personal information during the usage of the app:- OS Version- OS Language- Device Model (laptop or motherboard)- Country based on OS settings (does not use geolocation)- App VersionAs well as these user interactions:- Connection status to Discord- Connection errors (wrong ID etc)- Connection failure (Discord isn't running etc)- Updated presence: - Does it have party? - What timestamp type is used? - Does it have a big image set? - Does it have a small image set? - How many buttons are set?- New version was ignored: - Which version?- Saved a preset- Loaded a preset- Clicked on a supporter/translator menu item: - Name of the supporter/translator - URL of the supporter/translator- Opened "Pipe select" window- Opened "About" windowCrash reports send your settings (except ID) to help understand the cause of the crash.This information is collected to understand how the application is used improve features and catch unexpected crashes as soon as they appear. The information is stored in the Microsoft App Center for 28 days and is not shared with any third parties.I &accept the agreementI &do not accept the agreement&NextCancel

Source: C:\Users\user\Desktop\LisectAVT_2403002A_473.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorrc.dll

Jump to behavior

Source: C:\Windows\explorer.exe

Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\16.0\Access\Capabilities\UrlAssociations

Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp

Registry value created: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{6B1949CF-3AC6-43B8-95BF-5517797E2CEA}_is1

Jump to behavior

Source: LisectAVT_2403002A_473.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: LisectAVT_2403002A_473.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: LisectAVT_2403002A_473.exe

Static file information: File size 6717450 > 1048576

Source: C:\Users\user\Desktop\LisectAVT_2403002A_473.exe

File opened: C:\Windows\WinSxS\amd64_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_88e266cb2fac7c0d\MSVCR80.dll

Jump to behavior

Source: LisectAVT_2403002A_473.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x663000

Source: LisectAVT_2403002A_473.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: D:\a\1\s\SDK\AppCenterCrashes\Microsoft.AppCenter.Crashes.WindowsDesktop\obj\Microsoft.AppCenter.Crashes.WindowsDesktop\Release\net472\Microsoft.AppCenter.Crashes.pdb source: LocalwCRkvqzBqW.tmp, 0000000E.00000003.1661520651.00000000057AF000.00000004.00001000.00020000.00000000.sdmp, CustomRP.exe, CustomRP.exe, 00000023.00000002.1870099006.00000000055F2000.00000002.00000001.01000000.00000012.sdmp, CustomRP.1.17.26.tmp, 00000027.00000003.2195222115.00000000058B0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\projects\customrp\CustomRPC\obj\Release\CustomRP.pdb source: LocalwCRkvqzBqW.tmp, 0000000E.00000003.1661520651.00000000057AF000.00000004.00001000.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000000.1657558451.0000000000AB2000.00000002.00000001.01000000.00000010.sdmp, CustomRP.1.17.26.tmp, 00000027.00000003.2195222115.00000000058B0000.00000004.00001000.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000000.2191328539.0000000000E72000.00000002.00000001.01000000.00000010.sdmp
Source:	Binary string: C:\NetFXDev1\binaries\x86ret\bin\i386\VSSetup\Utils\boxstub.pdb source: is-L16CA.tmp.39.dr
Source:	Binary string: c:\Users\Sentinel\Desktop\HTMLRenderer\HTML-Renderer\Source\HtmlRenderer.WinForms\obj\Release\HtmlRenderer.WinForms.pdb source: LocalwCRkvqzBqW.tmp, 0000000E.00000003.1661520651.00000000057AF000.00000004.00001000.00020000.00000000.sdmp, CustomRP.exe, CustomRP.exe, 0000001A.00000002.2038683267.000000000CE22000.00000002.00000001.01000000.00000024.sdmp, CustomRP.1.17.26.tmp, 00000027.00000003.2195222115.00000000058B0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\a\SQLitePCL.raw\SQLitePCL.raw\SQLitePCL.raw\src\SQLitePCLRaw.core\obj\Release\netstandard2.0\SQLitePCLRaw.core.pdb source: LocalwCRkvqzBqW.tmp, 0000000E.00000003.1661520651.00000000057AF000.00000004.00001000.00020000.00000000.sdmp, CustomRP.exe, CustomRP.exe, 0000001A.00000002.1999866525.00000000060A2000.00000002.00000001.01000000.00000017.sdmp, is-FETK3.tmp.39.dr
Source:	Binary string: c:\Users\Sentinel\Desktop\HTMLRenderer\HTML-Renderer\Source\HtmlRenderer\obj\Release\HtmlRenderer.pdb source: LocalwCRkvqzBqW.tmp, 0000000E.00000003.1661520651.00000000057AF000.00000004.00001000.00020000.00000000.sdmp, CustomRP.exe, CustomRP.exe, 0000001A.00000002.2039306519.000000000CE92000.00000002.00000001.01000000.00000025.sdmp, CustomRP.1.17.26.tmp, 00000027.00000003.2195222115.00000000058B0000.00000004.00001000.00020000.00000000.sdmp, is-8ECJB.tmp.39.dr
Source:	Binary string: /_/Src/Newtonsoft.Json.Bson/obj/Release/net45/Newtonsoft.Json.Bson.pdbSHA256Z source: LocalwCRkvqzBqW.tmp, 0000000E.00000003.1661520651.00000000057AF000.00000004.00001000.00020000.00000000.sdmp, CustomRP.1.17.26.tmp, 00000027.00000003.2195222115.00000000058B0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\a\_work\1\s\corefx\bin\obj\AnyOS.AnyCPU.Release\System.Memory\netfx\System.Memory.pdb source: LocalwCRkvqzBqW.tmp, 0000000E.00000003.1661520651.00000000057AF000.00000004.00001000.00020000.00000000.sdmp, CustomRP.exe, CustomRP.exe, 0000001A.00000002.2002226777.00000000063B2000.00000002.00000001.01000000.00000019.sdmp
Source:	Binary string: D:\a\SQLitePCL.raw\SQLitePCL.raw\SQLitePCL.raw\src\SQLitePCLRaw.core\obj\Release\netstandard2.0\SQLitePCLRaw.core.pdbSHA256I source: LocalwCRkvqzBqW.tmp, 0000000E.00000003.1661520651.00000000057AF000.00000004.00001000.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000002.1999866525.00000000060A2000.00000002.00000001.01000000.00000017.sdmp, is-FETK3.tmp.39.dr
Source:	Binary string: D:\a\SQLitePCL.raw\SQLitePCL.raw\SQLitePCL.raw\src\SQLitePCLRaw.bundle_green\obj\Release\net461\SQLitePCLRaw.batteries_v2.pdb source: LocalwCRkvqzBqW.tmp, 0000000E.00000003.1661520651.00000000057AF000.00000004.00001000.00020000.00000000.sdmp, CustomRP.exe, CustomRP.exe, 0000001A.00000002.1999487049.0000000005A42000.00000002.00000001.01000000.00000016.sdmp, is-90JQC.tmp.14.dr
Source:	Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdb source: LocalwCRkvqzBqW.tmp, 0000000E.00000003.1661520651.00000000057AF000.00000004.00001000.00020000.00000000.sdmp, CustomRP.exe, CustomRP.exe, 0000001A.00000002.2000036377.00000000060C2000.00000002.00000001.01000000.00000015.sdmp, CustomRP.1.17.26.tmp, 00000027.00000003.2195222115.00000000058B0000.00000004.00001000.00020000.00000000.sdmp, is-N75LE.tmp.14.dr, is-8B8DA.tmp.39.dr
Source:	Binary string: D:\a\SQLitePCL.raw\SQLitePCL.raw\SQLitePCL.raw\src\SQLitePCLRaw.provider.dynamic_cdecl\obj\Release\netstandard2.0\SQLitePCLRaw.provider.dynamic_cdecl.pdb source: LocalwCRkvqzBqW.tmp, 0000000E.00000003.1661520651.00000000057AF000.00000004.00001000.00020000.00000000.sdmp, CustomRP.exe, CustomRP.exe, 0000001A.00000002.2001708037.0000000006342000.00000002.00000001.01000000.00000018.sdmp, is-7ECM7.tmp.39.dr, is-CMKDC.tmp.14.dr
Source:	Binary string: D:\a\cb\cb\cb\bld\bin\e_sqlite3\win\v142\plain\x86\e_sqlite3.pdb source: CustomRP.exe, 0000001A.00000002.2046982098.000000006A8BA000.00000002.00000001.01000000.0000001A.sdmp, CustomRP.exe, 0000002A.00000002.3865639119.000000006A58B000.00000002.00000001.01000000.0000001A.sdmp
Source:	Binary string: D:\Projects\Visual Studio\discord-rpc-csharp\DiscordRPC\obj\Release\net45\DiscordRPC.pdb source: LocalwCRkvqzBqW.tmp, 0000000E.00000003.1661520651.00000000057AF000.00000004.00001000.00020000.00000000.sdmp, CustomRP.exe, CustomRP.exe, 0000001A.00000002.2008788803.0000000009AC2000.00000002.00000001.01000000.0000001C.sdmp, CustomRP.1.17.26.tmp, 00000027.00000003.2195222115.00000000058B0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: Octokit.pdbSHA256 source: LocalwCRkvqzBqW.tmp, 0000000E.00000003.1661520651.00000000057AF000.00000004.00001000.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000002.2011935141.0000000009C32000.00000002.00000001.01000000.0000001D.sdmp, CustomRP.exe, 0000002A.00000002.3833471382.0000000006E82000.00000002.00000001.01000000.0000001D.sdmp
Source:	Binary string: D:\a\_work\1\Tooling\obj\Release\System.Net.Http.Formatting\System.Net.Http.Formatting.pdb source: LocalwCRkvqzBqW.tmp, 0000000E.00000003.1661520651.00000000057AF000.00000004.00001000.00020000.00000000.sdmp, is-OARCU.tmp.14.dr
Source:	Binary string: c:\Users\Sentinel\Desktop\HTMLRenderer\HTML-Renderer\Source\HtmlRenderer.WinForms\obj\Release\HtmlRenderer.WinForms.pdb, source: LocalwCRkvqzBqW.tmp, 0000000E.00000003.1661520651.00000000057AF000.00000004.00001000.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000002.2038683267.000000000CE22000.00000002.00000001.01000000.00000024.sdmp, CustomRP.1.17.26.tmp, 00000027.00000003.2195222115.00000000058B0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: /_/Src/Newtonsoft.Json.Bson/obj/Release/net45/Newtonsoft.Json.Bson.pdb source: LocalwCRkvqzBqW.tmp, 0000000E.00000003.1661520651.00000000057AF000.00000004.00001000.00020000.00000000.sdmp, CustomRP.1.17.26.tmp, 00000027.00000003.2195222115.00000000058B0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\a\SQLitePCL.raw\SQLitePCL.raw\SQLitePCL.raw\src\SQLitePCLRaw.bundle_green\obj\Release\net461\SQLitePCLRaw.batteries_v2.pdbSHA256R source: LocalwCRkvqzBqW.tmp, 0000000E.00000003.1661520651.00000000057AF000.00000004.00001000.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000002.1999487049.0000000005A42000.00000002.00000001.01000000.00000016.sdmp, is-90JQC.tmp.14.dr
Source:	Binary string: E:\OneDrive\Programming\CommonMark\CommonMark\obj\v4.5\Release\CommonMark.pdb source: LocalwCRkvqzBqW.tmp, 0000000E.00000003.1661520651.0000000005700000.00000004.00001000.00020000.00000000.sdmp, CustomRP.exe, CustomRP.exe, 0000001A.00000002.2033794203.000000000BEF2000.00000002.00000001.01000000.00000023.sdmp, CustomRP.1.17.26.tmp, 00000027.00000003.2195222115.0000000005824000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\s\SDK\AppCenter\Microsoft.AppCenter.WindowsDesktop\obj\Microsoft.AppCenter.WindowsDesktop\Release\net472\Microsoft.AppCenter.pdbSHA256 source: LocalwCRkvqzBqW.tmp, 0000000E.00000003.1661520651.00000000057AF000.00000004.00001000.00020000.00000000.sdmp, CustomRP.exe, 00000023.00000002.1872050699.0000000005A02000.00000002.00000001.01000000.00000013.sdmp, CustomRP.1.17.26.tmp, 00000027.00000003.2195222115.00000000058B0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\Projects\Visual Studio\discord-rpc-csharp\DiscordRPC\obj\Release\net45\DiscordRPC.pdbSHA256^ source: LocalwCRkvqzBqW.tmp, 0000000E.00000003.1661520651.00000000057AF000.00000004.00001000.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000002.2008788803.0000000009AC2000.00000002.00000001.01000000.0000001C.sdmp, CustomRP.1.17.26.tmp, 00000027.00000003.2195222115.00000000058B0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\a\SQLitePCL.raw\SQLitePCL.raw\SQLitePCL.raw\src\SQLitePCLRaw.provider.dynamic_cdecl\obj\Release\netstandard2.0\SQLitePCLRaw.provider.dynamic_cdecl.pdbSHA256 source: LocalwCRkvqzBqW.tmp, 0000000E.00000003.1661520651.00000000057AF000.00000004.00001000.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000002.2001708037.0000000006342000.00000002.00000001.01000000.00000018.sdmp, is-7ECM7.tmp.39.dr, is-CMKDC.tmp.14.dr
Source:	Binary string: E:\A\_work\156\s\corefx\bin\obj\AnyOS.AnyCPU.Release\System.Buffers\netfx\System.Buffers.pdb source: LocalwCRkvqzBqW.tmp, 0000000E.00000003.1661520651.00000000057AF000.00000004.00001000.00020000.00000000.sdmp, is-LTL2H.tmp.14.dr
Source:	Binary string: D:\a\1\s\SDK\AppCenterAnalytics\Microsoft.AppCenter.Analytics.WindowsDesktop\obj\Microsoft.AppCenter.Analytics.WindowsDesktop\Release\net472\Microsoft.AppCenter.Analytics.pdb source: LocalwCRkvqzBqW.tmp, 0000000E.00000003.1661520651.00000000057AF000.00000004.00001000.00020000.00000000.sdmp, CustomRP.exe, CustomRP.exe, 00000023.00000002.1870476118.0000000005662000.00000002.00000001.01000000.00000014.sdmp, CustomRP.1.17.26.tmp, 00000027.00000003.2195222115.00000000058B0000.00000004.00001000.00020000.00000000.sdmp, is-313PG.tmp.14.dr
Source:	Binary string: E:\A\_work\39\s\corefx\bin/obj/AnyOS.AnyCPU.Release/System.Numerics.Vectors/net46\System.Numerics.Vectors.pdb source: LocalwCRkvqzBqW.tmp, 0000000E.00000003.1661520651.00000000057AF000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\s\SDK\AppCenterAnalytics\Microsoft.AppCenter.Analytics.WindowsDesktop\obj\Microsoft.AppCenter.Analytics.WindowsDesktop\Release\net472\Microsoft.AppCenter.Analytics.pdbSHA256 source: LocalwCRkvqzBqW.tmp, 0000000E.00000003.1661520651.00000000057AF000.00000004.00001000.00020000.00000000.sdmp, CustomRP.exe, 00000023.00000002.1870476118.0000000005662000.00000002.00000001.01000000.00000014.sdmp, CustomRP.1.17.26.tmp, 00000027.00000003.2195222115.00000000058B0000.00000004.00001000.00020000.00000000.sdmp, is-313PG.tmp.14.dr
Source:	Binary string: Octokit.pdb source: CustomRP.exe, CustomRP.exe, 0000002A.00000002.3833471382.0000000006E82000.00000002.00000001.01000000.0000001D.sdmp
Source:	Binary string: E:\A\_work\156\s\corefx\bin\obj\AnyOS.AnyCPU.Release\System.Threading.Tasks.Extensions\netfx\System.Threading.Tasks.Extensions.pdb source: LocalwCRkvqzBqW.tmp, 0000000E.00000003.1661520651.00000000057AF000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdbSHA2567 source: LocalwCRkvqzBqW.tmp, 0000000E.00000003.1661520651.00000000057AF000.00000004.00001000.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000002.2000036377.00000000060C2000.00000002.00000001.01000000.00000015.sdmp, CustomRP.1.17.26.tmp, 00000027.00000003.2195222115.00000000058B0000.00000004.00001000.00020000.00000000.sdmp, is-N75LE.tmp.14.dr, is-8B8DA.tmp.39.dr
Source:	Binary string: D:\a\1\s\SDK\AppCenterCrashes\Microsoft.AppCenter.Crashes.WindowsDesktop\obj\Microsoft.AppCenter.Crashes.WindowsDesktop\Release\net472\Microsoft.AppCenter.Crashes.pdbSHA256 source: LocalwCRkvqzBqW.tmp, 0000000E.00000003.1661520651.00000000057AF000.00000004.00001000.00020000.00000000.sdmp, CustomRP.exe, 00000023.00000002.1870099006.00000000055F2000.00000002.00000001.01000000.00000012.sdmp, CustomRP.1.17.26.tmp, 00000027.00000003.2195222115.00000000058B0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: -C:\NetFXDev1\binaries\x86ret\bin\i386\VSSetup\Utils\boxstub.pdb source: is-L16CA.tmp.39.dr
Source:	Binary string: C:\projects\customrp\CustomRPC\obj\Release\CustomRP.pdb< source: CustomRP.1.17.26.tmp, 00000027.00000003.2195222115.00000000058B0000.00000004.00001000.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000000.2191328539.0000000000E72000.00000002.00000001.01000000.00000010.sdmp
Source:	Binary string: D:\a\1\s\SDK\AppCenter\Microsoft.AppCenter.WindowsDesktop\obj\Microsoft.AppCenter.WindowsDesktop\Release\net472\Microsoft.AppCenter.pdb source: LocalwCRkvqzBqW.tmp, 0000000E.00000003.1661520651.00000000057AF000.00000004.00001000.00020000.00000000.sdmp, CustomRP.exe, CustomRP.exe, 00000023.00000002.1872050699.0000000005A02000.00000002.00000001.01000000.00000013.sdmp, CustomRP.1.17.26.tmp, 00000027.00000003.2195222115.00000000058B0000.00000004.00001000.00020000.00000000.sdmp

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: 0.0.LisectAVT_2403002A_473.exe.8353e7.2.raw.unpack, OGwlqciXr0ElwpPhx2ELvF3kNaKNl.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{B2XkNRIfMeAoP3U1ztvWAdAGcXy7w.uIyunLolBqwllVVDZCX56D0GqUWs9,B2XkNRIfMeAoP3U1ztvWAdAGcXy7w.njXy4hiAdARQRipLtAeJC4sjnK9sS,B2XkNRIfMeAoP3U1ztvWAdAGcXy7w._8H5NqAIy8CMvYmRQknkcFQC9tU1WP,B2XkNRIfMeAoP3U1ztvWAdAGcXy7w.CkIDfYNhpg1tAG2PGKbvUA0Elq5gc,_7OJWizdBeSlGH7qWtAtRFahk6E6v64SjpzYbrWqJGw9FBYpyMJWB7kDG0qmHYq._56a6fVyzDD90QtgdUY86C4nJ5FcDMc0CSRvP8HhqehLuna7wrFL1eT5ApuxzQp()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.0.LisectAVT_2403002A_473.exe.8353e7.2.raw.unpack, OGwlqciXr0ElwpPhx2ELvF3kNaKNl.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{BHOQj9Xxu0vKZWs0HCJniDmXP4v2XvbRoGZ4tJwPKPjFzrMDJQMAj42I9Cgduv[2],_7OJWizdBeSlGH7qWtAtRFahk6E6v64SjpzYbrWqJGw9FBYpyMJWB7kDG0qmHYq.Czxd4ExSuH2IoIE21QwPUiDLNtvW8418ZYcwYKefxGmHL8jlQSY3RwCv5av4hp(_7OJWizdBeSlGH7qWtAtRFahk6E6v64SjpzYbrWqJGw9FBYpyMJWB7kDG0qmHYq.xETPFICgM0aL3df1wQojEnxodtq7BR6UQhsrIJ7HTsKmFfeH0PBE8bOUNm5S6Q(BHOQj9Xxu0vKZWs0HCJniDmXP4v2XvbRoGZ4tJwPKPjFzrMDJQMAj42I9Cgduv[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.0.LisectAVT_2403002A_473.exe.8353e7.2.raw.unpack, OGwlqciXr0ElwpPhx2ELvF3kNaKNl.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { BHOQj9Xxu0vKZWs0HCJniDmXP4v2XvbRoGZ4tJwPKPjFzrMDJQMAj42I9Cgduv[2] }}, (string[])null, (Type[])null, (bool[])null, true)

.NET source code contains potential unpacker

Source: LocalM_d_cKXRrV.exe.0.dr, OK.cs	.Net Code: Plugin System.Reflection.Assembly.Load(byte[])
Source: 0.0.LisectAVT_2403002A_473.exe.8353e7.2.raw.unpack, OGwlqciXr0ElwpPhx2ELvF3kNaKNl.cs	.Net Code: b0T66TwgdsFDp8EZEffofaWtyiZofgzderQP7qVS0bSagCaeGgxQu9i3qeHA93 System.AppDomain.Load(byte[])
Source: 0.0.LisectAVT_2403002A_473.exe.8353e7.2.raw.unpack, OGwlqciXr0ElwpPhx2ELvF3kNaKNl.cs	.Net Code: M8I3cEkZRWMPHu1vFgN0xsR55eN42qZ9DbCuIpeqvEexFu6tCe9FqQBmtTtwLP System.AppDomain.Load(byte[])
Source: 0.0.LisectAVT_2403002A_473.exe.8353e7.2.raw.unpack, OGwlqciXr0ElwpPhx2ELvF3kNaKNl.cs	.Net Code: M8I3cEkZRWMPHu1vFgN0xsR55eN42qZ9DbCuIpeqvEexFu6tCe9FqQBmtTtwLP

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 26_2_05A44054 push cs; retf	26_2_05A44056
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 26_2_060AC6E7 push ebp; ret	26_2_060AC6F4
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 26_2_063456FA push ss; iretd	26_2_06345702
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 26_2_06347F11 push cs; ret	26_2_06347F12
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 26_2_0CE273FB push cs; ret	26_2_0CE273FC
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 26_2_0CE2735B push cs; ret	26_2_0CE273AE
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 26_2_0CE26B0C push cs; ret	26_2_0CE2735A
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 26_2_0CE9A5C4 pushfd ; ret	26_2_0CE9A5C5
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 42_2_6A5797A3 push ecx; ret	42_2_6A5797B6

Source: 0.0.LisectAVT_2403002A_473.exe.8353e7.2.raw.unpack, GzXr2Mcaar8f5V6mmaBIB3Qmorj8608N3NfyZiCrxOwn2Ubo81jp38Hf8K3vMc.cs	High entropy of concatenated method names: 'du5SXtDXjK7rxbJy4PxNJAvPkHLEEga4cRRX3Uzlof712GlhX8UmXsovle68I2', 'uT5h9qbRmgXiVno2NHRp0dZ9Ou8hsh2oPCFpLE0xyTaQqQI6jKIxzTtW3NhCMr', 'dsy4E13gzwzp4kPRjHqKdmBHOlXv8o7Fje8lBVDkSmwodj9', 'N2FSOkJ1ugfPu145SuZXVw', 'f0tRf2MdTZq7L5LlONzuiw', 'dbMHnFKIeeSwNibDPwj8SE', '_3ghl34YLCwxVYQtEocF8f5', 'l8UizUq2H4XxpLqYe92t2j', 'S91pEFYlKlco1QKzzZMZfm', '_6HeBPUxqxMgAIM5UUHUrm4'
Source: 0.0.LisectAVT_2403002A_473.exe.8353e7.2.raw.unpack, B2XkNRIfMeAoP3U1ztvWAdAGcXy7w.cs	High entropy of concatenated method names: 'o4Bj8Ixe8j0oU8YFOcYN7loNS87K4Ka8i2agGqOoPkbK6I1', 'Nn9suwVJNSDNYT7iSiCy7jSvy1yOfqftKk2DNj3XgjePNde', 'URWXZ7ayLW0VIa7GuvQo9lIeZQwD1SGkbHrPzIT2X2PRrAK', 'CaZG7odOBK6amSleOUQGxAiO8xLBV7dHJcemdPZMcsNKkWq'
Source: 0.0.LisectAVT_2403002A_473.exe.8353e7.2.raw.unpack, OV7l01RbiiW89yaMq3qQg9koJXcBS.cs	High entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', 'O5JzNJEG3PhQS6ln6GcOZ2TYp3yqJcdn0b8GZ7za0m3XkNW', 'dcOe1l9QEtqry8tmuDudpZI3EXOvdr2qYUEqt4J5lLr47Ek', 'NA4GPsgGZiBBp3tzdllO9ePmO7aISQt4ILjiyq7LMqDDrOH', 'X4gyqK7y4EwljHiEo3rrrYwiXW65uBpBmno4GdJ5Zq8ZYYJ'
Source: 0.0.LisectAVT_2403002A_473.exe.8353e7.2.raw.unpack, maC2rNtx1b5CL8WjrQbnsVoyoeFzRupXiO2bEJRFmnDcFz3f3xmj4wktvQXPtr.cs	High entropy of concatenated method names: 'PbgU60La5wMiOOBDsscLSxUNbiKOvj6sxrT7NqSaqSy3GC64igGPGh5dvQmjKt', 'bnqE7DfdyEbT1wKyOnUXP4u9h3lYot642fosF9CMPPus5LdqIsrZUVKvmmiOdP', 'atbh9Cdgzec6XSqA9Ne7VNfFE2co9hV9ZlwTj84ZKwTfZVF2QvXz7wsaHKjahQ', 'QE1MyDqPqvkr297huzPuLjuJEJajFv0e3gqf0XvOz1MV8aYBO1sf5ndz1FKgGVAHBE7usKScMkRqgVD', 'f8bNamCkcRfcKXp8J2fcxSffR5Rr7ADZMywkWuQvBskDxmrVnO6U2lTTYZUnEVJwGnrDWDBuUknKlrB', '_0QAaRtUV1VJCIOgySpWpZx8I27aqzJpf7vaeOYulZ7qwW6PVbAhupe1QRMSJA8MOVZ0mE83Y2g781FW', '_5yRme6KIBsF41sHTlL6VUf5Tz325nSFh6VOwgiD4GQJei4oi12zaSpwv2VyPGL8qBphTeXwI82yLHhG', 'YCkdJzbCDBB48JgLJLqkHfAe8ENhUFT7A19QGSpvhqv24oa29tyQ5rgdo8IeBvWPi1mLS5hntL8OUXl', '_3IPxK04d2V3dRZBmQV7kCoe5Bcp9o2blxLvlzZpu7INNz8sgDUeCvpI5cfwVnwlLUMNDNXFQFi7qIB9', 'bP3dUM8BjODBVCVTo9dtcQekr2QJyK6yhXy9ofrcQZfrj3oLig1q4jipDZ8AudijecughlGaa3FWKeC'
Source: 0.0.LisectAVT_2403002A_473.exe.8353e7.2.raw.unpack, R0hg9jZbVaevTyXey4uE49a6kWot1.cs	High entropy of concatenated method names: 'cId9vuX6TEhHyg6I0toB205OFwxeI', 'Zp4B0r08IvRR4hGaiV0dO6hQDgMJL', 'PjVOM1LfZ7AszjFVweGGWRU2TGhC3', 'f9hgo30SjlAFBRGST47WcTQEBO56v', 'eBqF06VZUqCitvWfEEtqYxk0gYNkM', 'rDDPWoftRsad1LJMYH1Oxwe645mP6', '_5d8fYQqTSWpy4ca35vixlzNQdfigR', 'f46SutHIvAHjSf0T1fbXj6Sliga05', 'xDurXySakyaZbpkWXqPXuhWTTEk3H', '_2UWRUbXIWIuRA0L95M2bEnUoZtVRE'
Source: 0.0.LisectAVT_2403002A_473.exe.8353e7.2.raw.unpack, ARp5zTXjKKYFtcoXWqDeIcmGA17yFtlsomL8MTAUPdEkHWKf5y5JsMlRGkcqSq.cs	High entropy of concatenated method names: 'B6WqiBeg2rO0jU2a9fIoSqFhOlN12d4Dvjhhj6t9uRq1FpOxG729NYRCHFPQoU', 'ozudnqly6dI3zP6pVKLmVCpcDCSveBvhWT3CTLQFaXEHRDeaUuqTCxcLFHQfiEoSdz9h2Yf5bY5KALf', 'NN6LL0xWQRPszZ2MdNx1H69kcgVCuflHWjFSGy048sSgbsmXIsvwnraAbVKXIx90eXXjgt85VDSEALb', 'xv5ZjhAyDgTqUlXyQ2pob1H9fK4myJeQck0hc4GFWIvVS6s71I3wxhyzn8k3qyZLUsyHZwoqKZsE1oH', 'KMoAxYQHhTasYTiTp5YbGYXyHrSl9Du19NBB3uUw3hjmUvMkvjtebus1Kc17gNkj9SiG31nD6zDi6qH'
Source: 0.0.LisectAVT_2403002A_473.exe.8353e7.2.raw.unpack, KM7vndHufqEm3GqJ6ZRODL27U0yoO.cs	High entropy of concatenated method names: 'IEr0mcA4RL7j1ayGSUFmuIaWbUGdI', 'eaw022wAHiws1ctBjAnTu5oV8I22i', 'dVbc4BqEmQPuQsxRBA4BIWhoP8EU1', 'CTxrcJdigva9oOH0bVdrYoQtksoIW', 'i2Pucbl9eBekGVf86cIN0zJxNTKtP', 'wFiPuYdB58l10IQAtE4uuyaZuiLPX', 'M5O12Kq7UYOxerWJEWymCmJwkOrNH', 'HAKuAd5F6XFEEGozK6npGZJ5xguI6', 'v8SuV2VTmiTxn0BGEqkhxtJEE4rXU', 'z0Q01kZYW3jpdlfdoYiqGyzfQObFt'
Source: 0.0.LisectAVT_2403002A_473.exe.8353e7.2.raw.unpack, 7OJWizdBeSlGH7qWtAtRFahk6E6v64SjpzYbrWqJGw9FBYpyMJWB7kDG0qmHYq.cs	High entropy of concatenated method names: '_38SrXGO8ftuEMARWR101lQOCIjyjlrMJpAtdu2XTgMCYpUjLPTFf0faDNx2W5H', 'kNdXkKAls71g76CCWnQdphfCs5Mbr3594elgD7V6pm7Mdh9TQwj5cRO7MZubFL', '_7SreYRQoAUYZaegZSxljAzPEzbfaJ1seGdRnZGA59fSoOJWx61dKNvKZmjqjja', 'MHIfz0Ia8PqP5vnlWOvoUGP3f4vXUazr1NOT9wM1UWYlI2zCYL9kHzmfPihrmx', 'KouHVC715kMNPt5HfCcVICP5CyoOY8yuU1gZ9BRptSvBDwiHZPSBQEiW1i6dUf', '_9CEqF9BzI2p5s5YYBUVPWnnzE8x8wy0gcTcU2qlcWfkoH9QLck0ChG1eCMw5d9', '_209aCAJWvjnFl7BWjh1J9iligEBWf4ZxOQlCrHjSzsFKio0JEwQ7UTTZjOj6yO', 'SQna4U4BKsCJjpWQChg8XngLxwjUwMsN8y9D9SL2uOycuUnh0Xumrv5FPX32su', 'Aeci3iwx9Kt8pBA08sDmLCoK4bA4kqeCnnkCIh7BgcyT09qKEGWgEaqobMscug', 'xETPFICgM0aL3df1wQojEnxodtq7BR6UQhsrIJ7HTsKmFfeH0PBE8bOUNm5S6Q'
Source: 0.0.LisectAVT_2403002A_473.exe.8353e7.2.raw.unpack, keOMzeMbmlluHCZjjLfCZqNwIPA5BFya9rhNK7NgripufyOZD7am0OJVVXnqVp.cs	High entropy of concatenated method names: 'L2OtLWgcyWZ5tBJ3DSWrSwLFCavVjWDooKBOgha6P6KmWFhbCBZ2ibx97GWaOF', 'OyPnF3NQMqT4RnLUE5FfhfSIxLURYA1dplhcwRXuQeVsbmKf1uvMxzxuQiiexV', 'h7xW4sjV4gVVVPKMhFT62r3WipcXAQOMPr7D2aXUsrjDOaAn2yhHI9oQpHrXeg', 'K16t4Tx5eiciP325gHkXlK8n8VXcy8CogaV2itdfCZ2tcQJnMAnigN3OWUYR7pcWBDncAuRKH1q5CVS', 'syzbqkZTj6zIMbCRXVUXul9iVau5Z7HgeFuu2GkJzaezSkrt9w8dN3g0OlJJhMVOUZJ7tZt8bPUMcmF', 'jrSWlesuBWmlIvcWkCnV9EPYCzMuKTBpBpOuT8yTeBPx1eRMJJLPcREDJSMQP6bChUOhcf2Fg05EhQu', 'ntfFWmiXfTilJmBgPG9nqpEExZcsrcbLpWgeJHTBj7RnKU1P0e75phozSah3SULD1vkxgV328LvhvzY', 'QTvkKoCeSg860LOuuDApqZLXUqpicN9r3NSMq6EQ2Gr1OWd6tEs4c2u6Eik8I3BwibAtQ97mFcuSEPj', 'OQgevOvh1IzkJnPIke9ORLNkpIfnYkpiGpk6G5mw365UdOY48UJFJwBDdRbGiWnnesl2V719c2GWKNR', 'FnAVJsB3nqqCxAbU2jDiPwTiJFkvxQH8z8kb3ZksDRPFick19zot0BL9241sl6IeerH2QBIFBjBkch9'
Source: 0.0.LisectAVT_2403002A_473.exe.8353e7.2.raw.unpack, OGwlqciXr0ElwpPhx2ELvF3kNaKNl.cs	High entropy of concatenated method names: 'HSE1LdbBUlEWfEmQqGIMi8NOMoVKE', 'b0T66TwgdsFDp8EZEffofaWtyiZofgzderQP7qVS0bSagCaeGgxQu9i3qeHA93', 'QWEsyaklucOqbTkeuwTeJRCe56Pz4PFmGyhOSSptICQnaS0YDn0tiPTrgf7G6H', 'o7p0H92GwR8Wk7Q4r3E2CwvvP9j6qfh0XGivTHetuoJQiaz6ueIChHWbsYyWnN', 'zYVsWygyVBXnDL9LoHT6vUaR4TMGuWLPs04xwIKYjtX9VtJGLt3zKVayIU9pVv', 'GP0IwfbnQiKb54klyMG9dvCn3Y8BLwZix6YsiNWaNI380zxVG25hJbXyoCbmCJ', 'f6q3Rd4r1p6nrKJWZOMYcoSysSaSQSbzEJgcyaZVGypm0vPgrgpttAK1htvrIH', 'h2y50w9dLhvbgSpPia76D7m9srvWb0v0cPggh0x8JNPuJ2J6ykwxe8JUy7r5cx', 'EpmY8lrFt35zHm2FcmGtQXWJYE2Unb7aYBstKBxjwsfiJxZCqmnb8qhKpTngLd', 'WJ5skVy9PqlMc4vrcQXkNgGbKQClTAAKc2887ArkTKYeFGgMWQzssikgTPQKAw'

Drops PE files

Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\Microsoft.AppCenter.Analytics.dll (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_473.exe	File created: C:\Users\user\AppData\LocalylmNBbjoFA.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\Microsoft.AppCenter.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\zh-Hant\CustomRP.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\pt-BR\CustomRP.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\SQLitePCLRaw.core.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\cs\is-LVJRV.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\et\CustomRP.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\kk\CustomRP.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\kn\CustomRP.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\bs\is-UTM10.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\cs\is-D6RI7.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\is-40UMB.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\is-I462P.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\gl\is-O7UR3.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\el\is-NEUVP.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\is-OARCU.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\he\is-BIB27.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\bg\is-VHFMO.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\bg\is-RDQFL.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\pa\is-QT140.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\runtimes\win-x86\native\e_sqlite3.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\sv\is-0ERMH.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\hi\is-OG5MR.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\ka\is-O57A3.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\pl\is-5BRIE.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\sr\is-7NGID.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\vi\CustomRP.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\bn\is-1BDJ5.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\fil\CustomRP.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local_wGRdnhmmy.exe	File created: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\is-I8E2V.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	File created: C:\Users\user\AppData\Local\Temp\is-5AHC5.tmp\is-L16CA.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\sl\is-C59RA.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\is-313PG.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\mk\is-4D6QO.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\pt-BR\is-0EQ8U.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\sv\CustomRP.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\vi\is-I9TFR.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\is-N75LE.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\hy\CustomRP.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\is-LTL2H.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\pl\is-05QDT.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\System.Net.Http.Formatting.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\da\is-MEI7K.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\hi\is-5G0PQ.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\is-FNJTI.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\ta\CustomRP.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\sk\is-5KF44.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\hr\CustomRP.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\th\is-K9T0V.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\is-FK5SN.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\ar\is-HRLC1.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\ja\is-HSSNF.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\SQLitePCLRaw.batteries_v2.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\ja\is-HUT9S.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\System.Numerics.Vectors.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\ru\is-SBHVJ.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\runtimes\win-x86\native\is-TR1B4.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\Newtonsoft.Json.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\el\is-2TH83.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\ms\is-KFO4O.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\fa\CustomRP.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\zh-Hans\is-A2DL7.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\pt\is-MD896.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\is-GVRFI.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\fa\is-N68S6.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\be\is-OUIRJ.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\ta\is-A4O8R.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\SQLitePCLRaw.provider.dynamic_cdecl.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\System.Runtime.CompilerServices.Unsafe.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\hu\is-1UC18.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\ku\CustomRP.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_473.exe	File created: C:\Users\user\AppData\LocalM_d_cKXRrV.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\runtimes\win-arm\native\e_sqlite3.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\Octokit.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\hu\CustomRP.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\is\CustomRP.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\is-KQM6J.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\is-2C28F.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\cy\CustomRP.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\fa\is-ATSDQ.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\nl\CustomRP.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\runtimes\win-x64\native\is-546QC.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\is-N7DCN.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\DiscordRPC.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\it\is-SMAND.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\mn\is-GJ06U.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\is-8ECJB.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\runtimes\win-x86\native\is-SDGP4.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\is-TJS3F.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\fi\is-3UC6U.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\is-IOV14.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\ml\CustomRP.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\is-687SV.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\sl\is-G19UM.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Local\Temp\is-QU0ES.tmp\is-PMCAU.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\vi\is-JDVP8.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\ko\is-3MKMH.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\pl\CustomRP.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\is-JAUIP.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\ur\is-G731T.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\id\CustomRP.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\et\is-6NKQM.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\hi\CustomRP.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\sl\CustomRP.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\th\is-B2KEE.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\sk\is-NHIH0.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\id\is-VO99H.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\System.Memory.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\az\is-SPCCG.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\ms\CustomRP.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\ar\is-674TO.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\ca\is-G3P15.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\runtimes\win-arm\native\is-L6FKM.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\ta\is-AVES5.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\zh-Hant\is-TCS3P.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\mn\CustomRP.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\ku\is-54C0C.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\kn\is-Q0K47.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\ar\CustomRP.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\de-CH\is-PS652.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\gl\is-ROPLV.tmp	Jump to dropped file
Source: C:\Users\user\AppData\LocalylmNBbjoFA.exe	File created: C:\Users\user\AppData\Local_wGRdnhmmy.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\ro\is-H3RRR.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\fr\CustomRP.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\is-F4MFV.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\it\is-AVJLC.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\zh-Hant\is-LHI5A.tmp	Jump to dropped file
Source: C:\Users\user\AppData\LocalylmNBbjoFA.exe	File created: C:\Users\user\AppData\LocalwCRkvqzBqW.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\sv\is-53H19.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\tr\is-IOVKP.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\hy\is-OHUPK.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\fil\is-UD0CQ.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\is-9AGJI.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\nl\is-T6AQ0.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\he\is-85D8B.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\no\is-M254A.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\bn\CustomRP.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\pa\CustomRP.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\sr\is-UK4IF.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\System.Threading.Tasks.Extensions.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\pt\is-IFBSR.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\is-8B8DA.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\hr\is-QSFJ0.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\he\CustomRP.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\ca\CustomRP.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\is\is-G0GP4.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\fi\CustomRP.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\uk\is-DVKQR.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\da\is-L9EDS.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\is-9VO3N.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\fr\is-CJ2KI.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\is-90JQC.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Local\Temp\is-QU0ES.tmp\_isetup\_setup64.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\HtmlRenderer.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\uk\is-VIB03.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\my\is-2UT95.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\kk\is-BEN2D.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\ja\CustomRP.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\is-7ECM7.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\is-60I9P.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\zh-Hans\is-5VLN4.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\unins000.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	File created: C:\Users\user~1\AppData\Local\Temp\is-5AHC5.tmp\ndp48-web.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\pa\is-DAB1M.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\id\is-JVR9Q.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\is-840Q4.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\mn\is-S5EU4.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\es\CustomRP.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\ko\is-QDV0A.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\lv\is-9GBNE.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\is-VUD2Q.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\Newtonsoft.Json.Bson.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\pt-BR\is-2A1S4.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\da\CustomRP.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\ca\is-RKKJG.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\nl\is-AGJMF.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\no\is-AJQMV.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\is-QQTGA.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\mk\CustomRP.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\th\CustomRP.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\CustomRP.1.17.26.exe	File created: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\hr\is-EFPSN.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\tr\is-51KP4.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\is-OD2S7.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\System.Buffers.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\ml\is-NJ72O.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\is-2C6IM.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\bs\is-6KALE.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\ur\is-COL0K.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\fi\is-JNLAH.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\ro\CustomRP.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\ru\CustomRP.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\cy\is-39CN3.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\is-PN1CV.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\pt\CustomRP.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	File created: C:\Users\user\AppData\Local\Temp\CustomRP.1.17.26.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\cy\is-QS138.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\fr\is-VSURF.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\lt\is-7TEOR.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\is-CMKDC.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\sk\CustomRP.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\lv\CustomRP.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\Microsoft.AppCenter.Crashes.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\ka\CustomRP.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\ka\is-BTTKK.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\de\is-ONH2C.tmp	Jump to dropped file
Source: C:\Users\user\AppData\LocalM_d_cKXRrV.exe	File created: C:\Users\user\server.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\is-H1ITL.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\is-0375B.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\runtimes\win-x64\native\is-HGKHC.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\hy\is-9K8L2.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\tr\CustomRP.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\bs\CustomRP.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\gl\CustomRP.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\hu\is-T48C7.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\ro\is-SGDGS.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\az\CustomRP.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\is-JHC4U.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\zh-Hans\CustomRP.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\es\is-JBG7J.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\is\is-9VBA1.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\no\CustomRP.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\is-TI8RB.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\is-FEUPA.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\CommonMark.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\cs\CustomRP.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\HtmlRenderer.WinForms.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\bg\CustomRP.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\el\CustomRP.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\ur\CustomRP.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\it\CustomRP.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\is-550CF.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\kn\is-PHNVH.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\ku\is-0AQNH.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\lv\is-943IK.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\is-QH208.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\be\is-CQSTG.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\et\is-1TNPU.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\be\CustomRP.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\de-CH\is-3GQDR.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\ml\is-H8GME.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\my\CustomRP.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\is-FETK3.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\lt\is-558BR.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\de\is-Q34JK.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\my\is-DB878.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\runtimes\win-x64\native\e_sqlite3.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	File created: C:\Users\user\AppData\Local\Temp\is-5AHC5.tmp\_isetup\_setup64.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\ko\CustomRP.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\mk\is-B6G5I.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\bn\is-HPMA5.tmp	Jump to dropped file
Source: C:\Users\user\AppData\LocalwCRkvqzBqW.exe	File created: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\is-1NIJ8.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\is-1OIC0.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\de-CH\CustomRP.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\es\is-65RVL.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\de\CustomRP.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\uk\CustomRP.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\runtimes\win-arm\native\is-JNFCM.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\sr\CustomRP.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\lt\CustomRP.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\fil\is-PN2OA.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user~1\AppData\Local\Temp\is-QU0ES.tmp\ndp48-web.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\ru\is-GL4HQ.tmp	Jump to dropped file

Drops PE files to the user directory

Source: C:\Users\user\AppData\LocalM_d_cKXRrV.exe

File created: C:\Users\user\server.exe

Jump to dropped file

Boot Survival

Drops PE files to the user root directory

Source: C:\Users\user\AppData\LocalM_d_cKXRrV.exe

File created: C:\Users\user\server.exe

Jump to dropped file

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\AppData\Local_wGRdnhmmy.exe

Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Local_wGRdnhmmy" /tr "C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe"

Creates a start menu entry (Start Menu\Programs\Startup)

Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CustomRP.lnk

Stores files to the Windows start menu directory

Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\CustomRP	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\CustomRP\CustomRP.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\CustomRP\Uninstall CustomRP.lnk	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CustomRP.lnk
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\CustomRP\CustomRP.lnk
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\CustomRP\Uninstall CustomRP.lnk

Source: C:\Users\user\AppData\Local_wGRdnhmmy.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Local_wGRdnhmmy			Jump to behavior
Source: C:\Users\user\AppData\Local_wGRdnhmmy.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Local_wGRdnhmmy			Jump to behavior

Source: C:\Users\user\Desktop\LisectAVT_2403002A_473.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_473.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_473.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_473.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_473.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_473.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_473.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_473.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_473.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_473.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_473.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_473.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_473.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_473.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_473.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_473.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_473.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_473.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_473.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\LocalM_d_cKXRrV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\LocalM_d_cKXRrV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\LocalM_d_cKXRrV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\LocalM_d_cKXRrV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\LocalM_d_cKXRrV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\LocalM_d_cKXRrV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\LocalM_d_cKXRrV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\LocalM_d_cKXRrV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\LocalM_d_cKXRrV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\LocalM_d_cKXRrV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\LocalM_d_cKXRrV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\LocalM_d_cKXRrV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\LocalM_d_cKXRrV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\LocalM_d_cKXRrV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\LocalM_d_cKXRrV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\LocalM_d_cKXRrV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\LocalM_d_cKXRrV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\LocalM_d_cKXRrV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\LocalM_d_cKXRrV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\LocalM_d_cKXRrV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\LocalM_d_cKXRrV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\LocalylmNBbjoFA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\LocalylmNBbjoFA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\LocalylmNBbjoFA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\LocalylmNBbjoFA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\LocalylmNBbjoFA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\LocalylmNBbjoFA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\LocalylmNBbjoFA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\LocalylmNBbjoFA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\LocalylmNBbjoFA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\LocalylmNBbjoFA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\LocalylmNBbjoFA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\LocalylmNBbjoFA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\LocalylmNBbjoFA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\LocalylmNBbjoFA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\LocalylmNBbjoFA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\LocalylmNBbjoFA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\LocalylmNBbjoFA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\LocalylmNBbjoFA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\LocalylmNBbjoFA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local_wGRdnhmmy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local_wGRdnhmmy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local_wGRdnhmmy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local_wGRdnhmmy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local_wGRdnhmmy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local_wGRdnhmmy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local_wGRdnhmmy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local_wGRdnhmmy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local_wGRdnhmmy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local_wGRdnhmmy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local_wGRdnhmmy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local_wGRdnhmmy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local_wGRdnhmmy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local_wGRdnhmmy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local_wGRdnhmmy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local_wGRdnhmmy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local_wGRdnhmmy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local_wGRdnhmmy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local_wGRdnhmmy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local_wGRdnhmmy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local_wGRdnhmmy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local_wGRdnhmmy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local_wGRdnhmmy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local_wGRdnhmmy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local_wGRdnhmmy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local_wGRdnhmmy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local_wGRdnhmmy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local_wGRdnhmmy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local_wGRdnhmmy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local_wGRdnhmmy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local_wGRdnhmmy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local_wGRdnhmmy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local_wGRdnhmmy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local_wGRdnhmmy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local_wGRdnhmmy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local_wGRdnhmmy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local_wGRdnhmmy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local_wGRdnhmmy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local_wGRdnhmmy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local_wGRdnhmmy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local_wGRdnhmmy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local_wGRdnhmmy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local_wGRdnhmmy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\LocalwCRkvqzBqW.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\LocalwCRkvqzBqW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\server.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\server.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\server.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\server.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\server.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\server.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\server.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\server.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\server.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\server.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\server.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\server.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\server.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\server.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\server.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\server.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\server.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\server.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\server.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\server.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\server.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\server.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\server.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\server.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\server.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\server.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\server.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\server.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\server.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\server.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\netsh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\netsh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\CustomRP.1.17.26.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\CustomRP.1.17.26.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Check if machine is in data center or colocation facility

Source: global traffic

HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Opens the same file many times (likely Sandbox evasion)

Source: C:\Users\user\AppData\Local_wGRdnhmmy.exe	File opened: \Device\RasAcd count: 74580			Jump to behavior
Source: C:\Users\user\server.exe	File opened: \Device\RasAcd count: 33218

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: Local_wGRdnhmmy.exe, 00000008.00000002.3771976186.00000000025E1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SBIEDLL.DLL
Source: LocalylmNBbjoFA.exe, 00000004.00000002.1293177261.0000000002EE1000.00000004.00000800.00020000.00000000.sdmp, Local_wGRdnhmmy.exe, 00000008.00000000.1281627960.00000000003C2000.00000002.00000001.01000000.00000008.sdmp, LisectAVT_2403002A_473.exe	Binary or memory string: SBIEDLL.DLL_W5EH52Q5QTMQAPKL8LWNHVVSTNDVSYLRP6LQYKBXU5EQBRQ_PZJTIAI5UMOHUV4Y1YUY7548O2SOGTIJRVHLUCSMY3DC3KM_RGHR88E1AIVLNLNRBDJFPRXVOC6L77WSHJP7UGB1XI4VP8Z_HUUXALKYV8NG3SRKQM7LRIF2FZ1ZWFTRRJPJJXL8LJGG9EM_UNVTYP7EKIMLWEBYRMSRZVF8HRBKCLVNXU5GCKQ7MJYM22M_VTL3DAXV14GEBGFECNRPV41XSEJUXSGCXC4VPK30SBJTEIG_RMK7YTADMJ9PMNNOOZEZUA3Q4DEM92BNDRZ6T2TNNLA5FUW_LW5C8JRAX2TSJ9L3CMQWTW7NJE2YN0ZIQQD3P5JDUYXMMUL_GBVIJDAHNK0TUEYPEC5KLSNDMYFJ17UAT3VVA3MIQ6CASYH_ZO1NOBSGC31IGZVOWOKYQNIBSEU3SSOKPO1KZASJ4KZGSPX_06ZDZTLTPZRJKPHUAG87E257WGE27BIPCHMUK8G1GPRTZST_PG4HXUXEXVRT0WXYYHW048H41PHO1KS9RTVE37PHFE1T2UZINFO

Allocates memory with a write watch (potentially for evading sandboxes)

Source: C:\Users\user\Desktop\LisectAVT_2403002A_473.exe	Memory allocated: F90000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_473.exe	Memory allocated: 2E00000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_473.exe	Memory allocated: 1AE00000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\LocalM_d_cKXRrV.exe	Memory allocated: E40000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\LocalM_d_cKXRrV.exe	Memory allocated: 2C10000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\LocalM_d_cKXRrV.exe	Memory allocated: 4C10000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\LocalylmNBbjoFA.exe	Memory allocated: 1090000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\LocalylmNBbjoFA.exe	Memory allocated: 2EE0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\LocalylmNBbjoFA.exe	Memory allocated: 1AEE0000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local_wGRdnhmmy.exe	Memory allocated: A00000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local_wGRdnhmmy.exe	Memory allocated: 1A5E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\server.exe	Memory allocated: 1130000 memory reserve \| memory write watch
Source: C:\Users\user\server.exe	Memory allocated: 2EA0000 memory reserve \| memory write watch
Source: C:\Users\user\server.exe	Memory allocated: 4EA0000 memory commit \| memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Memory allocated: 10C0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Memory allocated: 1AD10000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Memory allocated: 2A50000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Memory allocated: 1AD00000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Memory allocated: 1040000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Memory allocated: 1AB20000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Memory allocated: 16B0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Memory allocated: 2EB0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Memory allocated: 4EB0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Memory allocated: 3010000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Memory allocated: 3110000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Memory allocated: 3010000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Memory allocated: 790000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Memory allocated: 1A1E0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Memory allocated: 1900000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Memory allocated: 3300000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Memory allocated: 3250000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Memory allocated: FA0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Memory allocated: 1AAD0000 memory reserve \| memory write watch

Contains functionality to detect virtual machines (SLDT)

Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe

Code function: 26_2_09AC7850 sldt word ptr [eax]

26_2_09AC7850

Contains long sleeps (>= 3 min)

Source: C:\Users\user\Desktop\LisectAVT_2403002A_473.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\LocalM_d_cKXRrV.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\LocalylmNBbjoFA.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Thread delayed: delay time: 922337203685477

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Users\user\AppData\Local_wGRdnhmmy.exe	Window / User API: threadDelayed 1089	Jump to behavior
Source: C:\Users\user\AppData\Local_wGRdnhmmy.exe	Window / User API: threadDelayed 3094	Jump to behavior
Source: C:\Users\user\server.exe	Window / User API: threadDelayed 3292
Source: C:\Users\user\server.exe	Window / User API: foregroundWindowGot 1570
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Window / User API: threadDelayed 5657
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Window / User API: threadDelayed 4034
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Window / User API: threadDelayed 9282

Found dropped PE file which has not been started or loaded

Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\Microsoft.AppCenter.Analytics.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\Microsoft.AppCenter.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\zh-Hant\CustomRP.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\pt-BR\CustomRP.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\cs\is-LVJRV.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\SQLitePCLRaw.core.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\et\CustomRP.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\kk\CustomRP.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\kn\CustomRP.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\bs\is-UTM10.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\is-40UMB.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\cs\is-D6RI7.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\gl\is-O7UR3.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\el\is-NEUVP.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\is-OARCU.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\he\is-BIB27.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\bg\is-VHFMO.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\bg\is-RDQFL.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\pa\is-QT140.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\runtimes\win-x86\native\e_sqlite3.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\sv\is-0ERMH.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\ka\is-O57A3.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\hi\is-OG5MR.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\pl\is-5BRIE.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\sr\is-7NGID.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\vi\CustomRP.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\fil\CustomRP.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\bn\is-1BDJ5.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\is-I8E2V.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-5AHC5.tmp\is-L16CA.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\sl\is-C59RA.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\mk\is-4D6QO.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\is-313PG.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\pt-BR\is-0EQ8U.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\sv\CustomRP.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\vi\is-I9TFR.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\hy\CustomRP.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\is-N75LE.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\is-LTL2H.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\pl\is-05QDT.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\System.Net.Http.Formatting.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\da\is-MEI7K.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\hi\is-5G0PQ.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\is-FNJTI.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\ta\CustomRP.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\sk\is-5KF44.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\hr\CustomRP.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\th\is-K9T0V.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\is-FK5SN.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\ar\is-HRLC1.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\ja\is-HSSNF.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\SQLitePCLRaw.batteries_v2.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\System.Numerics.Vectors.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\ja\is-HUT9S.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\runtimes\win-x86\native\is-TR1B4.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\ru\is-SBHVJ.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\Newtonsoft.Json.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\ms\is-KFO4O.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\el\is-2TH83.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\zh-Hans\is-A2DL7.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\fa\CustomRP.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\pt\is-MD896.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\is-GVRFI.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\fa\is-N68S6.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\be\is-OUIRJ.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\ta\is-A4O8R.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\SQLitePCLRaw.provider.dynamic_cdecl.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\System.Runtime.CompilerServices.Unsafe.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\hu\is-1UC18.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\ku\CustomRP.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\runtimes\win-arm\native\e_sqlite3.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\Octokit.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\is\CustomRP.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\hu\CustomRP.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\is-KQM6J.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\is-2C28F.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\cy\CustomRP.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\fa\is-ATSDQ.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\runtimes\win-x64\native\is-546QC.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\nl\CustomRP.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\is-N7DCN.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\DiscordRPC.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\it\is-SMAND.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\is-8ECJB.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\mn\is-GJ06U.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\runtimes\win-x86\native\is-SDGP4.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\fi\is-3UC6U.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\is-IOV14.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\is-687SV.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\ml\CustomRP.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\sl\is-G19UM.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-QU0ES.tmp\is-PMCAU.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\vi\is-JDVP8.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\ko\is-3MKMH.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\pl\CustomRP.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\is-JAUIP.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\ur\is-G731T.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\id\CustomRP.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\hi\CustomRP.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\et\is-6NKQM.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\sl\CustomRP.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\th\is-B2KEE.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\sk\is-NHIH0.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\id\is-VO99H.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\System.Memory.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\az\is-SPCCG.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\ms\CustomRP.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\ar\is-674TO.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\ta\is-AVES5.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\ca\is-G3P15.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\runtimes\win-arm\native\is-L6FKM.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\zh-Hant\is-TCS3P.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\mn\CustomRP.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\ku\is-54C0C.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\kn\is-Q0K47.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\ar\CustomRP.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\gl\is-ROPLV.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\de-CH\is-PS652.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\ro\is-H3RRR.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\is-F4MFV.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\fr\CustomRP.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\it\is-AVJLC.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\zh-Hant\is-LHI5A.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\sv\is-53H19.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\tr\is-IOVKP.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\hy\is-OHUPK.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\fil\is-UD0CQ.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\is-9AGJI.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\nl\is-T6AQ0.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\he\is-85D8B.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\no\is-M254A.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\bn\CustomRP.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\pa\CustomRP.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\sr\is-UK4IF.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\System.Threading.Tasks.Extensions.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\pt\is-IFBSR.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\is-8B8DA.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\hr\is-QSFJ0.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\he\CustomRP.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\ca\CustomRP.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\fi\CustomRP.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\is\is-G0GP4.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\uk\is-DVKQR.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\da\is-L9EDS.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\is-9VO3N.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\fr\is-CJ2KI.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\is-90JQC.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-QU0ES.tmp\_isetup\_setup64.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\HtmlRenderer.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\uk\is-VIB03.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\my\is-2UT95.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\kk\is-BEN2D.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\ja\CustomRP.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\is-7ECM7.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\is-60I9P.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\zh-Hans\is-5VLN4.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\unins000.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Dropped PE file which has not been started: C:\Users\user~1\AppData\Local\Temp\is-5AHC5.tmp\ndp48-web.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\pa\is-DAB1M.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\id\is-JVR9Q.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\is-840Q4.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\mn\is-S5EU4.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\es\CustomRP.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\ko\is-QDV0A.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\lv\is-9GBNE.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\Newtonsoft.Json.Bson.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\is-VUD2Q.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\pt-BR\is-2A1S4.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\da\CustomRP.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\ca\is-RKKJG.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\nl\is-AGJMF.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\no\is-AJQMV.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\is-QQTGA.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\mk\CustomRP.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\th\CustomRP.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\hr\is-EFPSN.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\tr\is-51KP4.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\is-OD2S7.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\System.Buffers.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\ml\is-NJ72O.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\bs\is-6KALE.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\is-2C6IM.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\ur\is-COL0K.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\fi\is-JNLAH.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\ro\CustomRP.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\ru\CustomRP.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\cy\is-39CN3.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\is-PN1CV.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\pt\CustomRP.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\cy\is-QS138.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\lt\is-7TEOR.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\fr\is-VSURF.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\is-CMKDC.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\sk\CustomRP.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\lv\CustomRP.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\Microsoft.AppCenter.Crashes.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\ka\CustomRP.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\ka\is-BTTKK.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\de\is-ONH2C.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\is-H1ITL.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\is-0375B.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\runtimes\win-x64\native\is-HGKHC.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\hy\is-9K8L2.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\tr\CustomRP.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\bs\CustomRP.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\gl\CustomRP.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\hu\is-T48C7.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\ro\is-SGDGS.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\az\CustomRP.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\is-JHC4U.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\zh-Hans\CustomRP.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\es\is-JBG7J.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\is\is-9VBA1.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\no\CustomRP.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\is-TI8RB.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\is-FEUPA.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\CommonMark.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\cs\CustomRP.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\HtmlRenderer.WinForms.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\bg\CustomRP.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\el\CustomRP.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\ur\CustomRP.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\it\CustomRP.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\kn\is-PHNVH.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\is-550CF.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\ku\is-0AQNH.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\is-QH208.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\lv\is-943IK.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\be\is-CQSTG.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\et\is-1TNPU.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\be\CustomRP.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\de-CH\is-3GQDR.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\ml\is-H8GME.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\my\CustomRP.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\is-FETK3.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\lt\is-558BR.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\de\is-Q34JK.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\my\is-DB878.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\runtimes\win-x64\native\e_sqlite3.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-5AHC5.tmp\_isetup\_setup64.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\mk\is-B6G5I.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\ko\CustomRP.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\bn\is-HPMA5.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\is-1NIJ8.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\is-1OIC0.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\de-CH\CustomRP.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\es\is-65RVL.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\de\CustomRP.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\uk\CustomRP.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\runtimes\win-arm\native\is-JNFCM.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\sr\CustomRP.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\lt\CustomRP.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\fil\is-PN2OA.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\ru\is-GL4HQ.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user~1\AppData\Local\Temp\is-QU0ES.tmp\ndp48-web.exe (copy)	Jump to dropped file

Found large amount of non-executed APIs

Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	API coverage: 2.5 %
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	API coverage: 6.7 %

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Users\user\Desktop\LisectAVT_2403002A_473.exe TID: 2692	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\LocalM_d_cKXRrV.exe TID: 2132	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\LocalylmNBbjoFA.exe TID: 5092	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local_wGRdnhmmy.exe TID: 7428	Thread sleep count: 1089 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local_wGRdnhmmy.exe TID: 7428	Thread sleep time: -1089000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local_wGRdnhmmy.exe TID: 7428	Thread sleep count: 3094 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local_wGRdnhmmy.exe TID: 7428	Thread sleep time: -3094000s >= -30000s	Jump to behavior
Source: C:\Users\user\server.exe TID: 7320	Thread sleep count: 272 > 30
Source: C:\Users\user\server.exe TID: 7320	Thread sleep time: -272000s >= -30000s
Source: C:\Users\user\server.exe TID: 7476	Thread sleep count: 186 > 30
Source: C:\Users\user\server.exe TID: 7476	Thread sleep time: -372000s >= -30000s
Source: C:\Users\user\server.exe TID: 7480	Thread sleep count: 3292 > 30
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe TID: 7652	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe TID: 7712	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe TID: 7804	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe TID: 6604	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe TID: 4944	Thread sleep time: -24903104499507879s >= -30000s
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe TID: 4944	Thread sleep time: -99828s >= -30000s
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe TID: 4944	Thread sleep time: -99717s >= -30000s
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe TID: 4944	Thread sleep time: -99608s >= -30000s
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe TID: 4944	Thread sleep time: -99499s >= -30000s
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe TID: 4944	Thread sleep time: -99334s >= -30000s
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe TID: 4944	Thread sleep time: -98891s >= -30000s
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe TID: 4944	Thread sleep time: -98750s >= -30000s
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe TID: 4944	Thread sleep time: -98640s >= -30000s
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe TID: 4944	Thread sleep time: -98515s >= -30000s
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe TID: 4944	Thread sleep time: -98390s >= -30000s
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe TID: 4944	Thread sleep time: -98278s >= -30000s
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe TID: 4944	Thread sleep time: -98171s >= -30000s
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe TID: 4944	Thread sleep time: -98062s >= -30000s
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe TID: 4944	Thread sleep time: -97953s >= -30000s
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe TID: 4944	Thread sleep time: -97830s >= -30000s
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe TID: 4944	Thread sleep time: -97719s >= -30000s
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe TID: 4944	Thread sleep time: -97594s >= -30000s
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe TID: 4944	Thread sleep time: -97484s >= -30000s
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe TID: 4944	Thread sleep time: -97375s >= -30000s
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe TID: 4944	Thread sleep time: -97262s >= -30000s
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe TID: 4944	Thread sleep time: -97150s >= -30000s
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe TID: 4944	Thread sleep time: -96578s >= -30000s
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe TID: 4944	Thread sleep time: -96407s >= -30000s
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe TID: 4944	Thread sleep time: -96277s >= -30000s
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe TID: 4944	Thread sleep time: -96170s >= -30000s
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe TID: 4944	Thread sleep time: -96058s >= -30000s
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe TID: 4944	Thread sleep time: -95952s >= -30000s
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe TID: 1568	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe TID: 8176	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe TID: 5880	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe TID: 7892	Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe TID: 7892	Thread sleep time: -95397s >= -30000s
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe TID: 7892	Thread sleep time: -95209s >= -30000s
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe TID: 7892	Thread sleep time: -94882s >= -30000s
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe TID: 7892	Thread sleep time: -94661s >= -30000s
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe TID: 7892	Thread sleep time: -94543s >= -30000s
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe TID: 7892	Thread sleep time: -94437s >= -30000s
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe TID: 7892	Thread sleep time: -94327s >= -30000s
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe TID: 7892	Thread sleep time: -94216s >= -30000s
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe TID: 7892	Thread sleep time: -94093s >= -30000s
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe TID: 7892	Thread sleep time: -93984s >= -30000s
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe TID: 7892	Thread sleep time: -93874s >= -30000s
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe TID: 7892	Thread sleep time: -93735s >= -30000s
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe TID: 7892	Thread sleep time: -93594s >= -30000s
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe TID: 7892	Thread sleep time: -93468s >= -30000s
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe TID: 7892	Thread sleep time: -93359s >= -30000s
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe TID: 7892	Thread sleep time: -93250s >= -30000s
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe TID: 7892	Thread sleep time: -93138s >= -30000s
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe TID: 7892	Thread sleep time: -93031s >= -30000s
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe TID: 7892	Thread sleep time: -92914s >= -30000s
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe TID: 7892	Thread sleep time: -92793s >= -30000s
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe TID: 7892	Thread sleep time: -92663s >= -30000s
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe TID: 7892	Thread sleep time: -92512s >= -30000s
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe TID: 7892	Thread sleep time: -92363s >= -30000s
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe TID: 7892	Thread sleep time: -92234s >= -30000s
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe TID: 7892	Thread sleep time: -92123s >= -30000s
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe TID: 7892	Thread sleep time: -92015s >= -30000s
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe TID: 7892	Thread sleep time: -91906s >= -30000s
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe TID: 7892	Thread sleep time: -91794s >= -30000s
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe TID: 7892	Thread sleep time: -91686s >= -30000s
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe TID: 7892	Thread sleep time: -91576s >= -30000s
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe TID: 7892	Thread sleep time: -91470s >= -30000s
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe TID: 7892	Thread sleep time: -91345s >= -30000s
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe TID: 7892	Thread sleep time: -91220s >= -30000s
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe TID: 7892	Thread sleep time: -91095s >= -30000s
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe TID: 7892	Thread sleep time: -90954s >= -30000s
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe TID: 7892	Thread sleep time: -90829s >= -30000s
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe TID: 7892	Thread sleep time: -90704s >= -30000s
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe TID: 7892	Thread sleep time: -90579s >= -30000s
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe TID: 7892	Thread sleep time: -90454s >= -30000s
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe TID: 7892	Thread sleep time: -90329s >= -30000s
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe TID: 7892	Thread sleep time: -90204s >= -30000s
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe TID: 7892	Thread sleep time: -90072s >= -30000s
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe TID: 7892	Thread sleep time: -89954s >= -30000s
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe TID: 7892	Thread sleep time: -89829s >= -30000s
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe TID: 7892	Thread sleep time: -89704s >= -30000s
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe TID: 7892	Thread sleep time: -89579s >= -30000s
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe TID: 7892	Thread sleep time: -89454s >= -30000s
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe TID: 7892	Thread sleep time: -89329s >= -30000s
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe TID: 7892	Thread sleep time: -89191s >= -30000s
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe TID: 7892	Thread sleep time: -89064s >= -30000s
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe TID: 7892	Thread sleep time: -88932s >= -30000s
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe TID: 7892	Thread sleep time: -88821s >= -30000s
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe TID: 7892	Thread sleep time: -88696s >= -30000s
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe TID: 7892	Thread sleep time: -88592s >= -30000s
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe TID: 7892	Thread sleep time: -88484s >= -30000s
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe TID: 7892	Thread sleep time: -88373s >= -30000s
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe TID: 7892	Thread sleep time: -88262s >= -30000s
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe TID: 7892	Thread sleep time: -88156s >= -30000s
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe TID: 7892	Thread sleep time: -88048s >= -30000s
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe TID: 7892	Thread sleep time: -87923s >= -30000s
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe TID: 7892	Thread sleep time: -87798s >= -30000s
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe TID: 7892	Thread sleep time: -87673s >= -30000s
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe TID: 7892	Thread sleep time: -87548s >= -30000s
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe TID: 7892	Thread sleep time: -87423s >= -30000s
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe TID: 7892	Thread sleep time: -87298s >= -30000s
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe TID: 7892	Thread sleep time: -87173s >= -30000s
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe TID: 7892	Thread sleep time: -87033s >= -30000s
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe TID: 7892	Thread sleep time: -86908s >= -30000s
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe TID: 7892	Thread sleep time: -86783s >= -30000s
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe TID: 7892	Thread sleep time: -86658s >= -30000s
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe TID: 760	Thread sleep time: -922337203685477s >= -30000s

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Source: C:\Users\user\AppData\Local_wGRdnhmmy.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\AppData\Local_wGRdnhmmy.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	File Volume queried: C:\ FullSizeInformation

Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe

Code function: 26_2_6A891730 sqlite3_os_init,sqlite3_thread_cleanup,GetSystemInfo,sqlite3_vfs_register,sqlite3_vfs_register,sqlite3_vfs_register,sqlite3_vfs_register,sqlite3_thread_cleanup,

26_2_6A891730

Source: C:\Users\user\Desktop\LisectAVT_2403002A_473.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\LocalM_d_cKXRrV.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\LocalylmNBbjoFA.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Thread delayed: delay time: 99828
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Thread delayed: delay time: 99717
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Thread delayed: delay time: 99608
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Thread delayed: delay time: 99499
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Thread delayed: delay time: 99334
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Thread delayed: delay time: 98891
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Thread delayed: delay time: 98750
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Thread delayed: delay time: 98640
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Thread delayed: delay time: 98515
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Thread delayed: delay time: 98390
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Thread delayed: delay time: 98278
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Thread delayed: delay time: 98171
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Thread delayed: delay time: 98062
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Thread delayed: delay time: 97953
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Thread delayed: delay time: 97830
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Thread delayed: delay time: 97719
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Thread delayed: delay time: 97594
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Thread delayed: delay time: 97484
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Thread delayed: delay time: 97375
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Thread delayed: delay time: 97262
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Thread delayed: delay time: 97150
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Thread delayed: delay time: 96578
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Thread delayed: delay time: 96407
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Thread delayed: delay time: 96277
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Thread delayed: delay time: 96170
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Thread delayed: delay time: 96058
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Thread delayed: delay time: 95952
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Thread delayed: delay time: 95397
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Thread delayed: delay time: 95209
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Thread delayed: delay time: 94882
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Thread delayed: delay time: 94661
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Thread delayed: delay time: 94543
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Thread delayed: delay time: 94437
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Thread delayed: delay time: 94327
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Thread delayed: delay time: 94216
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Thread delayed: delay time: 94093
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Thread delayed: delay time: 93984
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Thread delayed: delay time: 93874
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Thread delayed: delay time: 93735
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Thread delayed: delay time: 93594
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Thread delayed: delay time: 93468
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Thread delayed: delay time: 93359
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Thread delayed: delay time: 93250
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Thread delayed: delay time: 93138
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Thread delayed: delay time: 93031
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Thread delayed: delay time: 92914
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Thread delayed: delay time: 92793
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Thread delayed: delay time: 92663
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Thread delayed: delay time: 92512
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Thread delayed: delay time: 92363
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Thread delayed: delay time: 92234
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Thread delayed: delay time: 92123
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Thread delayed: delay time: 92015
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Thread delayed: delay time: 91906
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Thread delayed: delay time: 91794
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Thread delayed: delay time: 91686
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Thread delayed: delay time: 91576
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Thread delayed: delay time: 91470
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Thread delayed: delay time: 91345
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Thread delayed: delay time: 91220
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Thread delayed: delay time: 91095
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Thread delayed: delay time: 90954
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Thread delayed: delay time: 90829
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Thread delayed: delay time: 90704
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Thread delayed: delay time: 90579
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Thread delayed: delay time: 90454
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Thread delayed: delay time: 90329
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Thread delayed: delay time: 90204
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Thread delayed: delay time: 90072
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Thread delayed: delay time: 89954
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Thread delayed: delay time: 89829
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Thread delayed: delay time: 89704
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Thread delayed: delay time: 89579
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Thread delayed: delay time: 89454
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Thread delayed: delay time: 89329
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Thread delayed: delay time: 89191
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Thread delayed: delay time: 89064
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Thread delayed: delay time: 88932
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Thread delayed: delay time: 88821
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Thread delayed: delay time: 88696
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Thread delayed: delay time: 88592
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Thread delayed: delay time: 88484
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Thread delayed: delay time: 88373
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Thread delayed: delay time: 88262
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Thread delayed: delay time: 88156
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Thread delayed: delay time: 88048
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Thread delayed: delay time: 87923
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Thread delayed: delay time: 87798
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Thread delayed: delay time: 87673
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Thread delayed: delay time: 87548
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Thread delayed: delay time: 87423
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Thread delayed: delay time: 87298
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Thread delayed: delay time: 87173
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Thread delayed: delay time: 87033
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Thread delayed: delay time: 86908
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Thread delayed: delay time: 86783
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Thread delayed: delay time: 86658
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Thread delayed: delay time: 922337203685477

Source: Local_wGRdnhmmy.exe, 00000008.00000002.3785650029.000000001B4B0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: -b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: LocalM_d_cKXRrV.exe, 00000003.00000002.1334949588.0000000000CAB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\y
Source: LisectAVT_2403002A_473.exe	Binary or memory string: vmware
Source: CustomRP.1.17.26.tmp, 00000027.00000003.2207639440.00000000009E3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\
Source: server.exe, 00000010.00000002.3763187381.0000000000F24000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Local_wGRdnhmmy.exe, 00000008.00000002.3785650029.000000001B4B0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllonfi
Source: server.exe, 00000010.00000002.3763187381.0000000000F24000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllrkflowservices, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL"/>
Source: explorer.exe, 0000001F.00000003.2385814386.0000000000B0F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}V
Source: LocalM_d_cKXRrV.exe, 00000003.00000002.1334949588.0000000000CAB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}>B
Source: CustomRP.exe, 0000001A.00000002.1950110963.0000000001185000.00000004.00000020.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3759680781.00000000014B6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: explorer.exe, 0000001F.00000003.2385814386.0000000000B0F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\8b}\
Source: netsh.exe, 00000013.00000003.1401962998.0000000000A52000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlld

Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Source: C:\Users\user\AppData\Local_wGRdnhmmy.exe

Code function: 8_2_00007FFAA9E67180 CheckRemoteDebuggerPresent,

8_2_00007FFAA9E67180

Checks if the current process is being debugged

Source: C:\Users\user\AppData\Local_wGRdnhmmy.exe

Process queried: DebugPort

Jump to behavior

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe

Code function: 26_2_6A8B0C8A IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

26_2_6A8B0C8A

Enables debug privileges

Source: C:\Users\user\AppData\Local_wGRdnhmmy.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\server.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Process token adjusted: Debug

Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 26_2_6A8B0C8A IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	26_2_6A8B0C8A
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 26_2_6A8AA228 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	26_2_6A8AA228
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 26_2_6A8AB3A0 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	26_2_6A8AB3A0
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 42_2_6A570C8A IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	42_2_6A570C8A
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 42_2_6A56A228 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	42_2_6A56A228
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 42_2_6A56B3A0 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	42_2_6A56B3A0

Source: C:\Users\user\Desktop\LisectAVT_2403002A_473.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

.NET source code references suspicious native API functions

Source: LocalM_d_cKXRrV.exe.0.dr, kl.cs	Reference to suspicious API methods: MapVirtualKey(a, 0u)
Source: LocalM_d_cKXRrV.exe.0.dr, kl.cs	Reference to suspicious API methods: GetAsyncKeyState(num2)
Source: LocalM_d_cKXRrV.exe.0.dr, OK.cs	Reference to suspicious API methods: capGetDriverDescriptionA(wDriver, ref lpszName, 100, ref lpszVer, 100)

Injects code into the Windows Explorer (explorer.exe)

Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Memory written: PID: 3088 base: 190000 value: 00
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Memory written: PID: 3088 base: 2042D8 value: 00
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Memory written: PID: 3088 base: 2051E8 value: 00

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\Desktop\LisectAVT_2403002A_473.exe	Process created: C:\Users\user\AppData\LocalM_d_cKXRrV.exe "C:\Users\user\AppData\LocalM_d_cKXRrV.exe"	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_473.exe	Process created: C:\Users\user\AppData\LocalylmNBbjoFA.exe "C:\Users\user\AppData\LocalylmNBbjoFA.exe"	Jump to behavior
Source: C:\Users\user\AppData\LocalM_d_cKXRrV.exe	Process created: C:\Users\user\server.exe "C:\Users\user\server.exe"	Jump to behavior
Source: C:\Users\user\AppData\LocalylmNBbjoFA.exe	Process created: C:\Users\user\AppData\Local_wGRdnhmmy.exe "C:\Users\user\AppData\Local_wGRdnhmmy.exe"	Jump to behavior
Source: C:\Users\user\AppData\LocalylmNBbjoFA.exe	Process created: C:\Users\user\AppData\LocalwCRkvqzBqW.exe "C:\Users\user\AppData\LocalwCRkvqzBqW.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local_wGRdnhmmy.exe	Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Local_wGRdnhmmy" /tr "C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process created: C:\Windows\SysWOW64\explorer.exe "C:\Windows\System32\explorer.exe" https://docs.customrp.xyz/setting-up
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process created: C:\Users\user\AppData\Local\Temp\CustomRP.1.17.26.exe "C:\Users\user\AppData\Local\Temp\CustomRP.1.17.26.exe"

Source: server.exe, 00000010.00000002.3774758497.0000000003407000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000010.00000002.3774758497.000000000304B000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000010.00000002.3774758497.0000000002F17000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: server.exe, 00000010.00000002.3774758497.0000000003407000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000010.00000002.3774758497.000000000304B000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000010.00000002.3774758497.0000000002F17000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager@9

Contains functionality to query CPU information (cpuid)

Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe

Code function: 26_2_6A8AAAA1 cpuid

26_2_6A8AAAA1

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\AppData\Local_wGRdnhmmy.exe	Queries volume information: C:\Users\user\AppData\Local_wGRdnhmmy.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Queries volume information: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Queries volume information: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Queries volume information: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Queries volume information: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Queries volume information: C:\Users\user\AppData\Roaming\CustomRP\Microsoft.AppCenter.Crashes.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Queries volume information: C:\Users\user\AppData\Roaming\CustomRP\Microsoft.AppCenter.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Queries volume information: C:\Users\user\AppData\Roaming\CustomRP\Microsoft.AppCenter.Analytics.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Queries volume information: C:\Users\user\AppData\Roaming\CustomRP\Newtonsoft.Json.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Queries volume information: C:\Users\user\AppData\Roaming\CustomRP\SQLitePCLRaw.batteries_v2.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Queries volume information: C:\Users\user\AppData\Roaming\CustomRP\SQLitePCLRaw.core.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Queries volume information: C:\Users\user\AppData\Roaming\CustomRP\SQLitePCLRaw.provider.dynamic_cdecl.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\netstandard\v4.0_2.0.0.0__cc7b13ffcd2ddd51\netstandard.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Queries volume information: C:\Users\user\AppData\Roaming\CustomRP\System.Memory.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.InteropServices.RuntimeInformation\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Runtime.InteropServices.RuntimeInformation.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ValueTuple\v4.0_4.0.0.0__cc7b13ffcd2ddd51\System.ValueTuple.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Queries volume information: C:\Users\user\AppData\Roaming\CustomRP\System.Runtime.CompilerServices.Unsafe.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Queries volume information: C:\Users\user\AppData\Roaming\CustomRP\DiscordRPC.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Queries volume information: C:\Users\user\AppData\Roaming\CustomRP\Octokit.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Deployment\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Deployment.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Queries volume information: C:\Users\user\AppData\Roaming\CustomRP\CommonMark.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Queries volume information: C:\Users\user\AppData\Roaming\CustomRP\HtmlRenderer.WinForms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Queries volume information: C:\Users\user\AppData\Roaming\CustomRP\HtmlRenderer.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Queries volume information: C:\Windows\Fonts\segoeuib.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Queries volume information: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Queries volume information: C:\Users\user\AppData\Roaming\CustomRP\Microsoft.AppCenter.Crashes.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Queries volume information: C:\Users\user\AppData\Roaming\CustomRP\Microsoft.AppCenter.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Queries volume information: C:\Users\user\AppData\Roaming\CustomRP\Microsoft.AppCenter.Analytics.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Queries volume information: C:\Users\user\AppData\Roaming\CustomRP\CommonMark.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Queries volume information: C:\Users\user\AppData\Roaming\CustomRP\System.Threading.Tasks.Extensions.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Queries volume information: C:\Users\user\AppData\Roaming\CustomRP\Microsoft.AppCenter.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Queries volume information: C:\Users\user\AppData\Roaming\CustomRP\Octokit.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Queries volume information: C:\Users\user\AppData\Roaming\CustomRP\uk\CustomRP.resources.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Queries volume information: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Queries volume information: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Queries volume information: C:\Users\user\AppData\Roaming\CustomRP\Microsoft.AppCenter.Crashes.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Queries volume information: C:\Users\user\AppData\Roaming\CustomRP\Microsoft.AppCenter.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Queries volume information: C:\Users\user\AppData\Roaming\CustomRP\Microsoft.AppCenter.Analytics.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Queries volume information: C:\Users\user\AppData\Roaming\CustomRP\Newtonsoft.Json.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Queries volume information: C:\Users\user\AppData\Roaming\CustomRP\SQLitePCLRaw.batteries_v2.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Queries volume information: C:\Users\user\AppData\Roaming\CustomRP\SQLitePCLRaw.core.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Queries volume information: C:\Users\user\AppData\Roaming\CustomRP\SQLitePCLRaw.provider.dynamic_cdecl.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\netstandard\v4.0_2.0.0.0__cc7b13ffcd2ddd51\netstandard.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Queries volume information: C:\Users\user\AppData\Roaming\CustomRP\System.Memory.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.InteropServices.RuntimeInformation\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Runtime.InteropServices.RuntimeInformation.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ValueTuple\v4.0_4.0.0.0__cc7b13ffcd2ddd51\System.ValueTuple.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Queries volume information: C:\Users\user\AppData\Roaming\CustomRP\System.Runtime.CompilerServices.Unsafe.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Queries volume information: C:\Users\user\AppData\Roaming\CustomRP\DiscordRPC.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Queries volume information: C:\Users\user\AppData\Roaming\CustomRP\Octokit.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Deployment\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Deployment.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Queries volume information: C:\Users\user\AppData\Roaming\CustomRP\CommonMark.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Queries volume information: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe VolumeInformation

Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe

Code function: 26_2_6A8AAFE3 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

26_2_6A8AAFE3

Source: C:\Users\user\AppData\Local_wGRdnhmmy.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Modifies the windows firewall

Source: C:\Users\user\server.exe

Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram "C:\Users\user\server.exe" "server.exe" ENABLE

Uses netsh to modify the Windows network and firewall settings

Source: C:\Users\user\server.exe

Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram "C:\Users\user\server.exe" "server.exe" ENABLE

Stealing of Sensitive Information

Yara detected Njrat

Source: Yara match	File source: LisectAVT_2403002A_473.exe, type: SAMPLE
Source: Yara match	File source: 0.2.LisectAVT_2403002A_473.exe.2e3c5c0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.LisectAVT_2403002A_473.exe.84b214.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.LisectAVT_2403002A_473.exe.2e3c5c0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.LisectAVT_2403002A_473.exe.84b214.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.LocalM_d_cKXRrV.exe.5c0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.LisectAVT_2403002A_473.exe.1f0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1280963638.0000000002E01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.1256648440.000000000084B000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.3774758497.0000000002EA1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.1264112585.00000000005C2000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: LisectAVT_2403002A_473.exe PID: 5604, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: LocalM_d_cKXRrV.exe PID: 4932, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: server.exe PID: 7316, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\LocalM_d_cKXRrV.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\server.exe, type: DROPPED

Yara detected XWorm

Source: Yara match	File source: LisectAVT_2403002A_473.exe, type: SAMPLE
Source: Yara match	File source: 8.0.Local_wGRdnhmmy.exe.3c0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.LisectAVT_2403002A_473.exe.8353e7.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.LocalylmNBbjoFA.exe.2f1c470.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.LocalylmNBbjoFA.exe.8441d8.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.LisectAVT_2403002A_473.exe.8353e7.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.LocalylmNBbjoFA.exe.8441d8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.LisectAVT_2403002A_473.exe.1344c248.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.LisectAVT_2403002A_473.exe.1344c248.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.LocalylmNBbjoFA.exe.2f1c470.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.LisectAVT_2403002A_473.exe.1f0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.LocalylmNBbjoFA.exe.200000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.LisectAVT_2403002A_473.exe.1f220f.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000000.1281627960.00000000003C2000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1293177261.0000000002EE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.3771976186.00000000025E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.1266635863.0000000000215000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1281399824.0000000012E1D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.1256648440.0000000000206000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: LocalylmNBbjoFA.exe PID: 6520, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Local_wGRdnhmmy.exe PID: 7132, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local_wGRdnhmmy.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\LocalylmNBbjoFA.exe, type: DROPPED

Remote Access Functionality

Yara detected Njrat

Source: Yara match	File source: LisectAVT_2403002A_473.exe, type: SAMPLE
Source: Yara match	File source: 0.2.LisectAVT_2403002A_473.exe.2e3c5c0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.LisectAVT_2403002A_473.exe.84b214.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.LisectAVT_2403002A_473.exe.2e3c5c0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.LisectAVT_2403002A_473.exe.84b214.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.LocalM_d_cKXRrV.exe.5c0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.LisectAVT_2403002A_473.exe.1f0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1280963638.0000000002E01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.1256648440.000000000084B000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.3774758497.0000000002EA1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.1264112585.00000000005C2000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: LisectAVT_2403002A_473.exe PID: 5604, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: LocalM_d_cKXRrV.exe PID: 4932, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: server.exe PID: 7316, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\LocalM_d_cKXRrV.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\server.exe, type: DROPPED

Yara detected XWorm

Source: Yara match	File source: LisectAVT_2403002A_473.exe, type: SAMPLE
Source: Yara match	File source: 8.0.Local_wGRdnhmmy.exe.3c0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.LisectAVT_2403002A_473.exe.8353e7.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.LocalylmNBbjoFA.exe.2f1c470.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.LocalylmNBbjoFA.exe.8441d8.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.LisectAVT_2403002A_473.exe.8353e7.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.LocalylmNBbjoFA.exe.8441d8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.LisectAVT_2403002A_473.exe.1344c248.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.LisectAVT_2403002A_473.exe.1344c248.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.LocalylmNBbjoFA.exe.2f1c470.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.LisectAVT_2403002A_473.exe.1f0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.LocalylmNBbjoFA.exe.200000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.LisectAVT_2403002A_473.exe.1f220f.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000000.1281627960.00000000003C2000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1293177261.0000000002EE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.3771976186.00000000025E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.1266635863.0000000000215000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1281399824.0000000012E1D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.1256648440.0000000000206000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: LocalylmNBbjoFA.exe PID: 6520, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Local_wGRdnhmmy.exe PID: 7132, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local_wGRdnhmmy.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\LocalylmNBbjoFA.exe, type: DROPPED

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 26_2_6A7FDA30 sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_step,sqlite3_thread_cleanup,sqlite3_value_blob,sqlite3_thread_cleanup,sqlite3_thread_cleanup,sqlite3_thread_cleanup,sqlite3_thread_cleanup,sqlite3_thread_cleanup,sqlite3_thread_cleanup,sqlite3_thread_cleanup,sqlite3_initialize,sqlite3_thread_cleanup,sqlite3_thread_cleanup,sqlite3_thread_cleanup,sqlite3_thread_cleanup,sqlite3_thread_cleanup,sqlite3_thread_cleanup,sqlite3_thread_cleanup,sqlite3_thread_cleanup,sqlite3_thread_cleanup,sqlite3_thread_cleanup,sqlite3_thread_cleanup,sqlite3_thread_cleanup,sqlite3_thread_cleanup,sqlite3_thread_cleanup,sqlite3_thread_cleanup,sqlite3_thread_cleanup,sqlite3_initialize,sqlite3_free,sqlite3_thread_cleanup,sqlite3_thread_cleanup,sqlite3_thread_cleanup,sqlite3_thread_cleanup,sqlite3_bind_int64,sqlite3_thread_cleanup,sqlite3_step,sqlite3_reset,sqlite3_thread_cleanup,sqlite3_thread_cleanup,sqlite3_thread_cleanup,sqlite3_thread_cleanup,sqlite3_thread_cleanup,sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_step,sqlite3_thread_cleanup,sqlite3_thread_cleanup,sqlite3_bind_int64,sqlite3_log,sqlite3_log,sqlite3_thread_cleanup,sqlite3_thread_cleanup,sqlite3_log,sqlite3_log,sqlite3_thread_cleanup,sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_bind_null,sqlite3_thread_cleanup,sqlite3_thread_cleanup,sqlite3_thread_cleanup,sqlite3_thread_cleanup,sqlite3_thread_cleanup,sqlite3_thread_cleanup,sqlite3_thread_cleanup,sqlite3_thread_cleanup,	26_2_6A7FDA30
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 26_2_6A859A00 sqlite3_value_int64,sqlite3_bind_value,sqlite3_step,sqlite3_thread_cleanup,sqlite3_thread_cleanup,	26_2_6A859A00
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 26_2_6A7FCAE0 sqlite3_mprintf,sqlite3_mprintf,sqlite3_mprintf,sqlite3_free,sqlite3_bind_value,	26_2_6A7FCAE0
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 26_2_6A7FBAD0 sqlite3_bind_int64,sqlite3_step,sqlite3_thread_cleanup,sqlite3_thread_cleanup,sqlite3_thread_cleanup,sqlite3_thread_cleanup,	26_2_6A7FBAD0
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 26_2_6A801A30 sqlite3_mprintf,sqlite3_free,sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,	26_2_6A801A30
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 26_2_6A7BAA90 sqlite3_value_int64,sqlite3_value_int64,sqlite3_value_int,sqlite3_initialize,sqlite3_free,sqlite3_blob_close,sqlite3_mprintf,sqlite3_mprintf,sqlite3_free,sqlite3_bind_value,sqlite3_reset,sqlite3_step,sqlite3_reset,sqlite3_column_int64,	26_2_6A7BAA90
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 26_2_6A824B80 sqlite3_bind_int64,sqlite3_thread_cleanup,sqlite3_thread_cleanup,sqlite3_step,sqlite3_reset,sqlite3_thread_cleanup,	26_2_6A824B80
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 26_2_6A859BA0 sqlite3_bind_int64,sqlite3_step,sqlite3_thread_cleanup,sqlite3_thread_cleanup,sqlite3_bind_int64,sqlite3_step,sqlite3_thread_cleanup,sqlite3_thread_cleanup,	26_2_6A859BA0
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 26_2_6A832B40 sqlite3_bind_int64,sqlite3_step,sqlite3_column_int64,sqlite3_reset,sqlite3_reset,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_thread_cleanup,sqlite3_thread_cleanup,sqlite3_thread_cleanup,sqlite3_thread_cleanup,sqlite3_free,sqlite3_free,sqlite3_thread_cleanup,sqlite3_thread_cleanup,sqlite3_thread_cleanup,sqlite3_thread_cleanup,sqlite3_thread_cleanup,sqlite3_thread_cleanup,sqlite3_thread_cleanup,sqlite3_thread_cleanup,sqlite3_thread_cleanup,	26_2_6A832B40
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 26_2_6A7F8870 sqlite3_bind_int64,sqlite3_step,sqlite3_initialize,sqlite3_thread_cleanup,sqlite3_thread_cleanup,sqlite3_thread_cleanup,sqlite3_thread_cleanup,sqlite3_thread_cleanup,sqlite3_thread_cleanup,sqlite3_thread_cleanup,sqlite3_thread_cleanup,sqlite3_step,sqlite3_thread_cleanup,sqlite3_thread_cleanup,sqlite3_thread_cleanup,sqlite3_thread_cleanup,sqlite3_thread_cleanup,sqlite3_thread_cleanup,sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_step,sqlite3_thread_cleanup,sqlite3_thread_cleanup,sqlite3_free,	26_2_6A7F8870
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 26_2_6A7EB880 sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_result_error_code,	26_2_6A7EB880
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 26_2_6A7F0910 sqlite3_initialize,sqlite3_bind_int64,sqlite3_step,sqlite3_thread_cleanup,sqlite3_thread_cleanup,sqlite3_thread_cleanup,sqlite3_value_blob,sqlite3_thread_cleanup,sqlite3_thread_cleanup,sqlite3_thread_cleanup,sqlite3_thread_cleanup,sqlite3_thread_cleanup,sqlite3_thread_cleanup,sqlite3_thread_cleanup,sqlite3_thread_cleanup,sqlite3_thread_cleanup,	26_2_6A7F0910
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 26_2_6A7CA9E0 sqlite3_transfer_bindings,	26_2_6A7CA9E0
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 26_2_6A816970 sqlite3_mprintf,sqlite3_free,sqlite3_bind_int64,sqlite3_thread_cleanup,sqlite3_step,sqlite3_reset,sqlite3_thread_cleanup,	26_2_6A816970
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 26_2_6A7C8E60 sqlite3_bind_blob,sqlite3_thread_cleanup,sqlite3_thread_cleanup,	26_2_6A7C8E60
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 26_2_6A859EA0 sqlite3_bind_int64,sqlite3_step,sqlite3_thread_cleanup,sqlite3_value_blob,sqlite3_thread_cleanup,sqlite3_thread_cleanup,sqlite3_thread_cleanup,sqlite3_thread_cleanup,sqlite3_thread_cleanup,	26_2_6A859EA0
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 26_2_6A7CAE30 sqlite3_value_frombind,	26_2_6A7CAE30
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 26_2_6A7F2E20 sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_step,sqlite3_thread_cleanup,sqlite3_thread_cleanup,sqlite3_thread_cleanup,sqlite3_thread_cleanup,sqlite3_step,sqlite3_thread_cleanup,sqlite3_thread_cleanup,sqlite3_thread_cleanup,sqlite3_thread_cleanup,	26_2_6A7F2E20
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 26_2_6A812EF0 sqlite3_bind_int64,sqlite3_log,sqlite3_log,sqlite3_thread_cleanup,sqlite3_thread_cleanup,sqlite3_log,sqlite3_log,sqlite3_thread_cleanup,sqlite3_step,sqlite3_thread_cleanup,sqlite3_thread_cleanup,sqlite3_log,sqlite3_log,sqlite3_thread_cleanup,sqlite3_thread_cleanup,sqlite3_log,sqlite3_log,sqlite3_thread_cleanup,	26_2_6A812EF0
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 26_2_6A852E40 sqlite3_bind_int64,sqlite3_step,sqlite3_thread_cleanup,sqlite3_thread_cleanup,sqlite3_thread_cleanup,sqlite3_thread_cleanup,	26_2_6A852E40
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 26_2_6A816F80 sqlite3_mprintf,sqlite3_free,sqlite3_free,sqlite3_bind_int64,	26_2_6A816F80
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 26_2_6A7EBF50 sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_step,sqlite3_thread_cleanup,sqlite3_thread_cleanup,	26_2_6A7EBF50
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 26_2_6A7F0F50 sqlite3_bind_int64,sqlite3_step,sqlite3_thread_cleanup,sqlite3_value_blob,sqlite3_thread_cleanup,sqlite3_thread_cleanup,sqlite3_thread_cleanup,sqlite3_thread_cleanup,sqlite3_thread_cleanup,	26_2_6A7F0F50
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 26_2_6A7C8F10 sqlite3_bind_blob64,sqlite3_thread_cleanup,sqlite3_thread_cleanup,	26_2_6A7C8F10
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 26_2_6A7C8FC0 sqlite3_bind_double,sqlite3_thread_cleanup,	26_2_6A7C8FC0
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 26_2_6A801F60 sqlite3_mprintf,sqlite3_free,sqlite3_bind_int64,sqlite3_thread_cleanup,sqlite3_step,sqlite3_reset,sqlite3_thread_cleanup,	26_2_6A801F60
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 26_2_6A814F60 sqlite3_free,sqlite3_mprintf,sqlite3_free,sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_mprintf,sqlite3_free,sqlite3_bind_int64,sqlite3_thread_cleanup,sqlite3_step,sqlite3_reset,sqlite3_thread_cleanup,sqlite3_free,sqlite3_free,sqlite3_free,	26_2_6A814F60
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 26_2_6A853CB0 sqlite3_bind_int64,sqlite3_step,sqlite3_thread_cleanup,sqlite3_thread_cleanup,sqlite3_thread_cleanup,sqlite3_thread_cleanup,	26_2_6A853CB0
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 26_2_6A816CF0 sqlite3_thread_cleanup,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_thread_cleanup,	26_2_6A816CF0
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 26_2_6A7EBD10 sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_step,sqlite3_thread_cleanup,sqlite3_thread_cleanup,	26_2_6A7EBD10
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 26_2_6A831D60 sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,	26_2_6A831D60
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 26_2_6A7C9230 sqlite3_bind_text16,sqlite3_thread_cleanup,sqlite3_thread_cleanup,	26_2_6A7C9230
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 26_2_6A7F1230 sqlite3_bind_int64,sqlite3_log,sqlite3_log,sqlite3_thread_cleanup,sqlite3_thread_cleanup,sqlite3_log,sqlite3_log,sqlite3_thread_cleanup,sqlite3_step,sqlite3_thread_cleanup,sqlite3_thread_cleanup,sqlite3_log,sqlite3_log,sqlite3_thread_cleanup,sqlite3_thread_cleanup,sqlite3_log,sqlite3_log,sqlite3_thread_cleanup,	26_2_6A7F1230
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 26_2_6A7BD200 sqlite3_result_int64,sqlite3_result_double,sqlite3_result_int,sqlite3_prepare_v3,sqlite3_bind_int64,sqlite3_step,sqlite3_column_value,sqlite3_result_value,sqlite3_reset,	26_2_6A7BD200
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 26_2_6A7F52C0 sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_step,sqlite3_thread_cleanup,sqlite3_thread_cleanup,sqlite3_thread_cleanup,sqlite3_thread_cleanup,sqlite3_mprintf,sqlite3_free,sqlite3_step,sqlite3_thread_cleanup,sqlite3_thread_cleanup,sqlite3_thread_cleanup,sqlite3_thread_cleanup,sqlite3_thread_cleanup,sqlite3_thread_cleanup,sqlite3_thread_cleanup,sqlite3_thread_cleanup,sqlite3_log,sqlite3_log,sqlite3_thread_cleanup,sqlite3_thread_cleanup,sqlite3_thread_cleanup,sqlite3_thread_cleanup,sqlite3_thread_cleanup,	26_2_6A7F52C0
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 26_2_6A82D260 sqlite3_free,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,	26_2_6A82D260
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 26_2_6A7C9360 sqlite3_bind_value,sqlite3_bind_int64,sqlite3_bind_double,sqlite3_bind_zeroblob,sqlite3_bind_blob,sqlite3_thread_cleanup,	26_2_6A7C9360
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 26_2_6A7C9310 sqlite3_bind_text64,	26_2_6A7C9310
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 26_2_6A7FF390 sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_mprintf,sqlite3_free,sqlite3_bind_text,sqlite3_thread_cleanup,sqlite3_step,sqlite3_reset,sqlite3_thread_cleanup,	26_2_6A7FF390

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
104.18.41.89	api.gitbook.com	United States	13335	CLOUDFLARENETUS	false
140.82.121.4	github.com	United States	36459	GITHUBUS	false
140.82.121.5	api.github.com	United States	36459	GITHUBUS	false
185.199.111.133	objects.githubusercontent.com	Netherlands	54113	FASTLYUS	false
208.95.112.1	ip-api.com	United States	53334	TUT-ASUS	true
172.64.146.167	app.gitbook.com	United States	13335	CLOUDFLARENETUS	false
239.255.255.250	unknown	Reserved	unknown	unknown	false
142.250.181.228	www.google.com	United States	15169	GOOGLEUS	false
172.64.147.209	3448418481-files.gitbook.io	United States	13335	CLOUDFLARENETUS	false

Private

IP
192.168.2.7

Contacted Domains

Name	IP	Active
3448418481-files.gitbook.io	172.64.147.209	true
github.com	140.82.121.4	true
api.github.com	140.82.121.5	true
d2bc804067-hosting.gitbook.io	172.64.147.209	true
ip-api.com	208.95.112.1	true
www.google.com	142.250.181.228	true
app.gitbook.com	172.64.146.167	true
objects.githubusercontent.com	185.199.111.133	true
api.gitbook.com	104.18.41.89	true
in.appcenter.ms	unknown	unknown
docs.customrp.xyz	unknown	unknown
h2cker.ddns.net	unknown	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://api.github.com/repositories/158286982/releases?page=2	false
https://api.github.com/repositories/158286982/releases?page=3	false
https://api.github.com/repositories/158286982/releases?page=4	false
https://docs.customrp.xyz/_next/static/chunks/9297-f3eccea4ea14abf3.js	false
https://api.github.com/repos/maximmax42/Discord-CustomRP/releases	false
https://docs.customrp.xyz/_next/static/chunks/app/(space)/(content)/%5B%5B...pathname%5D%5D/page-ec571d2756d4b9b5.js	false
https://3448418481-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/collections%2Fb7ivX6BQQxRccY1orTyN%2Ficon%2FnkaA7BNDEwNuDrY1Bu5Z%2Flogo.png?alt=media&token=8a0a99e6-b7f7-4e7b-9a7d-ec4200fc5dbe	false
https://docs.customrp.xyz/_next/static/chunks/1dd3208c-be983e9332503385.js	false
https://docs.customrp.xyz/_next/static/chunks/app/global-error-fb32fca0ade143dc.js	false
https://docs.customrp.xyz/_next/static/chunks/132-510ddc716fcc679e.js	false
https://docs.customrp.xyz/_next/static/css/9788c0e64943a60e.css	false
https://docs.customrp.xyz/~gitbook/image?url=https%3A%2F%2Fuser-images.githubusercontent.com%2F2225711%2F161050202-c796103d-6712-401e-be96-3f3712512375.png&width=768&dpr=4&quality=100&sign=1d31e0c1&sv=1	false
https://docs.customrp.xyz/setting-up	false
https://app.gitbook.com/__session?proposed=c7fb3030-4991-43e6-a825-1b67f742be0cR	false
https://docs.customrp.xyz/_next/static/media/c9a5bc6a7c948fb0-s.woff2	false
https://docs.customrp.xyz/_next/static/chunks/5810-30abd17002efe9e2.js	false

AV Detection

Antivirus / Scanner detection for submitted sample

Source: LisectAVT_2403002A_473.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Users\user\AppData\LocalM_d_cKXRrV.exe	Avira: detection malicious, Label: TR/ATRAPS.Gen
Source: C:\Users\user\AppData\LocalylmNBbjoFA.exe	Avira: detection malicious, Label: BDS/Bladabindi.ajoqj
Source: C:\Users\user\AppData\Local_wGRdnhmmy.exe	Avira: detection malicious, Label: HEUR/AGEN.1305769

Found malware configuration

Source: 00000000.00000002.1280963638.0000000002E01000.00000004.00000800.00020000.00000000.sdmp	Malware Configuration Extractor: Njrat {"Host": "server.exe", "Port": "h2cker.ddns.net", "Version": "im523", "Campaign ID": "HacKed", "Install Name": "UserProfile", "Install Dir": "xdefg"}
Source: 00000004.00000002.1293177261.0000000002EE1000.00000004.00000800.00020000.00000000.sdmp	Malware Configuration Extractor: Xworm {"C2 url": ["h2cker.ddns.net"], "Port": "0194", "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V3.1"}

Yara detected Njrat

Source: Yara match	File source: LisectAVT_2403002A_473.exe, type: SAMPLE
Source: Yara match	File source: 0.2.LisectAVT_2403002A_473.exe.2e3c5c0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.LisectAVT_2403002A_473.exe.84b214.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.LisectAVT_2403002A_473.exe.2e3c5c0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.LisectAVT_2403002A_473.exe.84b214.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.LocalM_d_cKXRrV.exe.5c0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.LisectAVT_2403002A_473.exe.1f0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1280963638.0000000002E01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.1256648440.000000000084B000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.3774758497.0000000002EA1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.1264112585.00000000005C2000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: LisectAVT_2403002A_473.exe PID: 5604, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: LocalM_d_cKXRrV.exe PID: 4932, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: server.exe PID: 7316, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\LocalM_d_cKXRrV.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\server.exe, type: DROPPED

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\LocalM_d_cKXRrV.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\LocalylmNBbjoFA.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local_wGRdnhmmy.exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: LisectAVT_2403002A_473.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 0.0.LisectAVT_2403002A_473.exe.8353e7.2.raw.unpack	String decryptor: h2cker.ddns.net
Source: 0.0.LisectAVT_2403002A_473.exe.8353e7.2.raw.unpack	String decryptor: 0194
Source: 0.0.LisectAVT_2403002A_473.exe.8353e7.2.raw.unpack	String decryptor: <123456789>
Source: 0.0.LisectAVT_2403002A_473.exe.8353e7.2.raw.unpack	String decryptor: <Xwormmm>
Source: 0.0.LisectAVT_2403002A_473.exe.8353e7.2.raw.unpack	String decryptor: USB.exe

Uses 32bit PE files

Source: LisectAVT_2403002A_473.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Window detected: License AgreementPlease read the following important information before continuing.Please read the following License Agreement. You must accept the terms of this agreement before continuing with the installation.Copyright (c) 2020-2024 maximmax42Permission is hereby granted free of charge to any person obtaining a copy of this software and associated documentation files (the "Software") to deal in the Software without restriction including without limitation the rights to use copy modify merge publish distribute sublicense and/or sell copies of the Software and to permit persons to whom the Software is furnished to do so subject to the following conditions:The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND EXPRESS OR IMPLIED INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM DAMAGES OR OTHER LIABILITY WHETHER IN AN ACTION OF CONTRACT TORT OR OTHERWISE ARISING FROM OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.---Upon the first launch of the app you will be asked permission to send analytics data to the developer. You can still use the app without any restriction if you don't consent.CustomRP collects this non-personal information during the usage of the app:- OS Version- OS Language- Device Model (laptop or motherboard)- Country based on OS settings (does not use geolocation)- App VersionAs well as these user interactions:- Connection status to Discord- Connection errors (wrong ID etc)- Connection failure (Discord isn't running etc)- Updated presence: - Does it have party? - What timestamp type is used? - Does it have a big image set? - Does it have a small image set? - How many buttons are set?- New version was ignored: - Which version?- Saved a preset- Loaded a preset- Clicked on a supporter/translator menu item: - Name of the supporter/translator - URL of the supporter/translator- Opened "Pipe select" window- Opened "About" windowCrash reports send your settings (except ID) to help understand the cause of the crash.This information is collected to understand how the application is used improve features and catch unexpected crashes as soon as they appear. The information is stored in the Microsoft App Center for 28 days and is not shared with any third parties.I &accept the agreementI &do not accept the agreement&NextCancel
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Window detected: License AgreementPlease read the following important information before continuing.Please read the following License Agreement. You must accept the terms of this agreement before continuing with the installation.Copyright (c) 2020-2024 maximmax42Permission is hereby granted free of charge to any person obtaining a copy of this software and associated documentation files (the "Software") to deal in the Software without restriction including without limitation the rights to use copy modify merge publish distribute sublicense and/or sell copies of the Software and to permit persons to whom the Software is furnished to do so subject to the following conditions:The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND EXPRESS OR IMPLIED INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM DAMAGES OR OTHER LIABILITY WHETHER IN AN ACTION OF CONTRACT TORT OR OTHERWISE ARISING FROM OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.---Upon the first launch of the app you will be asked permission to send analytics data to the developer. You can still use the app without any restriction if you don't consent.CustomRP collects this non-personal information during the usage of the app:- OS Version- OS Language- Device Model (laptop or motherboard)- Country based on OS settings (does not use geolocation)- App VersionAs well as these user interactions:- Connection status to Discord- Connection errors (wrong ID etc)- Connection failure (Discord isn't running etc)- Updated presence: - Does it have party? - What timestamp type is used? - Does it have a big image set? - Does it have a small image set? - How many buttons are set?- New version was ignored: - Which version?- Saved a preset- Loaded a preset- Clicked on a supporter/translator menu item: - Name of the supporter/translator - URL of the supporter/translator- Opened "Pipe select" window- Opened "About" windowCrash reports send your settings (except ID) to help understand the cause of the crash.This information is collected to understand how the application is used improve features and catch unexpected crashes as soon as they appear. The information is stored in the Microsoft App Center for 28 days and is not shared with any third parties.I &accept the agreementI &do not accept the agreement&NextCancel
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Window detected: License AgreementPlease read the following important information before continuing.Please read the following License Agreement. You must accept the terms of this agreement before continuing with the installation.Copyright (c) 2020-2024 maximmax42Permission is hereby granted free of charge to any person obtaining a copy of this software and associated documentation files (the "Software") to deal in the Software without restriction including without limitation the rights to use copy modify merge publish distribute sublicense and/or sell copies of the Software and to permit persons to whom the Software is furnished to do so subject to the following conditions:The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND EXPRESS OR IMPLIED INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM DAMAGES OR OTHER LIABILITY WHETHER IN AN ACTION OF CONTRACT TORT OR OTHERWISE ARISING FROM OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.---Upon the first launch of the app you will be asked permission to send analytics data to the developer. You can still use the app without any restriction if you don't consent.CustomRP collects this non-personal information during the usage of the app:- OS Version- OS Language- Device Model (laptop or motherboard)- Country based on OS settings (does not use geolocation)- App VersionAs well as these user interactions:- Connection status to Discord- Connection errors (wrong ID etc)- Connection failure (Discord isn't running etc)- Updated presence: - Does it have party? - What timestamp type is used? - Does it have a big image set? - Does it have a small image set? - How many buttons are set?- New version was ignored: - Which version?- Saved a preset- Loaded a preset- Clicked on a supporter/translator menu item: - Name of the supporter/translator - URL of the supporter/translator- Opened "Pipe select" window- Opened "About" windowCrash reports send your settings (except ID) to help understand the cause of the crash.This information is collected to understand how the application is used improve features and catch unexpected crashes as soon as they appear. The information is stored in the Microsoft App Center for 28 days and is not shared with any third parties.I &accept the agreementI &do not accept the agreement&NextCancel
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Window detected: License AgreementPlease read the following important information before continuing.Please read the following License Agreement. You must accept the terms of this agreement before continuing with the installation.Copyright (c) 2020-2024 maximmax42Permission is hereby granted free of charge to any person obtaining a copy of this software and associated documentation files (the "Software") to deal in the Software without restriction including without limitation the rights to use copy modify merge publish distribute sublicense and/or sell copies of the Software and to permit persons to whom the Software is furnished to do so subject to the following conditions:The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND EXPRESS OR IMPLIED INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM DAMAGES OR OTHER LIABILITY WHETHER IN AN ACTION OF CONTRACT TORT OR OTHERWISE ARISING FROM OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.---Upon the first launch of the app you will be asked permission to send analytics data to the developer. You can still use the app without any restriction if you don't consent.CustomRP collects this non-personal information during the usage of the app:- OS Version- OS Language- Device Model (laptop or motherboard)- Country based on OS settings (does not use geolocation)- App VersionAs well as these user interactions:- Connection status to Discord- Connection errors (wrong ID etc)- Connection failure (Discord isn't running etc)- Updated presence: - Does it have party? - What timestamp type is used? - Does it have a big image set? - Does it have a small image set? - How many buttons are set?- New version was ignored: - Which version?- Saved a preset- Loaded a preset- Clicked on a supporter/translator menu item: - Name of the supporter/translator - URL of the supporter/translator- Opened "Pipe select" window- Opened "About" windowCrash reports send your settings (except ID) to help understand the cause of the crash.This information is collected to understand how the application is used improve features and catch unexpected crashes as soon as they appear. The information is stored in the Microsoft App Center for 28 days and is not shared with any third parties.I &accept the agreementI &do not accept the agreement&NextCancel

Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp

Registry value created: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{6B1949CF-3AC6-43B8-95BF-5517797E2CEA}_is1

Jump to behavior

Source: C:\Users\user\Desktop\LisectAVT_2403002A_473.exe

File opened: C:\Windows\WinSxS\amd64_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_88e266cb2fac7c0d\MSVCR80.dll

Jump to behavior

Source: unknown	HTTPS traffic detected: 40.127.169.103:443 -> 192.168.2.7:49701 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 140.82.121.5:443 -> 192.168.2.7:49710 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.127.169.103:443 -> 192.168.2.7:49735 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 140.82.121.4:443 -> 192.168.2.7:49773 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.199.111.133:443 -> 192.168.2.7:49789 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 140.82.121.5:443 -> 192.168.2.7:49808 version: TLS 1.2

Source: LisectAVT_2403002A_473.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: D:\a\1\s\SDK\AppCenterCrashes\Microsoft.AppCenter.Crashes.WindowsDesktop\obj\Microsoft.AppCenter.Crashes.WindowsDesktop\Release\net472\Microsoft.AppCenter.Crashes.pdb source: LocalwCRkvqzBqW.tmp, 0000000E.00000003.1661520651.00000000057AF000.00000004.00001000.00020000.00000000.sdmp, CustomRP.exe, CustomRP.exe, 00000023.00000002.1870099006.00000000055F2000.00000002.00000001.01000000.00000012.sdmp, CustomRP.1.17.26.tmp, 00000027.00000003.2195222115.00000000058B0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\projects\customrp\CustomRPC\obj\Release\CustomRP.pdb source: LocalwCRkvqzBqW.tmp, 0000000E.00000003.1661520651.00000000057AF000.00000004.00001000.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000000.1657558451.0000000000AB2000.00000002.00000001.01000000.00000010.sdmp, CustomRP.1.17.26.tmp, 00000027.00000003.2195222115.00000000058B0000.00000004.00001000.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000000.2191328539.0000000000E72000.00000002.00000001.01000000.00000010.sdmp
Source:	Binary string: C:\NetFXDev1\binaries\x86ret\bin\i386\VSSetup\Utils\boxstub.pdb source: is-L16CA.tmp.39.dr
Source:	Binary string: c:\Users\Sentinel\Desktop\HTMLRenderer\HTML-Renderer\Source\HtmlRenderer.WinForms\obj\Release\HtmlRenderer.WinForms.pdb source: LocalwCRkvqzBqW.tmp, 0000000E.00000003.1661520651.00000000057AF000.00000004.00001000.00020000.00000000.sdmp, CustomRP.exe, CustomRP.exe, 0000001A.00000002.2038683267.000000000CE22000.00000002.00000001.01000000.00000024.sdmp, CustomRP.1.17.26.tmp, 00000027.00000003.2195222115.00000000058B0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\a\SQLitePCL.raw\SQLitePCL.raw\SQLitePCL.raw\src\SQLitePCLRaw.core\obj\Release\netstandard2.0\SQLitePCLRaw.core.pdb source: LocalwCRkvqzBqW.tmp, 0000000E.00000003.1661520651.00000000057AF000.00000004.00001000.00020000.00000000.sdmp, CustomRP.exe, CustomRP.exe, 0000001A.00000002.1999866525.00000000060A2000.00000002.00000001.01000000.00000017.sdmp, is-FETK3.tmp.39.dr
Source:	Binary string: c:\Users\Sentinel\Desktop\HTMLRenderer\HTML-Renderer\Source\HtmlRenderer\obj\Release\HtmlRenderer.pdb source: LocalwCRkvqzBqW.tmp, 0000000E.00000003.1661520651.00000000057AF000.00000004.00001000.00020000.00000000.sdmp, CustomRP.exe, CustomRP.exe, 0000001A.00000002.2039306519.000000000CE92000.00000002.00000001.01000000.00000025.sdmp, CustomRP.1.17.26.tmp, 00000027.00000003.2195222115.00000000058B0000.00000004.00001000.00020000.00000000.sdmp, is-8ECJB.tmp.39.dr
Source:	Binary string: /_/Src/Newtonsoft.Json.Bson/obj/Release/net45/Newtonsoft.Json.Bson.pdbSHA256Z source: LocalwCRkvqzBqW.tmp, 0000000E.00000003.1661520651.00000000057AF000.00000004.00001000.00020000.00000000.sdmp, CustomRP.1.17.26.tmp, 00000027.00000003.2195222115.00000000058B0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\a\_work\1\s\corefx\bin\obj\AnyOS.AnyCPU.Release\System.Memory\netfx\System.Memory.pdb source: LocalwCRkvqzBqW.tmp, 0000000E.00000003.1661520651.00000000057AF000.00000004.00001000.00020000.00000000.sdmp, CustomRP.exe, CustomRP.exe, 0000001A.00000002.2002226777.00000000063B2000.00000002.00000001.01000000.00000019.sdmp
Source:	Binary string: D:\a\SQLitePCL.raw\SQLitePCL.raw\SQLitePCL.raw\src\SQLitePCLRaw.core\obj\Release\netstandard2.0\SQLitePCLRaw.core.pdbSHA256I source: LocalwCRkvqzBqW.tmp, 0000000E.00000003.1661520651.00000000057AF000.00000004.00001000.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000002.1999866525.00000000060A2000.00000002.00000001.01000000.00000017.sdmp, is-FETK3.tmp.39.dr
Source:	Binary string: D:\a\SQLitePCL.raw\SQLitePCL.raw\SQLitePCL.raw\src\SQLitePCLRaw.bundle_green\obj\Release\net461\SQLitePCLRaw.batteries_v2.pdb source: LocalwCRkvqzBqW.tmp, 0000000E.00000003.1661520651.00000000057AF000.00000004.00001000.00020000.00000000.sdmp, CustomRP.exe, CustomRP.exe, 0000001A.00000002.1999487049.0000000005A42000.00000002.00000001.01000000.00000016.sdmp, is-90JQC.tmp.14.dr
Source:	Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdb source: LocalwCRkvqzBqW.tmp, 0000000E.00000003.1661520651.00000000057AF000.00000004.00001000.00020000.00000000.sdmp, CustomRP.exe, CustomRP.exe, 0000001A.00000002.2000036377.00000000060C2000.00000002.00000001.01000000.00000015.sdmp, CustomRP.1.17.26.tmp, 00000027.00000003.2195222115.00000000058B0000.00000004.00001000.00020000.00000000.sdmp, is-N75LE.tmp.14.dr, is-8B8DA.tmp.39.dr
Source:	Binary string: D:\a\SQLitePCL.raw\SQLitePCL.raw\SQLitePCL.raw\src\SQLitePCLRaw.provider.dynamic_cdecl\obj\Release\netstandard2.0\SQLitePCLRaw.provider.dynamic_cdecl.pdb source: LocalwCRkvqzBqW.tmp, 0000000E.00000003.1661520651.00000000057AF000.00000004.00001000.00020000.00000000.sdmp, CustomRP.exe, CustomRP.exe, 0000001A.00000002.2001708037.0000000006342000.00000002.00000001.01000000.00000018.sdmp, is-7ECM7.tmp.39.dr, is-CMKDC.tmp.14.dr
Source:	Binary string: D:\a\cb\cb\cb\bld\bin\e_sqlite3\win\v142\plain\x86\e_sqlite3.pdb source: CustomRP.exe, 0000001A.00000002.2046982098.000000006A8BA000.00000002.00000001.01000000.0000001A.sdmp, CustomRP.exe, 0000002A.00000002.3865639119.000000006A58B000.00000002.00000001.01000000.0000001A.sdmp
Source:	Binary string: D:\Projects\Visual Studio\discord-rpc-csharp\DiscordRPC\obj\Release\net45\DiscordRPC.pdb source: LocalwCRkvqzBqW.tmp, 0000000E.00000003.1661520651.00000000057AF000.00000004.00001000.00020000.00000000.sdmp, CustomRP.exe, CustomRP.exe, 0000001A.00000002.2008788803.0000000009AC2000.00000002.00000001.01000000.0000001C.sdmp, CustomRP.1.17.26.tmp, 00000027.00000003.2195222115.00000000058B0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: Octokit.pdbSHA256 source: LocalwCRkvqzBqW.tmp, 0000000E.00000003.1661520651.00000000057AF000.00000004.00001000.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000002.2011935141.0000000009C32000.00000002.00000001.01000000.0000001D.sdmp, CustomRP.exe, 0000002A.00000002.3833471382.0000000006E82000.00000002.00000001.01000000.0000001D.sdmp
Source:	Binary string: D:\a\_work\1\Tooling\obj\Release\System.Net.Http.Formatting\System.Net.Http.Formatting.pdb source: LocalwCRkvqzBqW.tmp, 0000000E.00000003.1661520651.00000000057AF000.00000004.00001000.00020000.00000000.sdmp, is-OARCU.tmp.14.dr
Source:	Binary string: c:\Users\Sentinel\Desktop\HTMLRenderer\HTML-Renderer\Source\HtmlRenderer.WinForms\obj\Release\HtmlRenderer.WinForms.pdb, source: LocalwCRkvqzBqW.tmp, 0000000E.00000003.1661520651.00000000057AF000.00000004.00001000.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000002.2038683267.000000000CE22000.00000002.00000001.01000000.00000024.sdmp, CustomRP.1.17.26.tmp, 00000027.00000003.2195222115.00000000058B0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: /_/Src/Newtonsoft.Json.Bson/obj/Release/net45/Newtonsoft.Json.Bson.pdb source: LocalwCRkvqzBqW.tmp, 0000000E.00000003.1661520651.00000000057AF000.00000004.00001000.00020000.00000000.sdmp, CustomRP.1.17.26.tmp, 00000027.00000003.2195222115.00000000058B0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\a\SQLitePCL.raw\SQLitePCL.raw\SQLitePCL.raw\src\SQLitePCLRaw.bundle_green\obj\Release\net461\SQLitePCLRaw.batteries_v2.pdbSHA256R source: LocalwCRkvqzBqW.tmp, 0000000E.00000003.1661520651.00000000057AF000.00000004.00001000.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000002.1999487049.0000000005A42000.00000002.00000001.01000000.00000016.sdmp, is-90JQC.tmp.14.dr
Source:	Binary string: E:\OneDrive\Programming\CommonMark\CommonMark\obj\v4.5\Release\CommonMark.pdb source: LocalwCRkvqzBqW.tmp, 0000000E.00000003.1661520651.0000000005700000.00000004.00001000.00020000.00000000.sdmp, CustomRP.exe, CustomRP.exe, 0000001A.00000002.2033794203.000000000BEF2000.00000002.00000001.01000000.00000023.sdmp, CustomRP.1.17.26.tmp, 00000027.00000003.2195222115.0000000005824000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\s\SDK\AppCenter\Microsoft.AppCenter.WindowsDesktop\obj\Microsoft.AppCenter.WindowsDesktop\Release\net472\Microsoft.AppCenter.pdbSHA256 source: LocalwCRkvqzBqW.tmp, 0000000E.00000003.1661520651.00000000057AF000.00000004.00001000.00020000.00000000.sdmp, CustomRP.exe, 00000023.00000002.1872050699.0000000005A02000.00000002.00000001.01000000.00000013.sdmp, CustomRP.1.17.26.tmp, 00000027.00000003.2195222115.00000000058B0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\Projects\Visual Studio\discord-rpc-csharp\DiscordRPC\obj\Release\net45\DiscordRPC.pdbSHA256^ source: LocalwCRkvqzBqW.tmp, 0000000E.00000003.1661520651.00000000057AF000.00000004.00001000.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000002.2008788803.0000000009AC2000.00000002.00000001.01000000.0000001C.sdmp, CustomRP.1.17.26.tmp, 00000027.00000003.2195222115.00000000058B0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\a\SQLitePCL.raw\SQLitePCL.raw\SQLitePCL.raw\src\SQLitePCLRaw.provider.dynamic_cdecl\obj\Release\netstandard2.0\SQLitePCLRaw.provider.dynamic_cdecl.pdbSHA256 source: LocalwCRkvqzBqW.tmp, 0000000E.00000003.1661520651.00000000057AF000.00000004.00001000.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000002.2001708037.0000000006342000.00000002.00000001.01000000.00000018.sdmp, is-7ECM7.tmp.39.dr, is-CMKDC.tmp.14.dr
Source:	Binary string: E:\A\_work\156\s\corefx\bin\obj\AnyOS.AnyCPU.Release\System.Buffers\netfx\System.Buffers.pdb source: LocalwCRkvqzBqW.tmp, 0000000E.00000003.1661520651.00000000057AF000.00000004.00001000.00020000.00000000.sdmp, is-LTL2H.tmp.14.dr
Source:	Binary string: D:\a\1\s\SDK\AppCenterAnalytics\Microsoft.AppCenter.Analytics.WindowsDesktop\obj\Microsoft.AppCenter.Analytics.WindowsDesktop\Release\net472\Microsoft.AppCenter.Analytics.pdb source: LocalwCRkvqzBqW.tmp, 0000000E.00000003.1661520651.00000000057AF000.00000004.00001000.00020000.00000000.sdmp, CustomRP.exe, CustomRP.exe, 00000023.00000002.1870476118.0000000005662000.00000002.00000001.01000000.00000014.sdmp, CustomRP.1.17.26.tmp, 00000027.00000003.2195222115.00000000058B0000.00000004.00001000.00020000.00000000.sdmp, is-313PG.tmp.14.dr
Source:	Binary string: E:\A\_work\39\s\corefx\bin/obj/AnyOS.AnyCPU.Release/System.Numerics.Vectors/net46\System.Numerics.Vectors.pdb source: LocalwCRkvqzBqW.tmp, 0000000E.00000003.1661520651.00000000057AF000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\s\SDK\AppCenterAnalytics\Microsoft.AppCenter.Analytics.WindowsDesktop\obj\Microsoft.AppCenter.Analytics.WindowsDesktop\Release\net472\Microsoft.AppCenter.Analytics.pdbSHA256 source: LocalwCRkvqzBqW.tmp, 0000000E.00000003.1661520651.00000000057AF000.00000004.00001000.00020000.00000000.sdmp, CustomRP.exe, 00000023.00000002.1870476118.0000000005662000.00000002.00000001.01000000.00000014.sdmp, CustomRP.1.17.26.tmp, 00000027.00000003.2195222115.00000000058B0000.00000004.00001000.00020000.00000000.sdmp, is-313PG.tmp.14.dr
Source:	Binary string: Octokit.pdb source: CustomRP.exe, CustomRP.exe, 0000002A.00000002.3833471382.0000000006E82000.00000002.00000001.01000000.0000001D.sdmp
Source:	Binary string: E:\A\_work\156\s\corefx\bin\obj\AnyOS.AnyCPU.Release\System.Threading.Tasks.Extensions\netfx\System.Threading.Tasks.Extensions.pdb source: LocalwCRkvqzBqW.tmp, 0000000E.00000003.1661520651.00000000057AF000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdbSHA2567 source: LocalwCRkvqzBqW.tmp, 0000000E.00000003.1661520651.00000000057AF000.00000004.00001000.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000002.2000036377.00000000060C2000.00000002.00000001.01000000.00000015.sdmp, CustomRP.1.17.26.tmp, 00000027.00000003.2195222115.00000000058B0000.00000004.00001000.00020000.00000000.sdmp, is-N75LE.tmp.14.dr, is-8B8DA.tmp.39.dr
Source:	Binary string: D:\a\1\s\SDK\AppCenterCrashes\Microsoft.AppCenter.Crashes.WindowsDesktop\obj\Microsoft.AppCenter.Crashes.WindowsDesktop\Release\net472\Microsoft.AppCenter.Crashes.pdbSHA256 source: LocalwCRkvqzBqW.tmp, 0000000E.00000003.1661520651.00000000057AF000.00000004.00001000.00020000.00000000.sdmp, CustomRP.exe, 00000023.00000002.1870099006.00000000055F2000.00000002.00000001.01000000.00000012.sdmp, CustomRP.1.17.26.tmp, 00000027.00000003.2195222115.00000000058B0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: -C:\NetFXDev1\binaries\x86ret\bin\i386\VSSetup\Utils\boxstub.pdb source: is-L16CA.tmp.39.dr
Source:	Binary string: C:\projects\customrp\CustomRPC\obj\Release\CustomRP.pdb< source: CustomRP.1.17.26.tmp, 00000027.00000003.2195222115.00000000058B0000.00000004.00001000.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000000.2191328539.0000000000E72000.00000002.00000001.01000000.00000010.sdmp
Source:	Binary string: D:\a\1\s\SDK\AppCenter\Microsoft.AppCenter.WindowsDesktop\obj\Microsoft.AppCenter.WindowsDesktop\Release\net472\Microsoft.AppCenter.pdb source: LocalwCRkvqzBqW.tmp, 0000000E.00000003.1661520651.00000000057AF000.00000004.00001000.00020000.00000000.sdmp, CustomRP.exe, CustomRP.exe, 00000023.00000002.1872050699.0000000005A02000.00000002.00000001.01000000.00000013.sdmp, CustomRP.1.17.26.tmp, 00000027.00000003.2195222115.00000000058B0000.00000004.00001000.00020000.00000000.sdmp

May infect USB drives

Source: LisectAVT_2403002A_473.exe, 00000000.00000002.1280963638.0000000002E01000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: autorun.inf
Source: LisectAVT_2403002A_473.exe, 00000000.00000002.1280963638.0000000002E01000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: [autorun]
Source: LisectAVT_2403002A_473.exe, 00000000.00000000.1256648440.000000000084B000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: autorun.inf
Source: LisectAVT_2403002A_473.exe, 00000000.00000000.1256648440.000000000084B000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: [autorun]
Source: LocalM_d_cKXRrV.exe, 00000003.00000002.1338451388.0000000002C14000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: autorun.inf
Source: LocalM_d_cKXRrV.exe, 00000003.00000002.1338451388.0000000002C14000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: [autorun]
Source: LocalM_d_cKXRrV.exe, 00000003.00000000.1264112585.00000000005C2000.00000002.00000001.01000000.00000006.sdmp	Binary or memory string: autorun.inf
Source: LocalM_d_cKXRrV.exe, 00000003.00000000.1264112585.00000000005C2000.00000002.00000001.01000000.00000006.sdmp	Binary or memory string: [autorun]
Source: server.exe, 00000010.00000002.3774758497.0000000002EA1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: autorun.inf
Source: server.exe, 00000010.00000002.3774758497.0000000002EA1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: [autorun]
Source: LisectAVT_2403002A_473.exe	Binary or memory string: autorun.inf
Source: LisectAVT_2403002A_473.exe	Binary or memory string: [autorun]

Source: chrome.exe

Memory has grown: Private usage: 0MB later: 38MB

Networking

Yara detected MSILDownloaderGeneric

Source: Yara match

File source: Process Memory Space: CustomRP.exe PID: 8140, type: MEMORYSTR

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: h2cker.ddns.net

Performs DNS queries to domains with low reputation

Source: C:\Program Files\Google\Chrome\Application\chrome.exe	DNS query: docs.customrp.xyz
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	DNS query: docs.customrp.xyz
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	DNS query: docs.customrp.xyz
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	DNS query: docs.customrp.xyz

Uses dynamic DNS services

Source: unknown

DNS query: name: h2cker.ddns.net

Yara detected Generic Downloader

Source: Yara match	File source: LisectAVT_2403002A_473.exe, type: SAMPLE
Source: Yara match	File source: 8.0.Local_wGRdnhmmy.exe.3c0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.2.CustomRP.exe.ce90000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.LisectAVT_2403002A_473.exe.8353e7.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.LocalylmNBbjoFA.exe.8441d8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.LisectAVT_2403002A_473.exe.1344c248.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.LocalylmNBbjoFA.exe.2f1c470.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 39.3.CustomRP.1.17.26.tmp.594b3d4.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 39.3.CustomRP.1.17.26.tmp.595fbd4.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.LisectAVT_2403002A_473.exe.1f0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.LocalylmNBbjoFA.exe.200000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.3.LocalwCRkvqzBqW.tmp.585edd4.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.3.LocalwCRkvqzBqW.tmp.584a5d4.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: Process Memory Space: CustomRP.exe PID: 8140, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\CustomRP\is-8ECJB.tmp, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Roaming\CustomRP\is-VUD2Q.tmp, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local_wGRdnhmmy.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\LocalylmNBbjoFA.exe, type: DROPPED

HTTP GET or POST without a user agent

Source: global traffic	HTTP traffic detected: GET /maximmax42/Discord-CustomRP/releases/download/1.17.26/CustomRP.1.17.26.exe HTTP/1.1Host: github.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /github-production-release-asset-2e65be/158286982/4e44c323-1ab5-4a78-8eac-2af3792e6492?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=releaseassetproduction%2F20240725%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20240725T174543Z&X-Amz-Expires=300&X-Amz-Signature=2b8c79c3814c9ddb3cea189dda427c0b109df098f19b5b63fe34e9d54974f545&X-Amz-SignedHeaders=host&actor_id=0&key_id=0&repo_id=158286982&response-content-disposition=attachment%3B%20filename%3DCustomRP.1.17.26.exe&response-content-type=application%2Foctet-stream HTTP/1.1Host: objects.githubusercontent.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 20.50.201.200
Source: unknown	TCP traffic detected without corresponding DNS query: 20.50.201.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 20.50.201.200
Source: unknown	TCP traffic detected without corresponding DNS query: 20.50.201.200
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 20.50.201.200
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 20.50.201.200
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 40.127.169.103
Source: unknown	TCP traffic detected without corresponding DNS query: 40.127.169.103
Source: unknown	TCP traffic detected without corresponding DNS query: 40.127.169.103
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 40.127.169.103
Source: unknown	TCP traffic detected without corresponding DNS query: 40.127.169.103
Source: unknown	TCP traffic detected without corresponding DNS query: 40.127.169.103
Source: unknown	TCP traffic detected without corresponding DNS query: 40.127.169.103
Source: unknown	TCP traffic detected without corresponding DNS query: 40.127.169.103
Source: unknown	TCP traffic detected without corresponding DNS query: 40.127.169.103
Source: unknown	TCP traffic detected without corresponding DNS query: 40.127.169.103
Source: unknown	TCP traffic detected without corresponding DNS query: 40.127.169.103
Source: unknown	TCP traffic detected without corresponding DNS query: 40.127.169.103
Source: unknown	TCP traffic detected without corresponding DNS query: 40.127.169.103
Source: unknown	TCP traffic detected without corresponding DNS query: 20.50.201.200
Source: unknown	TCP traffic detected without corresponding DNS query: 40.127.169.103
Source: unknown	TCP traffic detected without corresponding DNS query: 40.127.169.103
Source: unknown	TCP traffic detected without corresponding DNS query: 40.127.169.103
Source: unknown	TCP traffic detected without corresponding DNS query: 40.127.169.103
Source: unknown	TCP traffic detected without corresponding DNS query: 40.127.169.103
Source: unknown	TCP traffic detected without corresponding DNS query: 40.127.169.103
Source: unknown	TCP traffic detected without corresponding DNS query: 40.127.169.103
Source: unknown	TCP traffic detected without corresponding DNS query: 40.127.169.103
Source: unknown	TCP traffic detected without corresponding DNS query: 40.127.169.103
Source: unknown	TCP traffic detected without corresponding DNS query: 40.127.169.103
Source: unknown	TCP traffic detected without corresponding DNS query: 40.127.169.103
Source: unknown	TCP traffic detected without corresponding DNS query: 40.127.169.103

Source: global traffic	HTTP traffic detected: GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=gpRo43W+uZKaMDS&MD=X2XeBryM HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: global traffic	HTTP traffic detected: GET /repos/maximmax42/Discord-CustomRP/releases HTTP/1.1Accept: application/vnd.github.v3User-Agent: CustomRP (Win32NT 10.0.19045; amd64; en-CH; Octokit.net 9.1.2+e87aa64973860122e2c2ba6aa6634f8961c4cc99)Host: api.github.comAccept-Encoding: gzip, deflateConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /repositories/158286982/releases?page=2 HTTP/1.1Accept: application/vnd.github.v3User-Agent: CustomRP (Win32NT 10.0.19045; amd64; en-CH; Octokit.net 9.1.2+e87aa64973860122e2c2ba6aa6634f8961c4cc99)Host: api.github.comAccept-Encoding: gzip, deflate
Source: global traffic	HTTP traffic detected: GET /repositories/158286982/releases?page=3 HTTP/1.1Accept: application/vnd.github.v3User-Agent: CustomRP (Win32NT 10.0.19045; amd64; en-CH; Octokit.net 9.1.2+e87aa64973860122e2c2ba6aa6634f8961c4cc99)Host: api.github.comAccept-Encoding: gzip, deflate
Source: global traffic	HTTP traffic detected: GET /setting-up HTTP/1.1Host: docs.customrp.xyzConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /_next/static/css/74e2fcdb16cfacd8.css HTTP/1.1Host: docs.customrp.xyzConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: text/css,/;q=0.1Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: styleReferer: https://docs.customrp.xyz/setting-upAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /_next/static/css/b9d4de855d30ec1d.css HTTP/1.1Host: docs.customrp.xyzConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: text/css,/;q=0.1Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: styleReferer: https://docs.customrp.xyz/setting-upAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /_next/static/css/9788c0e64943a60e.css HTTP/1.1Host: docs.customrp.xyzConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: text/css,/;q=0.1Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: styleReferer: https://docs.customrp.xyz/setting-upAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /_next/static/css/7a9c2d78b5e93503.css HTTP/1.1Host: docs.customrp.xyzConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: text/css,/;q=0.1Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: styleReferer: https://docs.customrp.xyz/setting-upAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /_next/static/css/3fe48cabb38955f2.css HTTP/1.1Host: docs.customrp.xyzConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: text/css,/;q=0.1Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: styleReferer: https://docs.customrp.xyz/setting-upAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /~gitbook/image?url=https%3A%2F%2F3448418481-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fcollections%252Fb7ivX6BQQxRccY1orTyN%252Ficon%252FnkaA7BNDEwNuDrY1Bu5Z%252Flogo.png%3Falt%3Dmedia%26token%3D8a0a99e6-b7f7-4e7b-9a7d-ec4200fc5dbe&width=32&dpr=1&quality=100&sign=bb6256&sv=1 HTTP/1.1Host: docs.customrp.xyzConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://docs.customrp.xyz/setting-upAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /repositories/158286982/releases?page=4 HTTP/1.1Accept: application/vnd.github.v3User-Agent: CustomRP (Win32NT 10.0.19045; amd64; en-CH; Octokit.net 9.1.2+e87aa64973860122e2c2ba6aa6634f8961c4cc99)Host: api.github.comAccept-Encoding: gzip, deflate
Source: global traffic	HTTP traffic detected: GET /~gitbook/image?url=https%3A%2F%2Fgithub.com%2Fmaximmax42%2FCustomRP-Docs%2Fassets%2F2225711%2Fa1b8cb1e-7f88-4061-b297-2691523718a5&width=768&dpr=1&quality=100&sign=1352a698&sv=1 HTTP/1.1Host: docs.customrp.xyzConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://docs.customrp.xyz/setting-upAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /_next/static/chunks/webpack-57a2c0165c63471b.js HTTP/1.1Host: docs.customrp.xyzConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://docs.customrp.xyz/setting-upAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /_next/static/chunks/1dd3208c-be983e9332503385.js HTTP/1.1Host: docs.customrp.xyzConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://docs.customrp.xyz/setting-upAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /_next/static/chunks/9297-f3eccea4ea14abf3.js HTTP/1.1Host: docs.customrp.xyzConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://docs.customrp.xyz/setting-upAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /_next/static/chunks/main-app-1db0f0cc75a347a1.js HTTP/1.1Host: docs.customrp.xyzConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://docs.customrp.xyz/setting-upAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /_next/static/media/c9a5bc6a7c948fb0-s.woff2 HTTP/1.1Host: docs.customrp.xyzConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Origin: https://docs.customrp.xyzsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: same-originSec-Fetch-Mode: corsSec-Fetch-Dest: fontReferer: https://docs.customrp.xyz/_next/static/css/74e2fcdb16cfacd8.cssAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /_next/static/media/79ec87d3cdff1fa5-s.woff2 HTTP/1.1Host: docs.customrp.xyzConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Origin: https://docs.customrp.xyzsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: same-originSec-Fetch-Mode: corsSec-Fetch-Dest: fontReferer: https://docs.customrp.xyz/_next/static/css/74e2fcdb16cfacd8.cssAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /_next/static/media/3478b6abef19b3b3-s.woff2 HTTP/1.1Host: docs.customrp.xyzConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Origin: https://docs.customrp.xyzsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: same-originSec-Fetch-Mode: corsSec-Fetch-Dest: fontReferer: https://docs.customrp.xyz/_next/static/css/74e2fcdb16cfacd8.cssAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /_next/static/chunks/app/global-error-fb32fca0ade143dc.js HTTP/1.1Host: docs.customrp.xyzConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://docs.customrp.xyz/setting-upAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /_next/static/chunks/b5d5b83b-50e242a0019abc1b.js HTTP/1.1Host: docs.customrp.xyzConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://docs.customrp.xyz/setting-upAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=gpRo43W+uZKaMDS&MD=X2XeBryM HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: global traffic	HTTP traffic detected: GET /_next/static/chunks/8041-39d7cacda46bd1fd.js HTTP/1.1Host: docs.customrp.xyzConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://docs.customrp.xyz/setting-upAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /_next/static/chunks/9658-f6b5423552e90c65.js HTTP/1.1Host: docs.customrp.xyzConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://docs.customrp.xyz/setting-upAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /_next/static/chunks/app/(space)/layout-4f711d9c51dccb47.js HTTP/1.1Host: docs.customrp.xyzConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://docs.customrp.xyz/setting-upAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /_next/static/chunks/app/(space)/error-0586e6623f4790f0.js HTTP/1.1Host: docs.customrp.xyzConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://docs.customrp.xyz/setting-upAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /_next/static/chunks/339-d1fe13e12cfd6d9a.js HTTP/1.1Host: docs.customrp.xyzConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://docs.customrp.xyz/setting-upAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /~gitbook/image?url=https%3A%2F%2F3448418481-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fcollections%252Fb7ivX6BQQxRccY1orTyN%252Ficon%252FnkaA7BNDEwNuDrY1Bu5Z%252Flogo.png%3Falt%3Dmedia%26token%3D8a0a99e6-b7f7-4e7b-9a7d-ec4200fc5dbe&width=32&dpr=1&quality=100&sign=bb6256&sv=1 HTTP/1.1Host: docs.customrp.xyzConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /_next/static/chunks/main-app-1db0f0cc75a347a1.js HTTP/1.1Host: docs.customrp.xyzConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /_next/static/chunks/8390-95889667ae2a0528.js HTTP/1.1Host: docs.customrp.xyzConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://docs.customrp.xyz/setting-upAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /_next/static/chunks/5810-30abd17002efe9e2.js HTTP/1.1Host: docs.customrp.xyzConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://docs.customrp.xyz/setting-upAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /_next/static/chunks/webpack-57a2c0165c63471b.js HTTP/1.1Host: docs.customrp.xyzConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /~gitbook/image?url=https%3A%2F%2Fgithub.com%2Fmaximmax42%2FCustomRP-Docs%2Fassets%2F2225711%2Fa1b8cb1e-7f88-4061-b297-2691523718a5&width=768&dpr=1&quality=100&sign=1352a698&sv=1 HTTP/1.1Host: docs.customrp.xyzConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /_next/static/chunks/9297-f3eccea4ea14abf3.js HTTP/1.1Host: docs.customrp.xyzConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /_next/static/chunks/1dd3208c-be983e9332503385.js HTTP/1.1Host: docs.customrp.xyzConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /_next/static/chunks/132-510ddc716fcc679e.js HTTP/1.1Host: docs.customrp.xyzConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://docs.customrp.xyz/setting-upAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /_next/static/chunks/app/(space)/(content)/layout-e9465a8d877efffb.js HTTP/1.1Host: docs.customrp.xyzConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://docs.customrp.xyz/setting-upAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /_next/static/chunks/app/(space)/(content)/%5B%5B...pathname%5D%5D/loading-dce89470a41df777.js HTTP/1.1Host: docs.customrp.xyzConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://docs.customrp.xyz/setting-upAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /_next/static/chunks/app/global-error-fb32fca0ade143dc.js HTTP/1.1Host: docs.customrp.xyzConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /_next/static/chunks/b5d5b83b-50e242a0019abc1b.js HTTP/1.1Host: docs.customrp.xyzConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /_next/static/chunks/9658-f6b5423552e90c65.js HTTP/1.1Host: docs.customrp.xyzConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /_next/static/chunks/7235-f53aca4aaa75d87a.js HTTP/1.1Host: docs.customrp.xyzConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://docs.customrp.xyz/setting-upAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /_next/static/chunks/3692-21fb69fe908f900d.js HTTP/1.1Host: docs.customrp.xyzConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://docs.customrp.xyz/setting-upAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /_next/static/chunks/9894-269c203cc6669c21.js HTTP/1.1Host: docs.customrp.xyzConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://docs.customrp.xyz/setting-upAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /_next/static/chunks/64-3b527308c4d47fe5.js HTTP/1.1Host: docs.customrp.xyzConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://docs.customrp.xyz/setting-upAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /_next/static/chunks/8041-39d7cacda46bd1fd.js HTTP/1.1Host: docs.customrp.xyzConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /_next/static/chunks/app/(space)/(content)/%5B%5B...pathname%5D%5D/page-ec571d2756d4b9b5.js HTTP/1.1Host: docs.customrp.xyzConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://docs.customrp.xyz/setting-upAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /_next/static/chunks/app/(space)/layout-4f711d9c51dccb47.js HTTP/1.1Host: docs.customrp.xyzConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /_next/static/chunks/app/(space)/error-0586e6623f4790f0.js HTTP/1.1Host: docs.customrp.xyzConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /_next/static/chunks/8390-95889667ae2a0528.js HTTP/1.1Host: docs.customrp.xyzConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /_next/static/chunks/132-510ddc716fcc679e.js HTTP/1.1Host: docs.customrp.xyzConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /?_rsc=11g49 HTTP/1.1Host: docs.customrp.xyzConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Next-Router-State-Tree: %5B%22%22%2C%7B%22children%22%3A%5B%22(space)%22%2C%7B%22children%22%3A%5B%22(content)%22%2C%7B%22children%22%3A%5B%5B%22pathname%22%2C%22setting-up%22%2C%22oc%22%5D%2C%7B%22children%22%3A%5B%22__PAGE__%3F%7B%5C%22pathname%5C%22%3A%5B%5C%22setting-up%5C%22%5D%7D%22%2C%7B%7D%5D%7D%5D%7D%5D%7D%2Cnull%2Cnull%2Ctrue%5D%7D%5DNext-Router-Prefetch: 1sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Next-Url: /setting-upRSC: 1sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: same-originSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: https://docs.customrp.xyz/setting-upAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /maximmax42/Discord-CustomRP/releases/download/1.17.26/CustomRP.1.17.26.exe HTTP/1.1Host: github.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /setting-up?_rsc=11g49 HTTP/1.1Host: docs.customrp.xyzConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Next-Router-State-Tree: %5B%22%22%2C%7B%22children%22%3A%5B%22(space)%22%2C%7B%22children%22%3A%5B%22(content)%22%2C%7B%22children%22%3A%5B%5B%22pathname%22%2C%22setting-up%22%2C%22oc%22%5D%2C%7B%22children%22%3A%5B%22__PAGE__%3F%7B%5C%22pathname%5C%22%3A%5B%5C%22setting-up%5C%22%5D%7D%22%2C%7B%7D%5D%7D%5D%7D%5D%7D%2Cnull%2Cnull%2Ctrue%5D%7D%5DNext-Router-Prefetch: 1sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Next-Url: /setting-upRSC: 1sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: same-originSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: https://docs.customrp.xyz/setting-upAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /faq?_rsc=11g49 HTTP/1.1Host: docs.customrp.xyzConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Next-Router-State-Tree: %5B%22%22%2C%7B%22children%22%3A%5B%22(space)%22%2C%7B%22children%22%3A%5B%22(content)%22%2C%7B%22children%22%3A%5B%5B%22pathname%22%2C%22setting-up%22%2C%22oc%22%5D%2C%7B%22children%22%3A%5B%22__PAGE__%3F%7B%5C%22pathname%5C%22%3A%5B%5C%22setting-up%5C%22%5D%7D%22%2C%7B%7D%5D%7D%5D%7D%5D%7D%2Cnull%2Cnull%2Ctrue%5D%7D%5DNext-Router-Prefetch: 1sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Next-Url: /setting-upRSC: 1sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: same-originSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: https://docs.customrp.xyz/setting-upAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /_next/static/chunks/339-d1fe13e12cfd6d9a.js HTTP/1.1Host: docs.customrp.xyzConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /~gitbook/image?url=https%3A%2F%2Fuser-images.githubusercontent.com%2F2225711%2F161050202-c796103d-6712-401e-be96-3f3712512375.png&width=768&dpr=1&quality=100&sign=1d31e0c1&sv=1 HTTP/1.1Host: docs.customrp.xyzConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://docs.customrp.xyz/setting-upAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /_next/static/chunks/app/(space)/(content)/layout-e9465a8d877efffb.js HTTP/1.1Host: docs.customrp.xyzConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /_next/static/chunks/5810-30abd17002efe9e2.js HTTP/1.1Host: docs.customrp.xyzConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /~gitbook/image?url=https%3A%2F%2Fuser-images.githubusercontent.com%2F2225711%2F161050341-8169af53-5d3f-44d6-b745-cc711e8d1476.png&width=768&dpr=1&quality=100&sign=eff0ff8&sv=1 HTTP/1.1Host: docs.customrp.xyzConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://docs.customrp.xyz/setting-upAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /~gitbook/image?url=https%3A%2F%2Fgithub.com%2Fmaximmax42%2FCustomRP-Docs%2Fassets%2F2225711%2Fa1b8cb1e-7f88-4061-b297-2691523718a5&width=768&dpr=4&quality=100&sign=1352a698&sv=1 HTTP/1.1Host: docs.customrp.xyzConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://docs.customrp.xyz/setting-upAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /_next/static/chunks/app/(space)/(content)/%5B%5B...pathname%5D%5D/loading-dce89470a41df777.js HTTP/1.1Host: docs.customrp.xyzConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /_next/static/chunks/7235-f53aca4aaa75d87a.js HTTP/1.1Host: docs.customrp.xyzConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /__session?proposed=c7fb3030-4991-43e6-a825-1b67f742be0cR HTTP/1.1Host: app.gitbook.comConnection: keep-aliveCache-Control: max-age=0sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Origin: https://docs.customrp.xyzSec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: https://docs.customrp.xyz/setting-upAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /_next/static/chunks/3692-21fb69fe908f900d.js HTTP/1.1Host: docs.customrp.xyzConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /github-production-release-asset-2e65be/158286982/4e44c323-1ab5-4a78-8eac-2af3792e6492?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=releaseassetproduction%2F20240725%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20240725T174543Z&X-Amz-Expires=300&X-Amz-Signature=2b8c79c3814c9ddb3cea189dda427c0b109df098f19b5b63fe34e9d54974f545&X-Amz-SignedHeaders=host&actor_id=0&key_id=0&repo_id=158286982&response-content-disposition=attachment%3B%20filename%3DCustomRP.1.17.26.exe&response-content-type=application%2Foctet-stream HTTP/1.1Host: objects.githubusercontent.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /~gitbook/image?url=https%3A%2F%2Fuser-images.githubusercontent.com%2F2225711%2F161050202-c796103d-6712-401e-be96-3f3712512375.png&width=768&dpr=4&quality=100&sign=1d31e0c1&sv=1 HTTP/1.1Host: docs.customrp.xyzConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://docs.customrp.xyz/setting-upAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /~gitbook/image?url=https%3A%2F%2Fuser-images.githubusercontent.com%2F2225711%2F161050341-8169af53-5d3f-44d6-b745-cc711e8d1476.png&width=768&dpr=4&quality=100&sign=eff0ff8&sv=1 HTTP/1.1Host: docs.customrp.xyzConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://docs.customrp.xyz/setting-upAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /_next/static/chunks/9894-269c203cc6669c21.js HTTP/1.1Host: docs.customrp.xyzConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /_next/static/chunks/64-3b527308c4d47fe5.js HTTP/1.1Host: docs.customrp.xyzConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /_next/static/chunks/app/(space)/(content)/%5B%5B...pathname%5D%5D/page-ec571d2756d4b9b5.js HTTP/1.1Host: docs.customrp.xyzConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /~/files/v0/b/gitbook-x-prod.appspot.com/o/collections%2Fb7ivX6BQQxRccY1orTyN%2Ficon%2FnkaA7BNDEwNuDrY1Bu5Z%2Flogo.png?alt=media&token=8a0a99e6-b7f7-4e7b-9a7d-ec4200fc5dbe HTTP/1.1Host: 3448418481-files.gitbook.ioConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://docs.customrp.xyz/setting-upAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /setting-up?_rsc=11g49 HTTP/1.1Host: docs.customrp.xyzConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /~gitbook/image?url=https%3A%2F%2Fuser-images.githubusercontent.com%2F2225711%2F161050202-c796103d-6712-401e-be96-3f3712512375.png&width=768&dpr=1&quality=100&sign=1d31e0c1&sv=1 HTTP/1.1Host: docs.customrp.xyzConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /faq?_rsc=11g49 HTTP/1.1Host: docs.customrp.xyzConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /__session?proposed=c7fb3030-4991-43e6-a825-1b67f742be0cR HTTP/1.1Host: app.gitbook.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: __session=c7fb3030-4991-43e6-a825-1b67f742be0cR
Source: global traffic	HTTP traffic detected: GET /~gitbook/image?url=https%3A%2F%2Fuser-images.githubusercontent.com%2F2225711%2F161050341-8169af53-5d3f-44d6-b745-cc711e8d1476.png&width=768&dpr=1&quality=100&sign=eff0ff8&sv=1 HTTP/1.1Host: docs.customrp.xyzConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /?_rsc=11g49 HTTP/1.1Host: docs.customrp.xyzConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /~gitbook/image?url=https%3A%2F%2Fgithub.com%2Fmaximmax42%2FCustomRP-Docs%2Fassets%2F2225711%2Fa1b8cb1e-7f88-4061-b297-2691523718a5&width=768&dpr=4&quality=100&sign=1352a698&sv=1 HTTP/1.1Host: docs.customrp.xyzConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /~/files/v0/b/gitbook-x-prod.appspot.com/o/collections%2Fb7ivX6BQQxRccY1orTyN%2Ficon%2FnkaA7BNDEwNuDrY1Bu5Z%2Flogo.png?alt=media&token=8a0a99e6-b7f7-4e7b-9a7d-ec4200fc5dbe HTTP/1.1Host: 3448418481-files.gitbook.ioConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /~gitbook/image?url=https%3A%2F%2Fuser-images.githubusercontent.com%2F2225711%2F161050202-c796103d-6712-401e-be96-3f3712512375.png&width=768&dpr=4&quality=100&sign=1d31e0c1&sv=1 HTTP/1.1Host: docs.customrp.xyzConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /~gitbook/image?url=https%3A%2F%2Fuser-images.githubusercontent.com%2F2225711%2F161050341-8169af53-5d3f-44d6-b745-cc711e8d1476.png&width=768&dpr=4&quality=100&sign=eff0ff8&sv=1 HTTP/1.1Host: docs.customrp.xyzConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /repos/maximmax42/Discord-CustomRP/releases HTTP/1.1Accept: application/vnd.github.v3User-Agent: CustomRP (Win32NT 10.0.19045; amd64; en-CH; Octokit.net 11.0.1+4ca8f1cd2c7ab01143e5266ea44aaba39bfae85d)Host: api.github.comAccept-Encoding: gzip, deflateConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /repositories/158286982/releases?page=2 HTTP/1.1Accept: application/vnd.github.v3User-Agent: CustomRP (Win32NT 10.0.19045; amd64; en-CH; Octokit.net 11.0.1+4ca8f1cd2c7ab01143e5266ea44aaba39bfae85d)Host: api.github.comAccept-Encoding: gzip, deflate
Source: global traffic	HTTP traffic detected: GET /repositories/158286982/releases?page=3 HTTP/1.1Accept: application/vnd.github.v3User-Agent: CustomRP (Win32NT 10.0.19045; amd64; en-CH; Octokit.net 11.0.1+4ca8f1cd2c7ab01143e5266ea44aaba39bfae85d)Host: api.github.comAccept-Encoding: gzip, deflate
Source: global traffic	HTTP traffic detected: GET /repositories/158286982/releases?page=4 HTTP/1.1Accept: application/vnd.github.v3User-Agent: CustomRP (Win32NT 10.0.19045; amd64; en-CH; Octokit.net 11.0.1+4ca8f1cd2c7ab01143e5266ea44aaba39bfae85d)Host: api.github.comAccept-Encoding: gzip, deflate
Source: global traffic	HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Source: CustomRP.exe, 0000001A.00000002.1954935503.000000000342E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <a href="https://www.youtube.com/channel/UCVt43CrPLKNjaPs1r5Pcdnw">like button</a>), Thai, Turkish (new translator, Murat_Efendi) and Ukrainian (new translator, Illia).</p> equals www.youtube.com (Youtube)
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.00000000037F3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: * By the way, hello to all of the [No Text To Speech](https://www.youtube.com/channel/UCxaaULLk6UCnRl5VKRc7G0A) subscribers and viewers! equals www.youtube.com (Youtube)
Source: CustomRP.exe, 0000001A.00000002.1954935503.000000000342E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: * Updated Arabic, Estonian, Finnish, Filipino (new translator, [_missingo](https://www.youtube.com/channel/UCxNVq2Esevsdp2v1jGQNu5A)), Romanian, Slovenian (new translator, [like button](https://www.youtube.com/channel/UCVt43CrPLKNjaPs1r5Pcdnw)), Thai, Turk equals www.youtube.com (Youtube)
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: * Updated Arabic, Estonian, Finnish, Filipino (new translator, [_missingo](https://www.youtube.com/channel/UCxNVq2Esevsdp2v1jGQNu5A)), Romanian, Slovenian (new translator, [like button](https://www.youtube.com/channel/UCVt43CrPLKNjaPs1r5Pcdnw)), Thai, Turkish (new translator, Murat_Efendi) and Ukrainian (new translator, Illia). equals www.youtube.com (Youtube)
Source: CustomRP.exe, 0000001A.00000002.1954935503.000000000342E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: * Updated Arabic, Estonian, Finnish, Filipino (new translator, [_missingo](https://www.youtube.com/channel/UCxNVq2Esevsdp2v1jGQNu5A)), Romanian, Slovenian (new translator, [like button](https://www.youtube.com/channel/UCVt43CrPLKNjaPs1r5Pcdnw)), Thai, Turkish (new translator, Murat_Efendi) and Ukrainian (new translator, Illia).LR equals www.youtube.com (Youtube)
Source: CustomRP.exe, 0000001A.00000002.1954935503.000000000342E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: * Updated Arabic, Estonian, Finnish, Filipino (new translator, [_missingo](https://www.youtube.com/channel/UCxNVq2Esevsdp2v1jGQNu5A)), Romanian, Slovenian (new translator, [like button](https://www.youtube.com/channel/UCVt43CrPLKNjaPs1r5Pcdnw)), Thai, Turkish (new translator, Murat_Efendi) and Ukrainian (new translator, Illia).x equals www.youtube.com (Youtube)
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: * Updated Bulgarian, Estonian, Persian, Finnish, Hindi, Italian (new translator, [NEKO](https://www.youtube.com/@ilcanaledineko)), Japanese, Panjabi, Portuguese, Thai (new translator, toonnongaeoy), Chinese. equals www.youtube.com (Youtube)
Source: CustomRP.exe, 0000001A.00000002.1954935503.000000000342E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <p>Updated Arabic, Estonian, Finnish, Filipino (new translator, <a href="https://www.youtube.com/channel/UCxNVq2Esevsdp2v1jGQNu5A">_missingo</a>), Romanian, Slovenian (new translator, <a href="https://www.youtube.com/channel/UCVt43CrPLKNjaPs1r5Pcdnw">like button</a>), Thai, Turkish (new transla equals www.youtube.com (Youtube)
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003444000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <p>Updated Arabic, Estonian, Finnish, Filipino (new translator, <a href="https://www.youtube.com/channel/UCxNVq2Esevsdp2v1jGQNu5A">_missingo</a>), Romanian, Slovenian (new translator, <a href="https://www.youtube.com/channel/UCVt43CrPLKNjaPs1r5Pcdnw">like button</a>), Thai, Turkish (new translator, Murat_Efendi) and Ukrainian (new translator, Illia).</p> equals www.youtube.com (Youtube)
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003427000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <p>Updated Arabic, Estonian, Finnish, Filipino (new translator, <a href="https://www.youtube.com/channel/UCxNVq2Esevsdp2v1jGQNu5A">_missingo</a>), Romanian, Slovenian (new translator, equals www.youtube.com (Youtube)
Source: CustomRP.exe, 0000001A.00000000.1657558451.0000000000AB2000.00000002.00000001.01000000.00000010.sdmp, CustomRP.exe, 0000002A.00000000.2191328539.0000000000E72000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: DJD320NEKOOhttps://www.youtube.com/@ilcanaledinekoFrin equals www.youtube.com (Youtube)
Source: CustomRP.exe, 0000001A.00000000.1657558451.0000000000AB2000.00000002.00000001.01000000.00000010.sdmp, CustomRP.exe, 0000002A.00000000.2191328539.0000000000E72000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: DiDYROqhttps://www.youtube.com/channel/UCjij9nYlEyPl5aVYnJkvx2w equals www.youtube.com (Youtube)
Source: CustomRP.exe, 0000001A.00000000.1657558451.0000000000AB2000.00000002.00000001.01000000.00000010.sdmp, CustomRP.exe, 0000002A.00000000.2191328539.0000000000E72000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: Galaxy6430qhttps://www.youtube.com/channel/UC_cnrLEXfwsZoQxEsM95HXg equals www.youtube.com (Youtube)
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Thanks to [Mykm](https://github.com/yumiruuwu) and [Sojpan](https://twitter.com/Illeg__al) for their donations! If you want to donate as well, check out [CustomRP's website](https://www.customrp.xyz/?donate)! equals www.twitter.com (Twitter)
Source: CustomRP.exe, 0000001A.00000000.1657558451.0000000000AB2000.00000002.00000001.01000000.00000010.sdmp, CustomRP.exe, 0000002A.00000000.2191328539.0000000000E72000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: Ypsolqhttps://www.youtube.com/channel/UCxGqMDnXnEyVt4yugLeBpgA equals www.youtube.com (Youtube)
Source: CustomRP.exe, 0000002A.00000000.2191328539.0000000000E72000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: _missingoqhttps://www.youtube.com/channel/UCxNVq2Esevsdp2v1jGQNu5A equals www.youtube.com (Youtube)
Source: CustomRP.exe, 0000001A.00000000.1657558451.0000000000AB2000.00000002.00000001.01000000.00000010.sdmp, CustomRP.exe, 0000002A.00000000.2191328539.0000000000E72000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: fil!CtrlAltDeliciousWhttps://www.youtube.com/c/CtrlAltDelicious_ equals www.youtube.com (Youtube)
Source: CustomRP.exe, 0000002A.00000000.2191328539.0000000000E72000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: like buttonqhttps://www.youtube.com/channel/UCVt43CrPLKNjaPs1r5Pcdnw equals www.youtube.com (Youtube)
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000002EB1000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003312000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: q'https://www.youtube.com/@ilcanaledineko equals www.youtube.com (Youtube)
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000002EB1000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003312000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: q+https://www.youtube.com/c/CtrlAltDelicious_ equals www.youtube.com (Youtube)
Source: CustomRP.exe, 0000002A.00000002.3776335624.0000000003312000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: q8https://www.youtube.com/channel/UCVt43CrPLKNjaPs1r5Pcdnw equals www.youtube.com (Youtube)
Source: CustomRP.exe, 0000001A.00000002.1954935503.00000000034DF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: q8https://www.youtube.com/channel/UCVt43CrPLKNjaPs1r5Pcdnw f equals www.youtube.com (Youtube)
Source: CustomRP.exe, 0000001A.00000002.1954935503.000000000342E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: q8https://www.youtube.com/channel/UCVt43CrPLKNjaPs1r5Pcdnw`, equals www.youtube.com (Youtube)
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000002EB1000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003312000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: q8https://www.youtube.com/channel/UC_cnrLEXfwsZoQxEsM95HXg equals www.youtube.com (Youtube)
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000002EB1000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003312000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: q8https://www.youtube.com/channel/UCjij9nYlEyPl5aVYnJkvx2w equals www.youtube.com (Youtube)
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000002EB1000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003312000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: q8https://www.youtube.com/channel/UCxGqMDnXnEyVt4yugLeBpgA equals www.youtube.com (Youtube)
Source: CustomRP.exe, 0000002A.00000002.3776335624.0000000003312000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: q8https://www.youtube.com/channel/UCxNVq2Esevsdp2v1jGQNu5A equals www.youtube.com (Youtube)
Source: CustomRP.exe, 0000001A.00000002.1954935503.00000000034DF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: q8https://www.youtube.com/channel/UCxNVq2Esevsdp2v1jGQNu5A f equals www.youtube.com (Youtube)
Source: CustomRP.exe, 0000001A.00000002.1954935503.000000000342E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: q8https://www.youtube.com/channel/UCxNVq2Esevsdp2v1jGQNu5A`, equals www.youtube.com (Youtube)

Source: global traffic	DNS traffic detected: DNS query: ip-api.com
Source: global traffic	DNS traffic detected: DNS query: h2cker.ddns.net
Source: global traffic	DNS traffic detected: DNS query: api.github.com
Source: global traffic	DNS traffic detected: DNS query: in.appcenter.ms
Source: global traffic	DNS traffic detected: DNS query: docs.customrp.xyz
Source: global traffic	DNS traffic detected: DNS query: api.gitbook.com
Source: global traffic	DNS traffic detected: DNS query: www.google.com
Source: global traffic	DNS traffic detected: DNS query: github.com
Source: global traffic	DNS traffic detected: DNS query: app.gitbook.com
Source: global traffic	DNS traffic detected: DNS query: objects.githubusercontent.com
Source: global traffic	DNS traffic detected: DNS query: 3448418481-files.gitbook.io

Source: unknown

Source: LocalwCRkvqzBqW.tmp, 0000000E.00000003.1661520651.00000000057AF000.00000004.00001000.00020000.00000000.sdmp, CustomRP.1.17.26.tmp, 00000027.00000003.2195222115.00000000058B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: LocalwCRkvqzBqW.tmp, 0000000E.00000003.1661520651.00000000057AF000.00000004.00001000.00020000.00000000.sdmp, CustomRP.1.17.26.tmp, 00000027.00000003.2195222115.00000000058B0000.00000004.00001000.00020000.00000000.sdmp, is-N75LE.tmp.14.dr, is-8B8DA.tmp.39.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: LocalwCRkvqzBqW.tmp, 0000000E.00000003.1661520651.00000000057AF000.00000004.00001000.00020000.00000000.sdmp, CustomRP.1.17.26.tmp, 00000027.00000003.2195222115.00000000058B0000.00000004.00001000.00020000.00000000.sdmp, is-N75LE.tmp.14.dr, is-8B8DA.tmp.39.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertCSRSA4096RootG5.crt0E
Source: LocalwCRkvqzBqW.tmp, 0000000E.00000003.1661520651.00000000057AF000.00000004.00001000.00020000.00000000.sdmp, CustomRP.1.17.26.tmp, 00000027.00000003.2195222115.00000000058B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: LocalwCRkvqzBqW.tmp, 0000000E.00000003.1661520651.00000000057AF000.00000004.00001000.00020000.00000000.sdmp, CustomRP.1.17.26.tmp, 00000027.00000003.2195222115.00000000058B0000.00000004.00001000.00020000.00000000.sdmp, is-N75LE.tmp.14.dr, is-8B8DA.tmp.39.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: LocalwCRkvqzBqW.tmp, 0000000E.00000003.1661520651.00000000057AF000.00000004.00001000.00020000.00000000.sdmp, CustomRP.1.17.26.tmp, 00000027.00000003.2195222115.00000000058B0000.00000004.00001000.00020000.00000000.sdmp, is-N75LE.tmp.14.dr, is-8B8DA.tmp.39.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: LocalwCRkvqzBqW.tmp, 0000000E.00000003.1661520651.00000000057AF000.00000004.00001000.00020000.00000000.sdmp, CustomRP.1.17.26.tmp, 00000027.00000003.2195222115.00000000058B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/NETFoundationProjectsCodeSigningCA.crt0
Source: LocalwCRkvqzBqW.tmp, 0000000E.00000003.1661520651.00000000057AF000.00000004.00001000.00020000.00000000.sdmp, CustomRP.1.17.26.tmp, 00000027.00000003.2195222115.00000000058B0000.00000004.00001000.00020000.00000000.sdmp, is-N75LE.tmp.14.dr, is-8B8DA.tmp.39.dr	String found in binary or memory: http://cacerts.digicert.com/NETFoundationProjectsCodeSigningCA2.crt0
Source: LocalwCRkvqzBqW.tmp, 0000000E.00000003.1661520651.00000000057AF000.00000004.00001000.00020000.00000000.sdmp, CustomRP.1.17.26.tmp, 00000027.00000003.2195222115.00000000058B0000.00000004.00001000.00020000.00000000.sdmp, is-N75LE.tmp.14.dr, is-8B8DA.tmp.39.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: LocalwCRkvqzBqW.tmp, 0000000E.00000003.1661520651.00000000057AF000.00000004.00001000.00020000.00000000.sdmp, CustomRP.1.17.26.tmp, 00000027.00000003.2195222115.00000000058B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: LocalwCRkvqzBqW.tmp, 0000000E.00000003.1661520651.00000000057AF000.00000004.00001000.00020000.00000000.sdmp, CustomRP.1.17.26.tmp, 00000027.00000003.2195222115.00000000058B0000.00000004.00001000.00020000.00000000.sdmp, is-N75LE.tmp.14.dr, is-8B8DA.tmp.39.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertCSRSA4096RootG5.crl0
Source: LocalwCRkvqzBqW.tmp, 0000000E.00000003.1661520651.00000000057AF000.00000004.00001000.00020000.00000000.sdmp, CustomRP.1.17.26.tmp, 00000027.00000003.2195222115.00000000058B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0=
Source: LocalwCRkvqzBqW.tmp, 0000000E.00000003.1661520651.00000000057AF000.00000004.00001000.00020000.00000000.sdmp, CustomRP.1.17.26.tmp, 00000027.00000003.2195222115.00000000058B0000.00000004.00001000.00020000.00000000.sdmp, is-N75LE.tmp.14.dr, is-8B8DA.tmp.39.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: LocalwCRkvqzBqW.tmp, 0000000E.00000003.1661520651.00000000057AF000.00000004.00001000.00020000.00000000.sdmp, CustomRP.1.17.26.tmp, 00000027.00000003.2195222115.00000000058B0000.00000004.00001000.00020000.00000000.sdmp, is-N75LE.tmp.14.dr, is-8B8DA.tmp.39.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: LocalwCRkvqzBqW.tmp, 0000000E.00000003.1661520651.00000000057AF000.00000004.00001000.00020000.00000000.sdmp, CustomRP.1.17.26.tmp, 00000027.00000003.2195222115.00000000058B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/NETFoundationProjectsCodeSigningCA.crl0E
Source: LocalwCRkvqzBqW.tmp, 0000000E.00000003.1661520651.00000000057AF000.00000004.00001000.00020000.00000000.sdmp, CustomRP.1.17.26.tmp, 00000027.00000003.2195222115.00000000058B0000.00000004.00001000.00020000.00000000.sdmp, is-N75LE.tmp.14.dr, is-8B8DA.tmp.39.dr	String found in binary or memory: http://crl3.digicert.com/NETFoundationProjectsCodeSigningCA2.crl0F
Source: LocalwCRkvqzBqW.tmp, 0000000E.00000003.1661520651.00000000057AF000.00000004.00001000.00020000.00000000.sdmp, CustomRP.1.17.26.tmp, 00000027.00000003.2195222115.00000000058B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: LocalwCRkvqzBqW.tmp, 0000000E.00000003.1661520651.00000000057AF000.00000004.00001000.00020000.00000000.sdmp, CustomRP.1.17.26.tmp, 00000027.00000003.2195222115.00000000058B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: LocalwCRkvqzBqW.tmp, 0000000E.00000003.1661520651.00000000057AF000.00000004.00001000.00020000.00000000.sdmp, CustomRP.1.17.26.tmp, 00000027.00000003.2195222115.00000000058B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/NETFoundationProjectsCodeSigningCA.crl0L
Source: LocalwCRkvqzBqW.tmp, 0000000E.00000003.1661520651.00000000057AF000.00000004.00001000.00020000.00000000.sdmp, CustomRP.1.17.26.tmp, 00000027.00000003.2195222115.00000000058B0000.00000004.00001000.00020000.00000000.sdmp, is-N75LE.tmp.14.dr, is-8B8DA.tmp.39.dr	String found in binary or memory: http://crl4.digicert.com/NETFoundationProjectsCodeSigningCA2.crl0=
Source: LocalwCRkvqzBqW.tmp, 0000000E.00000003.1661520651.00000000057AF000.00000004.00001000.00020000.00000000.sdmp, CustomRP.1.17.26.tmp, 00000027.00000003.2195222115.00000000058B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: LocalwCRkvqzBqW.tmp, 0000000E.00000003.1661520651.00000000057AF000.00000004.00001000.00020000.00000000.sdmp, CustomRP.exe, CustomRP.exe, 0000001A.00000002.2039306519.000000000CE92000.00000002.00000001.01000000.00000025.sdmp, CustomRP.1.17.26.tmp, 00000027.00000003.2195222115.00000000058B0000.00000004.00001000.00020000.00000000.sdmp, is-8ECJB.tmp.39.dr	String found in binary or memory: http://gdata.youtube.com/feeds/api/videos/
Source: CustomRP.exe, 0000001A.00000002.1954935503.00000000034DF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://github.com
Source: CustomRP.exe, 0000001A.00000002.1954935503.00000000034DF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://github.comd
Source: LocalylmNBbjoFA.exe, 00000004.00000002.1293177261.0000000002EE1000.00000004.00000800.00020000.00000000.sdmp, Local_wGRdnhmmy.exe, 00000008.00000000.1281627960.00000000003C2000.00000002.00000001.01000000.00000008.sdmp, Local_wGRdnhmmy.exe, 00000008.00000002.3771976186.00000000025E1000.00000004.00000800.00020000.00000000.sdmp, LisectAVT_2403002A_473.exe	String found in binary or memory: http://ip-api.com/line/?fields=hosting
Source: CustomRP.exe, 0000001A.00000002.2000036377.00000000060C2000.00000002.00000001.01000000.00000015.sdmp, CustomRP.1.17.26.tmp, 00000027.00000003.2195222115.00000000058B0000.00000004.00001000.00020000.00000000.sdmp, is-N75LE.tmp.14.dr, is-8B8DA.tmp.39.dr	String found in binary or memory: http://james.newtonking.com/projects/json
Source: CustomRP.exe, 0000001A.00000002.1954935503.00000000034DF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://objects.githubusercontent.com
Source: CustomRP.exe, 0000001A.00000002.1954935503.00000000034DF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://objects.githubusercontent.comd
Source: LocalwCRkvqzBqW.tmp, 0000000E.00000003.1661520651.00000000057AF000.00000004.00001000.00020000.00000000.sdmp, CustomRP.1.17.26.tmp, 00000027.00000003.2195222115.00000000058B0000.00000004.00001000.00020000.00000000.sdmp, is-N75LE.tmp.14.dr, is-8B8DA.tmp.39.dr	String found in binary or memory: http://ocsp.digicert.com0A
Source: LocalwCRkvqzBqW.tmp, 0000000E.00000003.1661520651.00000000057AF000.00000004.00001000.00020000.00000000.sdmp, CustomRP.1.17.26.tmp, 00000027.00000003.2195222115.00000000058B0000.00000004.00001000.00020000.00000000.sdmp, is-N75LE.tmp.14.dr, is-8B8DA.tmp.39.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: LocalwCRkvqzBqW.tmp, 0000000E.00000003.1661520651.00000000057AF000.00000004.00001000.00020000.00000000.sdmp, CustomRP.1.17.26.tmp, 00000027.00000003.2195222115.00000000058B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0K
Source: LocalwCRkvqzBqW.tmp, 0000000E.00000003.1661520651.00000000057AF000.00000004.00001000.00020000.00000000.sdmp, CustomRP.1.17.26.tmp, 00000027.00000003.2195222115.00000000058B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0N
Source: LocalwCRkvqzBqW.tmp, 0000000E.00000003.1661520651.00000000057AF000.00000004.00001000.00020000.00000000.sdmp, CustomRP.1.17.26.tmp, 00000027.00000003.2195222115.00000000058B0000.00000004.00001000.00020000.00000000.sdmp, is-N75LE.tmp.14.dr, is-8B8DA.tmp.39.dr	String found in binary or memory: http://ocsp.digicert.com0O
Source: LocalwCRkvqzBqW.tmp, 0000000E.00000003.1661520651.00000000057AF000.00000004.00001000.00020000.00000000.sdmp, CustomRP.1.17.26.tmp, 00000027.00000003.2195222115.00000000058B0000.00000004.00001000.00020000.00000000.sdmp, is-N75LE.tmp.14.dr, is-8B8DA.tmp.39.dr	String found in binary or memory: http://ocsp.digicert.com0X
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000002EB1000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000000.1657558451.0000000000AB2000.00000002.00000001.01000000.00000010.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003312000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000000.2191328539.0000000000E72000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: http://rentry.org/infer
Source: Local_wGRdnhmmy.exe, 00000008.00000002.3771976186.00000000025E1000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000002.1954935503.0000000002EB1000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003312000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: LocalwCRkvqzBqW.tmp, 0000000E.00000003.1661520651.00000000057AF000.00000004.00001000.00020000.00000000.sdmp, CustomRP.exe, CustomRP.exe, 0000001A.00000002.2039306519.000000000CE92000.00000002.00000001.01000000.00000025.sdmp, CustomRP.1.17.26.tmp, 00000027.00000003.2195222115.00000000058B0000.00000004.00001000.00020000.00000000.sdmp, is-8ECJB.tmp.39.dr	String found in binary or memory: http://vimeo.com/api/v2/video/
Source: LocalwCRkvqzBqW.exe, 00000009.00000003.1286666525.00000000025A0000.00000004.00001000.00020000.00000000.sdmp, LocalwCRkvqzBqW.exe, 00000009.00000003.1687422302.000000000285D000.00000004.00001000.00020000.00000000.sdmp, LocalwCRkvqzBqW.tmp, 0000000E.00000003.1678955414.000000000379E000.00000004.00001000.00020000.00000000.sdmp, LocalwCRkvqzBqW.tmp, 0000000E.00000003.1316837154.0000000003530000.00000004.00001000.00020000.00000000.sdmp, CustomRP.1.17.26.exe, 00000026.00000003.2249734653.000000000287E000.00000004.00001000.00020000.00000000.sdmp, CustomRP.1.17.26.exe, 00000026.00000003.1943467551.0000000002626000.00000004.00001000.00020000.00000000.sdmp, CustomRP.1.17.26.tmp, 00000027.00000003.1954685395.0000000003610000.00000004.00001000.00020000.00000000.sdmp, CustomRP.1.17.26.tmp, 00000027.00000003.2220344770.00000000038B5000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.bernamegeh.net%1
Source: LocalwCRkvqzBqW.tmp, 0000000E.00000003.1661520651.00000000057AF000.00000004.00001000.00020000.00000000.sdmp, CustomRP.1.17.26.tmp, 00000027.00000003.2195222115.00000000058B0000.00000004.00001000.00020000.00000000.sdmp, is-N75LE.tmp.14.dr, is-8B8DA.tmp.39.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: LocalwCRkvqzBqW.exe, 00000009.00000003.1286666525.00000000025A0000.00000004.00001000.00020000.00000000.sdmp, LocalwCRkvqzBqW.exe, 00000009.00000003.1687422302.000000000285D000.00000004.00001000.00020000.00000000.sdmp, LocalwCRkvqzBqW.tmp, 0000000E.00000003.1678955414.000000000379E000.00000004.00001000.00020000.00000000.sdmp, LocalwCRkvqzBqW.tmp, 0000000E.00000003.1316837154.0000000003530000.00000004.00001000.00020000.00000000.sdmp, CustomRP.1.17.26.exe, 00000026.00000003.1943467551.000000000266A000.00000004.00001000.00020000.00000000.sdmp, CustomRP.1.17.26.tmp, 00000027.00000003.1954685395.0000000003610000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.dk-soft.org/
Source: LocalwCRkvqzBqW.exe, 00000009.00000003.1286666525.00000000025A0000.00000004.00001000.00020000.00000000.sdmp, LocalwCRkvqzBqW.exe, 00000009.00000003.1689132652.0000000002220000.00000004.00001000.00020000.00000000.sdmp, LocalwCRkvqzBqW.tmp, 0000000E.00000003.1678955414.000000000379E000.00000004.00001000.00020000.00000000.sdmp, LocalwCRkvqzBqW.tmp, 0000000E.00000003.1316837154.0000000003530000.00000004.00001000.00020000.00000000.sdmp, CustomRP.1.17.26.exe, 00000026.00000003.1943467551.0000000002580000.00000004.00001000.00020000.00000000.sdmp, CustomRP.1.17.26.tmp, 00000027.00000003.1954685395.0000000003610000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.haysoft.org%1-k
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000002EB1000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000000.1657558451.0000000000AB2000.00000002.00000001.01000000.00000010.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003312000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000000.2191328539.0000000000E72000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: https://4ng3l.com/
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000002EB1000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003312000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com
Source: LocalwCRkvqzBqW.tmp, 0000000E.00000003.1661520651.00000000057AF000.00000004.00001000.00020000.00000000.sdmp, CustomRP.exe, CustomRP.exe, 0000001A.00000002.2011935141.0000000009C32000.00000002.00000001.01000000.0000001D.sdmp, CustomRP.exe, 0000001A.00000002.1954935503.0000000002EB1000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003312000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3833471382.0000000006E82000.00000002.00000001.01000000.0000001D.sdmp	String found in binary or memory: https://api.github.com/
Source: CustomRP.exe, 0000001A.00000002.1954935503.000000000321C000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/m
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/releases/105004829
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/releases/105004829/assets
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/releases/108138526
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/releases/108138526/assets
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/releases/110103989
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/releases/110103989/assets
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/releases/114405601
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/releases/114405601/assets
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/releases/117069059
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/releases/117069059/assets
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/releases/120548332
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/releases/120548332/assets
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/releases/120549358
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/releases/120549358/assets
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/releases/125125712
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/releases/125125712/assets
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/releases/129056474
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/releases/129056474/assets
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/releases/130222051
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/releases/130222051/assets
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/releases/133326853
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/releases/133326853/assets
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/releases/136095786
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/releases/136095786/assets
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/releases/139819712
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/releases/139819712/assets
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003882000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.00000000037F3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/releases/14166878
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003882000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.00000000037F3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/releases/14166878/assets
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003882000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/releases/14166878/assetsLR
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003882000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/releases/14166878lB
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/releases/142494604
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/releases/142494604/assets
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/releases/143518737
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/releases/143518737/assets
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/releases/143526226
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/releases/143526226/assets
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/releases/148080647
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/releases/148080647/assets
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/releases/152239004
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/releases/152239004/assets
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/releases/154425515
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/releases/154425515/assets
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/releases/157666663
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/releases/157666663/assets
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/releases/161927593
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/releases/161927593/assets
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3821093463.00000000043AA000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003608000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/releases/164296253
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3821093463.00000000043AA000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003608000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/releases/164296253/assets
Source: CustomRP.exe, 0000001A.00000002.1984088295.0000000003F5A000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/releases/58285537
Source: CustomRP.exe, 0000001A.00000002.1984088295.0000000003F5A000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/releases/58285537/assets
Source: CustomRP.exe, 0000001A.00000002.1954935503.00000000031C5000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000002.1984088295.0000000003F5A000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003604000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/releases/88253436/reactions
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/releases/assets/110203536
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/releases/assets/110203541
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/releases/assets/112261100
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/releases/assets/112261111
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/releases/assets/114590573
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/releases/assets/114590586
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/releases/assets/119318188
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/releases/assets/119318194
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/releases/assets/121475758
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/releases/assets/121475767
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/releases/assets/125388656
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/releases/assets/125388667
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/releases/assets/125391046
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/releases/assets/125391059
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3821093463.00000000043BF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/releases/assets/130700357
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/releases/assets/130700366
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/releases/assets/135177067
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/releases/assets/135177088
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/releases/assets/136382930
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/releases/assets/136382952
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/releases/assets/139951833
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/releases/assets/139951848
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/releases/assets/144228662
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/releases/assets/144228666
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/releases/assets/149770231
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/releases/assets/149770238
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/releases/assets/152240346
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/releases/assets/152240358
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/releases/assets/153460610
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/releases/assets/153460616
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/releases/assets/153475100
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/releases/assets/153478019
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/releases/assets/153478023
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/releases/assets/153478024
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/releases/assets/158351596
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/releases/assets/158521372
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/releases/assets/158521411
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/releases/assets/163576404
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/releases/assets/163576411
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/releases/assets/163576414
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/releases/assets/166298664
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/releases/assets/166298669
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/releases/assets/166298670
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/releases/assets/170377837
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/releases/assets/170377840
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/releases/assets/170377842
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/releases/assets/175494744
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/releases/assets/175494764
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/releases/assets/175494774
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3821093463.00000000043AA000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003608000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/releases/assets/178176044
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3821093463.00000000043AA000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003608000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/releases/assets/178176055
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003608000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/releases/assets/178176067
Source: CustomRP.exe, CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.00000000037F3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/releases/assets/28138380
Source: CustomRP.exe, 0000001A.00000002.1984088295.0000000003F5A000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003788000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/releases/assets/55362191
Source: CustomRP.exe, 0000001A.00000002.1984088295.0000000003F5A000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003788000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/releases/assets/55362192
Source: CustomRP.exe, 0000001A.00000002.1954935503.00000000038BE000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.00000000037F3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/releases/assets/9840178
Source: CustomRP.exe, 0000001A.00000002.1954935503.00000000038BE000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/releases/assets/9840178lB
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003844000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.00000000037F3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/releases/assets/9847888
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003844000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/releases/assets/9847888lB
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000002EB1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/releasesT
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003218000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.00000000037F3000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.00000000035FC000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.000000000363C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/tarball/1.10
Source: CustomRP.exe, 0000001A.00000002.1984088295.0000000003F5A000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003788000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/tarball/1.14.2
Source: CustomRP.exe, 0000001A.00000002.1954935503.00000000031C5000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003604000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/tarball/1.17
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/tarball/1.17.10
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/tarball/1.17.11
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/tarball/1.17.12
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/tarball/1.17.13
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/tarball/1.17.13.1
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/tarball/1.17.14
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/tarball/1.17.15
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/tarball/1.17.16
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/tarball/1.17.17
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/tarball/1.17.18
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/tarball/1.17.19
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/tarball/1.17.20
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/tarball/1.17.20.1
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/tarball/1.17.20.2
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/tarball/1.17.21
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/tarball/1.17.22
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/tarball/1.17.23
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/tarball/1.17.24
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/tarball/1.17.25
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003608000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/tarball/1.17.26
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/tarball/1.17.8
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/tarball/1.17.9
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003214000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000002.1954935503.0000000003410000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.00000000037F3000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003600000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003683000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/tarball/v1.0
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003410000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/tarball/v1.0LR
Source: CustomRP.exe, 0000001A.00000002.1954935503.000000000387A000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.00000000037F3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/tarball/v1.1
Source: CustomRP.exe, 0000001A.00000002.1954935503.000000000387A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/tarball/v1.1LR
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003218000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.00000000037F3000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.00000000035FC000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.000000000363C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/zipball/1.10
Source: CustomRP.exe, 0000001A.00000002.1984088295.0000000003F5A000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003788000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/zipball/1.14.2
Source: CustomRP.exe, 0000001A.00000002.1954935503.000000000321C000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/zipball/1.14.5
Source: CustomRP.exe, 0000001A.00000002.1954935503.00000000031C5000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003604000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/zipball/1.17
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/zipball/1.17.10
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/zipball/1.17.11
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/zipball/1.17.12
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/zipball/1.17.13
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/zipball/1.17.13.1
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/zipball/1.17.14
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/zipball/1.17.15
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/zipball/1.17.16
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/zipball/1.17.17
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/zipball/1.17.18
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/zipball/1.17.19
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/zipball/1.17.20
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/zipball/1.17.20.1
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/zipball/1.17.20.2
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/zipball/1.17.21
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/zipball/1.17.22
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/zipball/1.17.23
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/zipball/1.17.24
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/zipball/1.17.25
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003608000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/zipball/1.17.26
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/zipball/1.17.9
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003214000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000002.1954935503.0000000003410000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.00000000037F3000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003600000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003683000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/zipball/v1.0
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003410000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/zipball/v1.0LR
Source: CustomRP.exe, 0000001A.00000002.1954935503.000000000387A000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.00000000037F3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/zipball/v1.1
Source: CustomRP.exe, 0000001A.00000002.1954935503.000000000387A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/maximmax42/Discord-CustomRP/zipball/v1.1LR
Source: CustomRP.exe, 0000001A.00000002.1954935503.00000000031AE000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003788000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003312000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.00000000037F3000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.000000000363C000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003683000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repositories/158286982/releases?page=1
Source: CustomRP.exe, 0000001A.00000002.1954935503.00000000031AE000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003788000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003312000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.000000000363C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repositories/158286982/releases?page=2
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repositories/158286982/releases?page=2lB
Source: CustomRP.exe, 0000001A.00000002.1954935503.00000000031AE000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.00000000037F3000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003683000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repositories/158286982/releases?page=3
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003788000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003312000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.000000000363C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repositories/158286982/releases?page=4
Source: CustomRP.exe, CustomRP.exe, 0000002A.00000002.3776335624.0000000003788000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/users/maxim
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003214000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/users/maximma&
Source: CustomRP.exe, 0000001A.00000002.1984088295.0000000003F5A000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000002.1954935503.000000000381D000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.00000000038FC000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003B13000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003788000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.00000000039E8000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3821093463.00000000043AA000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003B52000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.00000000037F3000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003A99000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003A5F000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003B8D000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003608000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.000000000396E000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003936000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003AD8000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003A1F000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.00000000039AD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/users/maximmax42
Source: CustomRP.exe, 0000001A.00000002.1954935503.00000000033EF000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000002.1954935503.0000000003218000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003B13000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.00000000038FF000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003788000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3821093463.00000000043AA000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.00000000039EB000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003B52000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3821093463.00000000043BF000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003A24000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.00000000037F3000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003A9C000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003600000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.00000000035FC000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003A5F000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003608000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003936000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003971000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.000000000363C000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003AD8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/users/maximmax42/events
Source: CustomRP.exe, 0000001A.00000002.1984088295.0000000003F5A000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000002.1954935503.000000000381D000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000002.1954935503.00000000033EF000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003B13000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.00000000038FF000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003788000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3821093463.00000000043AA000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.00000000039EB000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003B52000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.00000000037F3000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003A9C000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003600000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003A5F000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003B8D000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003608000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003936000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003971000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003AD8000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003683000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.00000000039B0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/users/maximmax42/followers
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003896000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000002.1954935503.000000000385A000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000002.1954935503.000000000381D000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000002.1954935503.00000000033EF000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003B13000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.00000000038FF000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.00000000039EB000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003B52000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003A24000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003A9C000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003A5F000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003B8D000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003936000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003971000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003AD8000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.00000000039B0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/users/maximmax42/followerslB
Source: CustomRP.exe, 0000001A.00000002.1954935503.00000000033EF000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003B13000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.00000000038FF000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003788000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3821093463.00000000043AA000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.00000000039EB000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003B52000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003A24000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.00000000037F3000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003A9C000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003600000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003A5F000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003B8D000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003608000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003936000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003971000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003AD8000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003683000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.00000000039B0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/users/maximmax42/following
Source: CustomRP.exe, 0000001A.00000002.1954935503.00000000033EF000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000002.1954935503.0000000003218000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003B13000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.00000000038FF000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003788000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3821093463.00000000043AA000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.00000000039EB000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003B52000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003A24000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.00000000037F3000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003A9C000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003600000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.00000000035FC000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003A5F000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003608000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003936000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003971000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.000000000363C000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003AD8000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003683000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/users/maximmax42/gists
Source: CustomRP.exe, 0000001A.00000002.1984088295.0000000003F5A000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000002.1954935503.000000000381D000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000002.1954935503.00000000033EF000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000002.1954935503.0000000003218000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003B13000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.00000000038FF000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003788000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003312000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3821093463.00000000043AA000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.00000000039EB000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003B52000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3821093463.00000000043BF000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003A24000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.00000000037F3000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003A9C000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003600000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.00000000035FC000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003A5F000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003608000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003936000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/users/maximmax42/orgs
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003896000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000002.1954935503.000000000385A000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000002.1954935503.000000000381D000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000002.1954935503.00000000033EF000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003B13000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.00000000038FF000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.00000000039EB000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003B52000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003A24000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003A9C000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003A5F000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003936000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003971000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003AD8000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.00000000039B0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/users/maximmax42/orgsLR
Source: CustomRP.exe, 0000001A.00000002.1984088295.0000000003F5A000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000002.1954935503.000000000381D000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000002.1954935503.00000000033EF000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000002.1954935503.0000000003218000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003B13000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.00000000038FF000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003788000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3821093463.00000000043AA000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.00000000039EB000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003B52000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3821093463.00000000043BF000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003A24000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.00000000037F3000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003A9C000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003600000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.00000000035FC000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003A5F000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003608000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003936000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003971000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/users/maximmax42/received_events
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003896000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000002.1954935503.000000000385A000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000002.1954935503.000000000381D000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000002.1954935503.00000000033EF000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003B13000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.00000000038FF000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.00000000039EB000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003B52000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003A24000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003A9C000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003A5F000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003936000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003971000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003AD8000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.00000000039B0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/users/maximmax42/received_eventsLR
Source: CustomRP.exe, 0000001A.00000002.1984088295.0000000003F5A000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000002.1954935503.000000000381D000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000002.1954935503.00000000033EF000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000002.1954935503.0000000003218000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003B13000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.00000000038FF000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003788000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003312000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3821093463.00000000043AA000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.00000000039EB000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003B52000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3821093463.00000000043BF000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003A24000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.00000000037F3000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003A9C000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003600000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.00000000035FC000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003A5F000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003608000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003936000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/users/maximmax42/repos
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003896000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000002.1954935503.000000000385A000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000002.1954935503.000000000381D000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000002.1954935503.00000000033EF000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003B13000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.00000000038FF000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.00000000039EB000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003B52000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003A24000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003A9C000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003A5F000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003936000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003971000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003AD8000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.00000000039B0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/users/maximmax42/reposLR
Source: CustomRP.exe, 0000001A.00000002.1954935503.00000000033EF000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000002.1954935503.0000000003218000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003B13000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.00000000038FF000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003788000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3821093463.00000000043AA000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.00000000039EB000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003B52000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003A24000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.00000000037F3000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003A9C000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003600000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.00000000035FC000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003A5F000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003608000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003936000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003971000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.000000000363C000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003AD8000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003683000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/users/maximmax42/starred
Source: CustomRP.exe, 0000001A.00000002.1984088295.0000000003F5A000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000002.1954935503.000000000381D000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000002.1954935503.00000000033EF000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000002.1954935503.0000000003218000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003B13000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.00000000038FF000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003788000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3821093463.00000000043AA000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.00000000039EB000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003B52000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3821093463.00000000043BF000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003A24000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.00000000037F3000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003A9C000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003600000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.00000000035FC000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003A5F000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003608000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003936000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003971000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/users/maximmax42/subscriptions
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003896000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000002.1954935503.000000000385A000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000002.1954935503.000000000381D000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000002.1954935503.00000000033EF000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003B13000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.00000000038FF000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.00000000039EB000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003B52000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003A24000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003A9C000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003A5F000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003936000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003971000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003AD8000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.00000000039B0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/users/maximmax42/subscriptionsLR
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003896000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000002.1954935503.0000000003857000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000002.1954935503.00000000033ED000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000002.1954935503.000000000381D000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.00000000038FC000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003B13000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.00000000039E8000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003B52000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003A99000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003A5F000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003B8D000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.000000000396E000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003936000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003AD8000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003A1F000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.00000000039AD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/users/maximmax42LR
Source: CustomRP.exe, 0000001A.00000002.1984088295.0000000003F5A000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000002.1954935503.0000000003892000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003AD4000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003788000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3821093463.00000000043AA000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003B0F000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003A95000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.00000000037F3000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.00000000039E4000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003B4E000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003608000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.00000000038F8000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.000000000396A000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003A1B000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.00000000039A9000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003B89000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003932000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003A5B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://avatars.githubusercontent.com/u/2225711?v=4
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003819000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000002.1954935503.00000000033E8000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000002.1954935503.0000000003853000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000002.1954935503.0000000003892000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003AD4000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003B0F000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003A95000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.00000000039E4000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.00000000038F8000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.000000000396A000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003A1B000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.00000000039A9000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003B89000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003932000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003A5B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://avatars.githubusercontent.com/u/2225711?v=4lB
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000002EB1000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000000.1657558451.0000000000AB2000.00000002.00000001.01000000.00000010.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003312000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000000.2191328539.0000000000E72000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: https://bayusopwan.github.io/
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bio.link/maracesh)
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000002EB1000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000000.1657558451.0000000000AB2000.00000002.00000001.01000000.00000010.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003312000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000000.2191328539.0000000000E72000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: https://boefjim.com/
Source: CustomRP.exe, 0000001A.00000002.1954935503.00000000031C5000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000002.1984088295.0000000003F5A000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003604000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://boosty.to/maximmax42)
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000002EB1000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000000.1657558451.0000000000AB2000.00000002.00000001.01000000.00000010.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003312000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000000.2191328539.0000000000E72000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: https://canel.cloud
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000002EB1000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000000.1657558451.0000000000AB2000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: https://cdn.discordapp.com/attachments/1028632852969033839/1028632881179922522/unknown.png
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000002EB1000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000000.1657558451.0000000000AB2000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: https://cdn.discordapp.com/attachments/1092251869490978816/1092264289215184978/image.png
Source: CustomRP.exe, 0000001A.00000000.1657558451.0000000000AB2000.00000002.00000001.01000000.00000010.sdmp, CustomRP.exe, 0000002A.00000000.2191328539.0000000000E72000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: https://cdn.discordapp.com/embed/avatars/1.png
Source: CustomRP.exe, 0000001A.00000000.1657558451.0000000000AB2000.00000002.00000001.01000000.00000010.sdmp, CustomRP.exe, 0000002A.00000000.2191328539.0000000000E72000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: https://cdn.discordapp.com/embed/avatars/1.pngE
Source: CustomRP.exe, 0000001A.00000000.1657558451.0000000000AB2000.00000002.00000001.01000000.00000010.sdmp, CustomRP.exe, 0000002A.00000000.2191328539.0000000000E72000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: https://cdn.discordapp.com/embed/avatars/4.png
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ci.appveyor.com/project/maximmax42/customrp)
Source: CustomRP.exe, 0000001A.00000002.1954935503.000000000342E000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ci.appveyor.com/project/maximmax42/customrp/builds/49758186)
Source: CustomRP.exe, 0000001A.00000002.1954935503.000000000342E000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ci.appveyor.com/project/maximmax42/customrp/builds/49898001)
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003427000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ci.appveyor.com/project/maximmax42/customrp/builds/50076839)
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003410000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003608000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ci.appveyor.com/project/maximmax42/customrp/builds/50162099)
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000002EB1000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000000.1657558451.0000000000AB2000.00000002.00000001.01000000.00000010.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003312000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000000.2191328539.0000000000E72000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: https://codiaz.com/
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://codiaz.com/))
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000002EB1000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000000.1657558451.0000000000AB2000.00000002.00000001.01000000.00000010.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003312000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000000.2191328539.0000000000E72000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: https://contact.mridungupta.eu.org
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contact.mridungupta.eu.org)).
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000002EB1000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000000.1657558451.0000000000AB2000.00000002.00000001.01000000.00000010.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003312000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000000.2191328539.0000000000E72000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: https://digitarez.space/ref?customrp=default
Source: CustomRP.exe, 0000001A.00000000.1657558451.0000000000AB2000.00000002.00000001.01000000.00000010.sdmp, CustomRP.exe, 0000002A.00000000.2191328539.0000000000E72000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: https://discord.com/developers/applications/
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000002EB1000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000000.1657558451.0000000000AB2000.00000002.00000001.01000000.00000010.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003312000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000000.2191328539.0000000000E72000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: https://discord.gg/36Z4u8Q5uN
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://discord.gg/36Z4u8Q5uN)).
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000002EB1000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000000.1657558451.0000000000AB2000.00000002.00000001.01000000.00000010.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003312000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000000.2191328539.0000000000E72000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: https://discord.gg/Qb8RPjH6sD
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000002EB1000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000000.1657558451.0000000000AB2000.00000002.00000001.01000000.00000010.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003312000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000000.2191328539.0000000000E72000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: https://discord.gg/hqvMaxBAew
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000002EB1000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000000.1657558451.0000000000AB2000.00000002.00000001.01000000.00000010.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003312000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000000.2191328539.0000000000E72000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: https://discord.gg/reformedcityrp
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000002EB1000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000000.1657558451.0000000000AB2000.00000002.00000001.01000000.00000010.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003312000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000000.2191328539.0000000000E72000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: https://discord.gg/zabPuE78ne
Source: CustomRP.exe, 0000001A.00000000.1657558451.0000000000AB2000.00000002.00000001.01000000.00000010.sdmp, CustomRP.exe, 0000002A.00000000.2191328539.0000000000E72000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: https://discordapp.com/api/oauth2/applications/
Source: LisectAVT_2403002A_473.exe, 00000000.00000002.1280963638.0000000002E01000.00000004.00000800.00020000.00000000.sdmp, LisectAVT_2403002A_473.exe, 00000000.00000000.1256648440.000000000084B000.00000002.00000001.01000000.00000003.sdmp, LocalM_d_cKXRrV.exe, 00000003.00000000.1264112585.00000000005C2000.00000002.00000001.01000000.00000006.sdmp	String found in binary or memory: https://dl.dropbox.com/s/p84aaz28t0hepul/Pass.exe?dl=0
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000002EB1000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000000.1657558451.0000000000AB2000.00000002.00000001.01000000.00000010.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003312000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000000.2191328539.0000000000E72000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: https://docs.customrp.xyz/
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000002EB1000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003312000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.customrp.xyz/faq
Source: CustomRP.exe, 0000001A.00000000.1657558451.0000000000AB2000.00000002.00000001.01000000.00000010.sdmp, CustomRP.exe, 0000002A.00000000.2191328539.0000000000E72000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: https://docs.customrp.xyz/faq7gitHubPageToolStripMenuItem
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000002EB1000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000000.1657558451.0000000000AB2000.00000002.00000001.01000000.00000010.sdmp, explorer.exe, 0000001E.00000002.1795554233.0000000002AF8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.1795105757.0000000002B1C000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.1795554233.0000000002B1F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.1795554233.0000000002AF0000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001F.00000002.2386868192.0000000000AF4000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001F.00000003.2385814386.0000000000AFB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001F.00000002.2387643410.0000000000AFC000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001F.00000002.2387643410.0000000000B0F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001F.00000003.2385814386.0000000000B0F000.00000004.00000020.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003312000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000000.2191328539.0000000000E72000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: https://docs.customrp.xyz/setting-up
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000002EB1000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000000.1657558451.0000000000AB2000.00000002.00000001.01000000.00000010.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003312000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000000.2191328539.0000000000E72000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: https://e-z.bio/shelovesrichi
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000002EB1000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000000.1657558451.0000000000AB2000.00000002.00000001.01000000.00000010.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003312000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000000.2191328539.0000000000E72000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: https://fiverr.com/jugandomiguel
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000002EB1000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000000.1657558451.0000000000AB2000.00000002.00000001.01000000.00000010.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003312000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000000.2191328539.0000000000E72000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: https://foolian.com/
Source: LocalwCRkvqzBqW.tmp, 0000000E.00000003.1661520651.00000000057AF000.00000004.00001000.00020000.00000000.sdmp, CustomRP.exe, CustomRP.exe, 0000001A.00000002.2011935141.0000000009C32000.00000002.00000001.01000000.0000001D.sdmp, CustomRP.exe, 0000001A.00000002.1954935503.00000000034DF000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3833471382.0000000006E82000.00000002.00000001.01000000.0000001D.sdmp	String found in binary or memory: https://github.com
Source: CustomRP.exe, CustomRP.exe, 0000001A.00000002.1954935503.0000000002EB1000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003312000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000002EB1000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000000.1657558451.0000000000AB2000.00000002.00000001.01000000.00000010.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003312000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000000.2191328539.0000000000E72000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: https://github.com/BallaBotond
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000002EB1000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000000.1657558451.0000000000AB2000.00000002.00000001.01000000.00000010.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003312000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000000.2191328539.0000000000E72000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: https://github.com/Benny-Kun
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000002EB1000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000000.1657558451.0000000000AB2000.00000002.00000001.01000000.00000010.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003312000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000000.2191328539.0000000000E72000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: https://github.com/EdiRo
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000002EB1000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000000.1657558451.0000000000AB2000.00000002.00000001.01000000.00000010.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003312000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000000.2191328539.0000000000E72000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: https://github.com/Electro7777
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000002EB1000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000000.1657558451.0000000000AB2000.00000002.00000001.01000000.00000010.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003312000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000000.2191328539.0000000000E72000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: https://github.com/Erkkii
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000002EB1000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000000.1657558451.0000000000AB2000.00000002.00000001.01000000.00000010.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003312000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000000.2191328539.0000000000E72000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: https://github.com/FiberAhmed
Source: LocalwCRkvqzBqW.tmp, 0000000E.00000003.1661520651.00000000057AF000.00000004.00001000.00020000.00000000.sdmp, CustomRP.exe, CustomRP.exe, 0000001A.00000002.2000036377.00000000060C2000.00000002.00000001.01000000.00000015.sdmp, CustomRP.1.17.26.tmp, 00000027.00000003.2195222115.00000000058B0000.00000004.00001000.00020000.00000000.sdmp, is-N75LE.tmp.14.dr, is-8B8DA.tmp.39.dr	String found in binary or memory: https://github.com/JamesNK/Newtonsoft.Json
Source: CustomRP.exe, 0000001A.00000002.2033794203.000000000BEF2000.00000002.00000001.01000000.00000023.sdmp, CustomRP.exe, 0000001A.00000002.2034389155.000000000BF18000.00000002.00000001.01000000.00000023.sdmp, CustomRP.1.17.26.tmp, 00000027.00000003.2195222115.0000000005824000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Knagis/CommonMark.NET
Source: LocalwCRkvqzBqW.tmp, 0000000E.00000003.1661520651.0000000005700000.00000004.00001000.00020000.00000000.sdmp, CustomRP.exe, CustomRP.exe, 0000001A.00000002.2033794203.000000000BEF2000.00000002.00000001.01000000.00000023.sdmp	String found in binary or memory: https://github.com/Knagis/CommonMark.NET/
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000002EB1000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000000.1657558451.0000000000AB2000.00000002.00000001.01000000.00000010.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003312000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000000.2191328539.0000000000E72000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: https://github.com/NaaguYT/
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/NaaguYT/)).
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000002EB1000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000000.1657558451.0000000000AB2000.00000002.00000001.01000000.00000010.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003312000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000000.2191328539.0000000000E72000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: https://github.com/REGEX777
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000002EB1000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000000.1657558451.0000000000AB2000.00000002.00000001.01000000.00000010.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003312000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000000.2191328539.0000000000E72000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: https://github.com/S3ntryPositive
Source: LocalwCRkvqzBqW.tmp, 0000000E.00000003.1661520651.00000000057AF000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/dotnet/corefx/tree/30ab651fcb4354552bd4891619a0bdd81e0ebdbf
Source: LocalwCRkvqzBqW.tmp, 0000000E.00000003.1661520651.00000000057AF000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/dotnet/corefx/tree/30ab651fcb4354552bd4891619a0bdd81e0ebdbf8
Source: CustomRP.exe	String found in binary or memory: https://github.com/dotnet/corefx/tree/32b4919
Source: LocalwCRkvqzBqW.tmp, 0000000E.00000003.1661520651.00000000057AF000.00000004.00001000.00020000.00000000.sdmp, CustomRP.exe, CustomRP.exe, 0000001A.00000002.2002226777.00000000063B2000.00000002.00000001.01000000.00000019.sdmp	String found in binary or memory: https://github.com/dotnet/corefx/tree/32b491939fbd125f304031c35038b1e14b4e3958
Source: LocalwCRkvqzBqW.tmp, 0000000E.00000003.1661520651.00000000057AF000.00000004.00001000.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000002.2002226777.00000000063B2000.00000002.00000001.01000000.00000019.sdmp	String found in binary or memory: https://github.com/dotnet/corefx/tree/32b491939fbd125f304031c35038b1e14b4e39588
Source: CustomRP.exe	String found in binary or memory: https://github.com/dotnet/corefx/tree/7601f4f6225089ff
Source: LocalwCRkvqzBqW.tmp, 0000000E.00000003.1661520651.00000000057AF000.00000004.00001000.00020000.00000000.sdmp, is-LTL2H.tmp.14.dr	String found in binary or memory: https://github.com/dotnet/corefx/tree/7601f4f6225089ffb291dc7d58293c7bbf5c5d4f
Source: LocalwCRkvqzBqW.tmp, 0000000E.00000003.1661520651.00000000057AF000.00000004.00001000.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000002.2008020216.0000000009AA2000.00000002.00000001.01000000.0000001B.sdmp, is-LTL2H.tmp.14.dr	String found in binary or memory: https://github.com/dotnet/corefx/tree/7601f4f6225089ffb291dc7d58293c7bbf5c5d4f8
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000002EB1000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000000.1657558451.0000000000AB2000.00000002.00000001.01000000.00000010.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003312000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000000.2191328539.0000000000E72000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: https://github.com/dragonGRaf1312/mycustomrichpresence
Source: LocalwCRkvqzBqW.tmp, 0000000E.00000003.1661520651.00000000057AF000.00000004.00001000.00020000.00000000.sdmp, CustomRP.exe, CustomRP.exe, 0000001A.00000002.2001708037.0000000006342000.00000002.00000001.01000000.00000018.sdmp, CustomRP.exe, 0000001A.00000002.1999866525.00000000060A2000.00000002.00000001.01000000.00000017.sdmp, CustomRP.exe, 0000001A.00000002.1999487049.0000000005A42000.00000002.00000001.01000000.00000016.sdmp, is-90JQC.tmp.14.dr, is-FETK3.tmp.39.dr, is-7ECM7.tmp.39.dr, is-CMKDC.tmp.14.dr	String found in binary or memory: https://github.com/ericsink/SQLitePCL.raw
Source: LocalwCRkvqzBqW.tmp, 0000000E.00000003.1661520651.00000000057AF000.00000004.00001000.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000002.2001708037.0000000006342000.00000002.00000001.01000000.00000018.sdmp, is-7ECM7.tmp.39.dr, is-CMKDC.tmp.14.dr	String found in binary or memory: https://github.com/ericsink/SQLitePCL.rawH
Source: LocalwCRkvqzBqW.tmp, 0000000E.00000003.1661520651.00000000057AF000.00000004.00001000.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000002.1999866525.00000000060A2000.00000002.00000001.01000000.00000017.sdmp, is-FETK3.tmp.39.dr	String found in binary or memory: https://github.com/ericsink/SQLitePCL.rawX
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000002EB1000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000000.1657558451.0000000000AB2000.00000002.00000001.01000000.00000010.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003312000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000000.2191328539.0000000000E72000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: https://github.com/fbrettnich
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000002EB1000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000000.1657558451.0000000000AB2000.00000002.00000001.01000000.00000010.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003312000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000000.2191328539.0000000000E72000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: https://github.com/josephisticated
Source: LocalwCRkvqzBqW.tmp, 0000000E.00000003.1661520651.00000000057AF000.00000004.00001000.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000002.2011935141.0000000009C32000.00000002.00000001.01000000.0000001D.sdmp, CustomRP.exe, 0000002A.00000002.3833471382.0000000006E82000.00000002.00000001.01000000.0000001D.sdmp	String found in binary or memory: https://github.com/kInvalid
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000002EB1000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000000.1657558451.0000000000AB2000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: https://github.com/karimawii
Source: CustomRP.exe, 0000001A.00000002.1984088295.0000000003F5A000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000002.1954935503.000000000381D000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003B13000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003788000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3821093463.00000000043AA000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003B52000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.00000000037F3000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003A5F000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003B8D000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003608000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003936000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003AD8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/maximmax42
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000002EB1000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000000.1657558451.0000000000AB2000.00000002.00000001.01000000.00000010.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003312000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000000.2191328539.0000000000E72000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: https://github.com/maximmax42/Discord-CustomRP
Source: LocalwCRkvqzBqW.exe, 00000009.00000003.1689132652.00000000022DA000.00000004.00001000.00020000.00000000.sdmp, LocalwCRkvqzBqW.tmp, 0000000E.00000003.1681172458.0000000002461000.00000004.00001000.00020000.00000000.sdmp, CustomRP.1.17.26.exe, 00000026.00000003.2257382932.000000000233A000.00000004.00001000.00020000.00000000.sdmp, CustomRP.1.17.26.tmp, 00000027.00000003.2227588928.0000000002411000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/maximmax42/Discord-CustomRP/issues
Source: LocalwCRkvqzBqW.tmp, 0000000E.00000003.1681172458.0000000002461000.00000004.00001000.00020000.00000000.sdmp, CustomRP.1.17.26.tmp, 00000027.00000003.2227588928.0000000002411000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/maximmax42/Discord-CustomRP/releases
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003218000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.00000000037F3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/maximmax42/Discord-CustomRP/releases/download/1.10/CustomRP.1.10.zip
Source: CustomRP.exe, 0000001A.00000002.1984088295.0000000003F5A000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003788000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/maximmax42/Discord-CustomRP/releases/download/1.14.2/CustomRP.1.14.2.exe
Source: CustomRP.exe, 0000001A.00000002.1984088295.0000000003F5A000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003788000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/maximmax42/Discord-CustomRP/releases/download/1.14.2/CustomRP.1.14.2.zip
Source: CustomRP.exe, 0000001A.00000002.1954935503.000000000321C000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/maximmax42/Discord-CustomRP/releases/download/1.14.5/CustomRP.1.14.5.zip
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/maximmax42/Discord-CustomRP/releases/download/1.17.10/CustomRP.1.17.10.exe
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/maximmax42/Discord-CustomRP/releases/download/1.17.10/CustomRP.1.17.10.zip
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/maximmax42/Discord-CustomRP/releases/download/1.17.11/CustomRP.1.17.11.exe
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/maximmax42/Discord-CustomRP/releases/download/1.17.11/CustomRP.1.17.11.zip
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/maximmax42/Discord-CustomRP/releases/download/1.17.12/CustomRP.1.17.12.exe
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/maximmax42/Discord-CustomRP/releases/download/1.17.12/CustomRP.1.17.12.zip
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/maximmax42/Discord-CustomRP/releases/download/1.17.13.1/CustomRP.1.17.13.1.exe
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/maximmax42/Discord-CustomRP/releases/download/1.17.13.1/CustomRP.1.17.13.1.zip
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/maximmax42/Discord-CustomRP/releases/download/1.17.13/CustomRP.1.17.13.exe
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/maximmax42/Discord-CustomRP/releases/download/1.17.13/CustomRP.1.17.13.zip
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/maximmax42/Discord-CustomRP/releases/download/1.17.14/CustomRP.1.17.14.exe
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/maximmax42/Discord-CustomRP/releases/download/1.17.14/CustomRP.1.17.14.zip
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/maximmax42/Discord-CustomRP/releases/download/1.17.15/CustomRP.1.17.15.exe
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/maximmax42/Discord-CustomRP/releases/download/1.17.15/CustomRP.1.17.15.zip
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/maximmax42/Discord-CustomRP/releases/download/1.17.16/CustomRP.1.17.16.exe
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/maximmax42/Discord-CustomRP/releases/download/1.17.16/CustomRP.1.17.16.zip
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/maximmax42/Discord-CustomRP/releases/download/1.17.17/CustomRP.1.17.17.exe
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/maximmax42/Discord-CustomRP/releases/download/1.17.17/CustomRP.1.17.17.zip
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/maximmax42/Discord-CustomRP/releases/download/1.17.18/CustomRP.1.17.18.exe
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/maximmax42/Discord-CustomRP/releases/download/1.17.18/CustomRP.1.17.18.zip
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/maximmax42/Discord-CustomRP/releases/download/1.17.19/CustomRP.1.17.19.exe
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/maximmax42/Discord-CustomRP/releases/download/1.17.19/CustomRP.1.17.19.zip
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/maximmax42/Discord-CustomRP/releases/download/1.17.20.1/CustomRP.1.17.20.1.exe
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/maximmax42/Discord-CustomRP/releases/download/1.17.20.1/CustomRP.1.17.20.1.zip
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/maximmax42/Discord-CustomRP/releases/download/1.17.20.1/CustomRP.Hashes.1.17.20.1
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/maximmax42/Discord-CustomRP/releases/download/1.17.20.2/CustomRP.1.17.20.2.exe
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/maximmax42/Discord-CustomRP/releases/download/1.17.20.2/CustomRP.1.17.20.2.zip
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/maximmax42/Discord-CustomRP/releases/download/1.17.20.2/CustomRP.Hashes.1.17.20.2
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/maximmax42/Discord-CustomRP/releases/download/1.17.20/CustomRP.1.17.20.exe
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/maximmax42/Discord-CustomRP/releases/download/1.17.20/CustomRP.1.17.20.zip
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/maximmax42/Discord-CustomRP/releases/download/1.17.21/CustomRP.1.17.21.exe
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/maximmax42/Discord-CustomRP/releases/download/1.17.21/CustomRP.1.17.21.zip
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/maximmax42/Discord-CustomRP/releases/download/1.17.21/CustomRP.Hashes.1.17.21.txt
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/maximmax42/Discord-CustomRP/releases/download/1.17.22/CustomRP.1.17.22.exe
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/maximmax42/Discord-CustomRP/releases/download/1.17.22/CustomRP.1.17.22.zip
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/maximmax42/Discord-CustomRP/releases/download/1.17.22/CustomRP.Hashes.1.17.22.txt
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/maximmax42/Discord-CustomRP/releases/download/1.17.23/CustomRP.1.17.23.exe
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/maximmax42/Discord-CustomRP/releases/download/1.17.23/CustomRP.1.17.23.zip
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/maximmax42/Discord-CustomRP/releases/download/1.17.23/CustomRP.Hashes.1.17.23.txt
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/maximmax42/Discord-CustomRP/releases/download/1.17.24/CustomRP.1.17.24.exe
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/maximmax42/Discord-CustomRP/releases/download/1.17.24/CustomRP.1.17.24.zip
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/maximmax42/Discord-CustomRP/releases/download/1.17.24/CustomRP.Hashes.1.17.24.txt
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/maximmax42/Discord-CustomRP/releases/download/1.17.25/CustomRP.1.17.25.exe
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/maximmax42/Discord-CustomRP/releases/download/1.17.25/CustomRP.1.17.25.zip
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/maximmax42/Discord-CustomRP/releases/download/1.17.25/CustomRP.Hashes.1.17.25.txt
Source: CustomRP.exe, 0000001A.00000002.1954935503.00000000034DF000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3821093463.00000000043AA000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003608000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/maximmax42/Discord-CustomRP/releases/download/1.17.26/CustomRP.1.17.26.exe
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003608000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/maximmax42/Discord-CustomRP/releases/download/1.17.26/CustomRP.1.17.26.zip
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003608000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/maximmax42/Discord-CustomRP/releases/download/1.17.26/CustomRP.Hashes.1.17.26.txt
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/maximmax42/Discord-CustomRP/releases/download/1.17.8/CustomRP.1.17.8.exe
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/maximmax42/Discord-CustomRP/releases/download/1.17.8/CustomRP.1.17.8.zip
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/maximmax42/Discord-CustomRP/releases/download/1.17.9/CustomRP.1.17.9.exe
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/maximmax42/Discord-CustomRP/releases/download/1.17.9/CustomRP.1.17.9.zip
Source: CustomRP.exe, 0000001A.00000002.1954935503.00000000031C5000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003604000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/maximmax42/Discord-CustomRP/releases/download/1.17/CustomRP.1.17.zip
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003410000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.00000000037F3000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003600000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003683000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/maximmax42/Discord-CustomRP/releases/download/v1.0/CustomRP.1.0.zip
Source: CustomRP.exe, 0000001A.00000002.1954935503.000000000387A000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.00000000037F3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/maximmax42/Discord-CustomRP/releases/download/v1.1/CustomRP.1.1.zip
Source: CustomRP.exe, 0000001A.00000002.1984088295.0000000003F5A000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/maximmax42/Discord-CustomRP/releases/tag/1.14.2
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/maximmax42/Discord-CustomRP/releases/tag/1.17.10
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/maximmax42/Discord-CustomRP/releases/tag/1.17.11
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/maximmax42/Discord-CustomRP/releases/tag/1.17.12
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/maximmax42/Discord-CustomRP/releases/tag/1.17.13
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/maximmax42/Discord-CustomRP/releases/tag/1.17.13.1
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/maximmax42/Discord-CustomRP/releases/tag/1.17.14
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/maximmax42/Discord-CustomRP/releases/tag/1.17.15
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/maximmax42/Discord-CustomRP/releases/tag/1.17.16
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/maximmax42/Discord-CustomRP/releases/tag/1.17.17
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/maximmax42/Discord-CustomRP/releases/tag/1.17.18
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/maximmax42/Discord-CustomRP/releases/tag/1.17.19
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/maximmax42/Discord-CustomRP/releases/tag/1.17.20
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/maximmax42/Discord-CustomRP/releases/tag/1.17.20.1
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/maximmax42/Discord-CustomRP/releases/tag/1.17.20.2
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/maximmax42/Discord-CustomRP/releases/tag/1.17.21
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/maximmax42/Discord-CustomRP/releases/tag/1.17.22
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/maximmax42/Discord-CustomRP/releases/tag/1.17.23
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/maximmax42/Discord-CustomRP/releases/tag/1.17.24
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/maximmax42/Discord-CustomRP/releases/tag/1.17.25
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3821093463.00000000043AA000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003608000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/maximmax42/Discord-CustomRP/releases/tag/1.17.26
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/maximmax42/Discord-CustomRP/releases/tag/1.17.8
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/maximmax42/Discord-CustomRP/releases/tag/1.17.9
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003882000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.00000000037F3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/maximmax42/Discord-CustomRP/releases/tag/v1.0
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003882000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/maximmax42/Discord-CustomRP/releases/tag/v1.0lB
Source: LocalwCRkvqzBqW.exe, 00000009.00000003.1689132652.00000000022DA000.00000004.00001000.00020000.00000000.sdmp, CustomRP.1.17.26.exe, 00000026.00000003.2257382932.000000000233A000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/maximmax42/Discord-CustomRP/releasesa
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003896000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000002.1954935503.000000000385A000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000002.1954935503.000000000381D000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000002.1954935503.00000000033EF000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003B13000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.00000000038FF000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.00000000039EB000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003B52000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003A9C000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003A5F000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003B8D000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003A22000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003936000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003971000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003AD8000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.00000000039B0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/maximmax42LR
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000002EB1000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000000.1657558451.0000000000AB2000.00000002.00000001.01000000.00000010.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003312000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000000.2191328539.0000000000E72000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: https://github.com/mr-Imran
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000002EB1000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000000.1657558451.0000000000AB2000.00000002.00000001.01000000.00000010.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003312000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000000.2191328539.0000000000E72000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: https://github.com/nima-globals/
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/nima-globals/))
Source: LocalwCRkvqzBqW.tmp, 0000000E.00000003.1661520651.00000000057AF000.00000004.00001000.00020000.00000000.sdmp, CustomRP.exe, CustomRP.exe, 0000001A.00000002.2011935141.0000000009C32000.00000002.00000001.01000000.0000001D.sdmp, CustomRP.exe, 0000002A.00000002.3833471382.0000000006E82000.00000002.00000001.01000000.0000001D.sdmp	String found in binary or memory: https://github.com/octokit/octokit.net
Source: LocalwCRkvqzBqW.tmp, 0000000E.00000003.1661520651.00000000057AF000.00000004.00001000.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000002.2011935141.0000000009C32000.00000002.00000001.01000000.0000001D.sdmp, CustomRP.exe, 0000002A.00000002.3833471382.0000000006E82000.00000002.00000001.01000000.0000001D.sdmp	String found in binary or memory: https://github.com/octokit/octokit.net&
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000002EB1000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000000.1657558451.0000000000AB2000.00000002.00000001.01000000.00000010.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003312000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000000.2191328539.0000000000E72000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: https://github.com/yeongaori
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000002EB1000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003312000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/yumiruuwu
Source: CustomRP.exe, 0000001A.00000000.1657558451.0000000000AB2000.00000002.00000001.01000000.00000010.sdmp, CustomRP.exe, 0000002A.00000000.2191328539.0000000000E72000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: https://github.com/yumiruuwu#Nicola
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000002EB1000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003312000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.comd
Source: LocalwCRkvqzBqW.tmp, 0000000E.00000003.1661520651.00000000057AF000.00000004.00001000.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000002.1954935503.0000000003195000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000002.1954935503.0000000002EB1000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 00000023.00000002.1872050699.0000000005A02000.00000002.00000001.01000000.00000013.sdmp, CustomRP.1.17.26.tmp, 00000027.00000003.2195222115.00000000058B0000.00000004.00001000.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003312000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003608000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://in.appcenter.ms
Source: LocalwCRkvqzBqW.tmp, 0000000E.00000003.1661520651.00000000057AF000.00000004.00001000.00020000.00000000.sdmp, CustomRP.exe, 00000023.00000002.1872050699.0000000005A02000.00000002.00000001.01000000.00000013.sdmp, CustomRP.1.17.26.tmp, 00000027.00000003.2195222115.00000000058B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://in.appcenter.ms./logs?api-version=1.0.0
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003195000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003608000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://in.appcenter.ms/logs?api-version=1.0.0
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000002EB1000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000000.1657558451.0000000000AB2000.00000002.00000001.01000000.00000010.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003312000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000000.2191328539.0000000000E72000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: https://isaidpower.dev/
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://isaidpower.dev/))
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003427000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000002.1954935503.0000000003444000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000002.1954935503.00000000034DF000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003312000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000000.2191328539.0000000000E72000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: https://japanesegirl99.muzes.xyz/
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003410000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003608000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://japanesegirl99.muzes.xyz/))
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000002EB1000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000000.1657558451.0000000000AB2000.00000002.00000001.01000000.00000010.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003312000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000000.2191328539.0000000000E72000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: https://jayjake.eu/
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000002EB1000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000000.1657558451.0000000000AB2000.00000002.00000001.01000000.00000010.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003312000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000000.2191328539.0000000000E72000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: https://jesperiz.carrd.co/
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000002EB1000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000000.1657558451.0000000000AB2000.00000002.00000001.01000000.00000010.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003312000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000000.2191328539.0000000000E72000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: https://jme.bio/
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://jme.bio/)
Source: LocalwCRkvqzBqW.exe, 00000009.00000000.1284288118.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, LisectAVT_2403002A_473.exe	String found in binary or memory: https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000002EB1000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000000.1657558451.0000000000AB2000.00000002.00000001.01000000.00000010.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003312000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000000.2191328539.0000000000E72000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: https://julian-idl.codes/
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000002EB1000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000000.1657558451.0000000000AB2000.00000002.00000001.01000000.00000010.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003312000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000000.2191328539.0000000000E72000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: https://ktsgod.carrd.co/
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000002EB1000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000000.1657558451.0000000000AB2000.00000002.00000001.01000000.00000010.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003312000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000000.2191328539.0000000000E72000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: https://leadattic.leadattic953788.repl.co/
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000002EB1000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000000.1657558451.0000000000AB2000.00000002.00000001.01000000.00000010.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003312000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000000.2191328539.0000000000E72000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: https://linktr.ee/404femboy
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000002EB1000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000000.1657558451.0000000000AB2000.00000002.00000001.01000000.00000010.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003312000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000000.2191328539.0000000000E72000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: https://linktr.ee/KahpotVanilla
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003604000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://linktr.ee/dragongraf)
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000002EB1000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000000.1657558451.0000000000AB2000.00000002.00000001.01000000.00000010.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003312000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000000.2191328539.0000000000E72000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: https://linktr.ee/stn69
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000002EB1000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000000.1657558451.0000000000AB2000.00000002.00000001.01000000.00000010.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003312000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000000.2191328539.0000000000E72000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: https://linktr.ee/westxlu
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000002EB1000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000000.1657558451.0000000000AB2000.00000002.00000001.01000000.00000010.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003312000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000000.2191328539.0000000000E72000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: https://marcelgustin.de
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000002EB1000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000000.1657558451.0000000000AB2000.00000002.00000001.01000000.00000010.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003312000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000000.2191328539.0000000000E72000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: https://meap.gg/
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000002EB1000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000000.1657558451.0000000000AB2000.00000002.00000001.01000000.00000010.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003312000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000000.2191328539.0000000000E72000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: https://mo-mahdihh.ir/
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000002EB1000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000000.1657558451.0000000000AB2000.00000002.00000001.01000000.00000010.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003312000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000000.2191328539.0000000000E72000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: https://mrcube.dev/
Source: CustomRP.exe, 0000001A.00000002.1954935503.00000000034DF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://objects.githubusercontent.com
Source: CustomRP.exe, 0000001A.00000002.1954935503.00000000034DF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://objects.githubusercontent.com/github-production-release-asset-2e65be/158286982/4e44c323-1ab5
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000002EB1000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000000.1657558451.0000000000AB2000.00000002.00000001.01000000.00000010.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003312000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000000.2191328539.0000000000E72000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: https://opensea.io/collection/worldtowers
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000002EB1000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000000.1657558451.0000000000AB2000.00000002.00000001.01000000.00000010.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003312000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000000.2191328539.0000000000E72000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: https://owo.yjb.gay/
Source: LocalwCRkvqzBqW.tmp, 0000000E.00000003.1661520651.0000000005700000.00000004.00001000.00020000.00000000.sdmp, CustomRP.exe, CustomRP.exe, 0000001A.00000002.2033794203.000000000BEF2000.00000002.00000001.01000000.00000023.sdmp	String found in binary or memory: https://raw.githubusercontent.com/Knagis/CommonMark.NET/master/LICENSE.md
Source: CustomRP.exe	String found in binary or memory: https://raw.githubusercontent.com/dcurtis/markdown-mark/m
Source: LocalwCRkvqzBqW.tmp, 0000000E.00000003.1661520651.0000000005700000.00000004.00001000.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000002.2033794203.000000000BEF2000.00000002.00000001.01000000.00000023.sdmp	String found in binary or memory: https://raw.githubusercontent.com/dcurtis/markdown-mark/master/png/32x20.png
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000002EB1000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000000.1657558451.0000000000AB2000.00000002.00000001.01000000.00000010.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003312000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000000.2191328539.0000000000E72000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: https://senmn.tech/
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://senmn.tech/)
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000002EB1000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000000.1657558451.0000000000AB2000.00000002.00000001.01000000.00000010.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003312000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000000.2191328539.0000000000E72000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: https://sionteam.com/
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000002EB1000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000000.1657558451.0000000000AB2000.00000002.00000001.01000000.00000010.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003312000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000000.2191328539.0000000000E72000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: https://steamcommunity.com/id/DragonTaki/
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/id/DragonTaki/)).
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000002EB1000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000000.1657558451.0000000000AB2000.00000002.00000001.01000000.00000010.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003312000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000000.2191328539.0000000000E72000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: https://sys-256.me/
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000002EB1000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000000.1657558451.0000000000AB2000.00000002.00000001.01000000.00000010.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003312000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000000.2191328539.0000000000E72000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: https://turashviliguro.github.io/daddyexe/
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000002EB1000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000000.1657558451.0000000000AB2000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: https://twitter.com/Illeg__al
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000002EB1000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000000.1657558451.0000000000AB2000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: https://twitter.com/vvouivre
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://uploads.github.com/repos/maximmax42/Discord-CustomRP/releases/105004829/assets
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://uploads.github.com/repos/maximmax42/Discord-CustomRP/releases/108138526/assets
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://uploads.github.com/repos/maximmax42/Discord-CustomRP/releases/110103989/assets
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://uploads.github.com/repos/maximmax42/Discord-CustomRP/releases/114405601/assets
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://uploads.github.com/repos/maximmax42/Discord-CustomRP/releases/117069059/assets
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://uploads.github.com/repos/maximmax42/Discord-CustomRP/releases/120548332/assets
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://uploads.github.com/repos/maximmax42/Discord-CustomRP/releases/120549358/assets
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://uploads.github.com/repos/maximmax42/Discord-CustomRP/releases/125125712/assets
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://uploads.github.com/repos/maximmax42/Discord-CustomRP/releases/129056474/assets
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://uploads.github.com/repos/maximmax42/Discord-CustomRP/releases/130222051/assets
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://uploads.github.com/repos/maximmax42/Discord-CustomRP/releases/133326853/assets
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://uploads.github.com/repos/maximmax42/Discord-CustomRP/releases/136095786/assets
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://uploads.github.com/repos/maximmax42/Discord-CustomRP/releases/139819712/assets
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003882000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.00000000037F3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://uploads.github.com/repos/maximmax42/Discord-CustomRP/releases/14166878/assets
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://uploads.github.com/repos/maximmax42/Discord-CustomRP/releases/142494604/assets
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://uploads.github.com/repos/maximmax42/Discord-CustomRP/releases/143518737/assets
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://uploads.github.com/repos/maximmax42/Discord-CustomRP/releases/143526226/assets
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://uploads.github.com/repos/maximmax42/Discord-CustomRP/releases/148080647/assets
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://uploads.github.com/repos/maximmax42/Discord-CustomRP/releases/152239004/assets
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://uploads.github.com/repos/maximmax42/Discord-CustomRP/releases/154425515/assets
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://uploads.github.com/repos/maximmax42/Discord-CustomRP/releases/157666663/assets
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://uploads.github.com/repos/maximmax42/Discord-CustomRP/releases/161927593/assets
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3821093463.00000000043AA000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003608000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://uploads.github.com/repos/maximmax42/Discord-CustomRP/releases/164296253/assets
Source: CustomRP.exe, 0000001A.00000002.1984088295.0000000003F5A000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://uploads.github.com/repos/maximmax42/Discord-CustomRP/releases/58285537/assets
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000002EB1000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000000.1657558451.0000000000AB2000.00000002.00000001.01000000.00000010.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003312000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000000.2191328539.0000000000E72000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: https://woomyaisaka.com
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://woomyaisaka.com)
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003427000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.customrp.xyz/?
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003427000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000002.1954935503.0000000003444000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000002.1954935503.00000000034DF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.customrp.xyz/?donate
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003608000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.customrp.xyz/?donate)
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003427000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000002.1954935503.0000000003444000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000002.1954935503.00000000034DF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.customrp.xyz/donations/NearbyFish.png
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003410000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003608000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.customrp.xyz/donations/NearbyFish.png)
Source: LocalwCRkvqzBqW.exe, 00000009.00000003.1286666525.00000000025A0000.00000004.00001000.00020000.00000000.sdmp, CustomRP.1.17.26.exe, 00000026.00000003.1943467551.0000000002580000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.customrp.xyzjhttps://github.com/maximmax42/Discord-CustomRP/issuesnhttps://github.com/ma
Source: LocalwCRkvqzBqW.tmp, 0000000E.00000003.1661520651.00000000057AF000.00000004.00001000.00020000.00000000.sdmp, CustomRP.1.17.26.tmp, 00000027.00000003.2195222115.00000000058B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.digicert.com/CPS0
Source: LocalwCRkvqzBqW.exe, 00000009.00000003.1290338237.00000000025A0000.00000004.00001000.00020000.00000000.sdmp, LocalwCRkvqzBqW.exe, 00000009.00000003.1293081379.000000007FB00000.00000004.00001000.00020000.00000000.sdmp, LocalwCRkvqzBqW.tmp, 0000000E.00000000.1306434984.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, is-OD2S7.tmp.39.dr	String found in binary or memory: https://www.innosetup.com/
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000002EB1000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000000.1657558451.0000000000AB2000.00000002.00000001.01000000.00000010.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003312000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000000.2191328539.0000000000E72000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: https://www.maximmax42.ru
Source: LocalwCRkvqzBqW.tmp, 0000000E.00000003.1661520651.00000000057AF000.00000004.00001000.00020000.00000000.sdmp, CustomRP.1.17.26.tmp, 00000027.00000003.2195222115.00000000058B0000.00000004.00001000.00020000.00000000.sdmp, is-N75LE.tmp.14.dr, is-8B8DA.tmp.39.dr	String found in binary or memory: https://www.newtonsoft.com/json
Source: CustomRP.exe, 0000001A.00000002.2000036377.00000000060C2000.00000002.00000001.01000000.00000015.sdmp, CustomRP.1.17.26.tmp, 00000027.00000003.2195222115.00000000058B0000.00000004.00001000.00020000.00000000.sdmp, is-N75LE.tmp.14.dr, is-8B8DA.tmp.39.dr	String found in binary or memory: https://www.newtonsoft.com/jsonschema
Source: LocalwCRkvqzBqW.tmp, 0000000E.00000003.1661520651.00000000057AF000.00000004.00001000.00020000.00000000.sdmp, CustomRP.exe, CustomRP.exe, 0000001A.00000002.2000036377.00000000060C2000.00000002.00000001.01000000.00000015.sdmp, CustomRP.1.17.26.tmp, 00000027.00000003.2195222115.00000000058B0000.00000004.00001000.00020000.00000000.sdmp, is-N75LE.tmp.14.dr, is-8B8DA.tmp.39.dr	String found in binary or memory: https://www.nuget.org/packages/Newtonsoft.Json.Bson
Source: LocalwCRkvqzBqW.exe, 00000009.00000003.1290338237.00000000025A0000.00000004.00001000.00020000.00000000.sdmp, LocalwCRkvqzBqW.exe, 00000009.00000003.1293081379.000000007FB00000.00000004.00001000.00020000.00000000.sdmp, LocalwCRkvqzBqW.tmp, 0000000E.00000000.1306434984.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, is-OD2S7.tmp.39.dr	String found in binary or memory: https://www.remobjects.com/ps
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000002EB1000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000000.1657558451.0000000000AB2000.00000002.00000001.01000000.00000010.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003312000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000000.2191328539.0000000000E72000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: https://www.roblox.com/users/6757996/profile
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.roblox.com/users/6757996/profile)
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000002EB1000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000000.1657558451.0000000000AB2000.00000002.00000001.01000000.00000010.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003312000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000000.2191328539.0000000000E72000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: https://www.savethekiwi.nz/
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000002EB1000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000000.1657558451.0000000000AB2000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: https://www.twitch.tv/greenrosie
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000002EB1000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000000.1657558451.0000000000AB2000.00000002.00000001.01000000.00000010.sdmp, CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003312000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000000.2191328539.0000000000E72000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: https://www.youtube.com/
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000002EB1000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000000.1657558451.0000000000AB2000.00000002.00000001.01000000.00000010.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003312000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000000.2191328539.0000000000E72000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: https://www.youtube.com/c/CtrlAltDelicious_
Source: CustomRP.exe, 0000001A.00000002.1954935503.000000000342E000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000002.1954935503.0000000003444000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000002.1954935503.00000000034DF000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003312000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000000.2191328539.0000000000E72000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: https://www.youtube.com/channel/UCVt43CrPLKNjaPs1r5Pcdnw
Source: CustomRP.exe, 0000001A.00000002.1954935503.000000000342E000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/channel/UCVt43CrPLKNjaPs1r5Pcdnw))
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000002EB1000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000000.1657558451.0000000000AB2000.00000002.00000001.01000000.00000010.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003312000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000000.2191328539.0000000000E72000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: https://www.youtube.com/channel/UC_cnrLEXfwsZoQxEsM95HXg
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000002EB1000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000000.1657558451.0000000000AB2000.00000002.00000001.01000000.00000010.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003312000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000000.2191328539.0000000000E72000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: https://www.youtube.com/channel/UCjij9nYlEyPl5aVYnJkvx2w
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000002EB1000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000000.1657558451.0000000000AB2000.00000002.00000001.01000000.00000010.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003312000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000000.2191328539.0000000000E72000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: https://www.youtube.com/channel/UCxGqMDnXnEyVt4yugLeBpgA
Source: CustomRP.exe, 0000001A.00000002.1954935503.000000000342E000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000002.1954935503.0000000003444000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000002.1954935503.00000000034DF000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003312000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000000.2191328539.0000000000E72000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: https://www.youtube.com/channel/UCxNVq2Esevsdp2v1jGQNu5A
Source: CustomRP.exe, 0000001A.00000002.1954935503.000000000342E000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/channel/UCxNVq2Esevsdp2v1jGQNu5A))
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003427000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000002.1954935503.0000000003444000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000002.1954935503.00000000034DF000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003312000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://x.com/Nearbyfish1
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000003410000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000002.1954935503.0000000003220000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003608000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://x.com/Nearbyfish1)
Source: CustomRP.exe, 0000001A.00000002.1954935503.0000000002EB1000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000000.1657558451.0000000000AB2000.00000002.00000001.01000000.00000010.sdmp, CustomRP.exe, 0000002A.00000002.3776335624.0000000003312000.00000004.00000800.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000000.2191328539.0000000000E72000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: https://zag.rip

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 49789 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49800 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49766 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49795 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown	Network traffic detected: HTTP traffic on port 49772 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49784 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49806 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown	Network traffic detected: HTTP traffic on port 49777 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown	Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown	Network traffic detected: HTTP traffic on port 49790 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49723
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown	Network traffic detected: HTTP traffic on port 49674 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49760 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49805 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 49765 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49796 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49771 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49701
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49788
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49787
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49786
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49785
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49784
Source: unknown	Network traffic detected: HTTP traffic on port 49813 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49783
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49782
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49781
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49780
Source: unknown	Network traffic detected: HTTP traffic on port 49785 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49807 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49701 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49776 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49791 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49759 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49753 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49779
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49778
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49777
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49776
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49775
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49774
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49773
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49772
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49771
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49770
Source: unknown	Network traffic detected: HTTP traffic on port 49671 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49780 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49802 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49769
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49768
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49767
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49766
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49765
Source: unknown	Network traffic detected: HTTP traffic on port 49758 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49764
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49763
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49760
Source: unknown	Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49764 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49770 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49797 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49801 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49759
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49758
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49757
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49756
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown	Network traffic detected: HTTP traffic on port 49698 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown	Network traffic detected: HTTP traffic on port 49786 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49775 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown	Network traffic detected: HTTP traffic on port 49792 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49672 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49781 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49769 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49803 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49698
Source: unknown	Network traffic detected: HTTP traffic on port 49820 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49763 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49700 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49798 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49787 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49793 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49774 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49782 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49799
Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49798
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49797
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49796
Source: unknown	Network traffic detected: HTTP traffic on port 49677 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49795
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49794
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49793
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49792
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49791
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49790
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49768 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49808 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49789
Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49700
Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49820
Source: unknown	Network traffic detected: HTTP traffic on port 49779 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49762 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49799 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49810 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49815
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49813
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49810
Source: unknown	Network traffic detected: HTTP traffic on port 49788 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49767 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49794 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49809
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49808
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49807
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49806
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49805
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49804
Source: unknown	Network traffic detected: HTTP traffic on port 49773 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49803
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49802
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49801
Source: unknown	Network traffic detected: HTTP traffic on port 49756 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49800
Source: unknown	Network traffic detected: HTTP traffic on port 49783 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49815 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49809 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49778 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49755 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49761 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49804 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49750 -> 443

Source: unknown	HTTPS traffic detected: 40.127.169.103:443 -> 192.168.2.7:49701 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 140.82.121.5:443 -> 192.168.2.7:49710 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.127.169.103:443 -> 192.168.2.7:49735 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 140.82.121.4:443 -> 192.168.2.7:49773 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.199.111.133:443 -> 192.168.2.7:49789 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 140.82.121.5:443 -> 192.168.2.7:49808 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to log keystrokes (.Net Source)

Source: LocalM_d_cKXRrV.exe.0.dr, kl.cs

.Net Code: VKCodeToUnicode

E-Banking Fraud

Yara detected Njrat

Source: Yara match	File source: LisectAVT_2403002A_473.exe, type: SAMPLE
Source: Yara match	File source: 0.2.LisectAVT_2403002A_473.exe.2e3c5c0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.LisectAVT_2403002A_473.exe.84b214.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.LisectAVT_2403002A_473.exe.2e3c5c0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.LisectAVT_2403002A_473.exe.84b214.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.LocalM_d_cKXRrV.exe.5c0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.LisectAVT_2403002A_473.exe.1f0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1280963638.0000000002E01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.1256648440.000000000084B000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.3774758497.0000000002EA1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.1264112585.00000000005C2000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: LisectAVT_2403002A_473.exe PID: 5604, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: LocalM_d_cKXRrV.exe PID: 4932, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: server.exe PID: 7316, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\LocalM_d_cKXRrV.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\server.exe, type: DROPPED

System Summary

Malicious sample detected (through community Yara rule)

Source: LisectAVT_2403002A_473.exe, type: SAMPLE	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: LisectAVT_2403002A_473.exe, type: SAMPLE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: LisectAVT_2403002A_473.exe, type: SAMPLE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: LisectAVT_2403002A_473.exe, type: SAMPLE	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 0.2.LisectAVT_2403002A_473.exe.2e3c5c0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 0.2.LisectAVT_2403002A_473.exe.2e3c5c0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 0.2.LisectAVT_2403002A_473.exe.2e3c5c0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 8.0.Local_wGRdnhmmy.exe.3c0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.0.LisectAVT_2403002A_473.exe.8353e7.2.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 4.2.LocalylmNBbjoFA.exe.2f1c470.1.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.0.LisectAVT_2403002A_473.exe.84b214.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 0.0.LisectAVT_2403002A_473.exe.84b214.1.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 0.0.LisectAVT_2403002A_473.exe.84b214.1.unpack, type: UNPACKEDPE	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 4.0.LocalylmNBbjoFA.exe.8441d8.1.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.0.LisectAVT_2403002A_473.exe.8353e7.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.LisectAVT_2403002A_473.exe.2e3c5c0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 0.2.LisectAVT_2403002A_473.exe.2e3c5c0.1.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 0.2.LisectAVT_2403002A_473.exe.2e3c5c0.1.unpack, type: UNPACKEDPE	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 0.0.LisectAVT_2403002A_473.exe.84b214.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 0.0.LisectAVT_2403002A_473.exe.84b214.1.raw.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 0.0.LisectAVT_2403002A_473.exe.84b214.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 3.0.LocalM_d_cKXRrV.exe.5c0000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 3.0.LocalM_d_cKXRrV.exe.5c0000.0.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 3.0.LocalM_d_cKXRrV.exe.5c0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 4.0.LocalylmNBbjoFA.exe.8441d8.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.LisectAVT_2403002A_473.exe.1344c248.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.LisectAVT_2403002A_473.exe.1344c248.2.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 4.2.LocalylmNBbjoFA.exe.2f1c470.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.0.LisectAVT_2403002A_473.exe.1f0000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 0.0.LisectAVT_2403002A_473.exe.1f0000.0.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 0.0.LisectAVT_2403002A_473.exe.1f0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.0.LisectAVT_2403002A_473.exe.1f0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 4.0.LocalylmNBbjoFA.exe.200000.0.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.0.LisectAVT_2403002A_473.exe.1f220f.3.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000000.00000002.1280963638.0000000002E01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 00000000.00000002.1280963638.0000000002E01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000008.00000000.1281627960.00000000003C2000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000004.00000002.1293177261.0000000002EE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000000.00000000.1256648440.000000000084B000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 00000000.00000000.1256648440.000000000084B000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000003.00000000.1264112585.00000000005C2000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 00000003.00000000.1264112585.00000000005C2000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000004.00000000.1266635863.0000000000215000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000000.00000002.1281399824.0000000012E1D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000000.00000000.1256648440.0000000000206000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe, type: DROPPED	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\Users\user\AppData\LocalM_d_cKXRrV.exe, type: DROPPED	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: C:\Users\user\AppData\LocalM_d_cKXRrV.exe, type: DROPPED	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: C:\Users\user\AppData\LocalM_d_cKXRrV.exe, type: DROPPED	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: C:\Users\user\server.exe, type: DROPPED	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: C:\Users\user\server.exe, type: DROPPED	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: C:\Users\user\server.exe, type: DROPPED	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: C:\Users\user\AppData\Local_wGRdnhmmy.exe, type: DROPPED	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\Users\user\AppData\LocalylmNBbjoFA.exe, type: DROPPED	Matched rule: Detects AsyncRAT Author: ditekSHen

Abnormal high CPU Usage

Source: C:\Users\user\server.exe

Process Stats: CPU usage > 49%

Detected potential crypto function

Source: C:\Users\user\AppData\Local_wGRdnhmmy.exe	Code function: 8_2_00007FFAA9E65C76	8_2_00007FFAA9E65C76
Source: C:\Users\user\AppData\Local_wGRdnhmmy.exe	Code function: 8_2_00007FFAA9E66A22	8_2_00007FFAA9E66A22
Source: C:\Users\user\AppData\Local_wGRdnhmmy.exe	Code function: 8_2_00007FFAA9E68E19	8_2_00007FFAA9E68E19
Source: C:\Users\user\AppData\Local_wGRdnhmmy.exe	Code function: 8_2_00007FFAA9E61609	8_2_00007FFAA9E61609
Source: C:\Users\user\AppData\Local_wGRdnhmmy.exe	Code function: 8_2_00007FFAA9E61F41	8_2_00007FFAA9E61F41
Source: C:\Users\user\AppData\Local_wGRdnhmmy.exe	Code function: 8_2_00007FFAA9E69EAE	8_2_00007FFAA9E69EAE
Source: C:\Users\user\AppData\Local_wGRdnhmmy.exe	Code function: 8_2_00007FFAA9E6444D	8_2_00007FFAA9E6444D
Source: C:\Users\user\AppData\Local_wGRdnhmmy.exe	Code function: 8_2_00007FFAA9E611BD	8_2_00007FFAA9E611BD
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Code function: 22_2_00007FFAA9E50DEE	22_2_00007FFAA9E50DEE
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Code function: 22_2_00007FFAA9E51CA6	22_2_00007FFAA9E51CA6
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Code function: 23_2_00007FFAA9E50DEE	23_2_00007FFAA9E50DEE
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Code function: 23_2_00007FFAA9E51CA6	23_2_00007FFAA9E51CA6
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Code function: 24_2_00007FFAA9E80DEE	24_2_00007FFAA9E80DEE
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Code function: 24_2_00007FFAA9E81CA6	24_2_00007FFAA9E81CA6
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 26_2_060A4799	26_2_060A4799
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 26_2_060A305A	26_2_060A305A
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 26_2_060A317E	26_2_060A317E
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 26_2_060C6998	26_2_060C6998
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 26_2_060C33B9	26_2_060C33B9
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 26_2_060C3276	26_2_060C3276
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 26_2_06342FF5	26_2_06342FF5
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 26_2_063426E8	26_2_063426E8
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 26_2_0634BB59	26_2_0634BB59
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 26_2_06345D0B	26_2_06345D0B
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 26_2_063B5C52	26_2_063B5C52
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 26_2_09AC8238	26_2_09AC8238
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 26_2_0CE233EA	26_2_0CE233EA
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 26_2_0CE2374E	26_2_0CE2374E
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 26_2_0CE26B0C	26_2_0CE26B0C
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 26_2_0CE97762	26_2_0CE97762
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 26_2_0CE9519C	26_2_0CE9519C
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 26_2_0CE97D93	26_2_0CE97D93
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 26_2_6A83DBF0	26_2_6A83DBF0
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 26_2_6A896240	26_2_6A896240
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 26_2_6A7B53A0	26_2_6A7B53A0
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 26_2_6A7FDA30	26_2_6A7FDA30
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 26_2_6A7D3AD0	26_2_6A7D3AD0
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 26_2_6A810A70	26_2_6A810A70
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 26_2_6A806B80	26_2_6A806B80
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 26_2_6A85AB90	26_2_6A85AB90
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 26_2_6A7BBB60	26_2_6A7BBB60
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 26_2_6A814BB0	26_2_6A814BB0
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 26_2_6A7DABE0	26_2_6A7DABE0
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 26_2_6A884B70	26_2_6A884B70
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 26_2_6A860890	26_2_6A860890
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 26_2_6A7ED830	26_2_6A7ED830
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 26_2_6A7EA8E0	26_2_6A7EA8E0
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 26_2_6A80A9A0	26_2_6A80A9A0
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 26_2_6A7D6940	26_2_6A7D6940
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 26_2_6A7F2910	26_2_6A7F2910
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 26_2_6A8A0940	26_2_6A8A0940
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 26_2_6A888950	26_2_6A888950
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 26_2_6A819E80	26_2_6A819E80
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 26_2_6A853EA0	26_2_6A853EA0
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 26_2_6A7E3E30	26_2_6A7E3E30
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 26_2_6A882EE0	26_2_6A882EE0
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 26_2_6A7DEEB0	26_2_6A7DEEB0
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 26_2_6A7B7EA0	26_2_6A7B7EA0
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 26_2_6A82DF80	26_2_6A82DF80
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 26_2_6A821F30	26_2_6A821F30
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 26_2_6A856F30	26_2_6A856F30
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 26_2_6A8AEF35	26_2_6A8AEF35
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 26_2_6A7B1F80	26_2_6A7B1F80
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 26_2_6A7E2C70	26_2_6A7E2C70
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 26_2_6A800CD0	26_2_6A800CD0
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 26_2_6A887CD0	26_2_6A887CD0
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 26_2_6A7ECC10	26_2_6A7ECC10
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 26_2_6A833D80	26_2_6A833D80
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 26_2_6A842D60	26_2_6A842D60
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 26_2_6A8842D0	26_2_6A8842D0
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 26_2_6A7D2210	26_2_6A7D2210
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 26_2_6A8372F0	26_2_6A8372F0
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 26_2_6A802200	26_2_6A802200
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 26_2_6A7FC2D0	26_2_6A7FC2D0
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 26_2_6A7F52C0	26_2_6A7F52C0
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 26_2_6A852250	26_2_6A852250
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 26_2_6A8A6250	26_2_6A8A6250
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 26_2_6A89D3A0	26_2_6A89D3A0
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 26_2_6A80E3C0	26_2_6A80E3C0
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 26_2_6A8413C0	26_2_6A8413C0
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 26_2_6A7F3330	26_2_6A7F3330
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 26_2_6A7C5300	26_2_6A7C5300
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 26_2_6A7EC3B0	26_2_6A7EC3B0
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 26_2_0CE25760	26_2_0CE25760
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 26_2_060C5D9D	26_2_060C5D9D
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 35_2_055F6D5A	35_2_055F6D5A
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Code function: 40_2_00007FFAA9E50DEE	40_2_00007FFAA9E50DEE
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Code function: 40_2_00007FFAA9E51CA6	40_2_00007FFAA9E51CA6
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 42_2_6A4FDBF0	42_2_6A4FDBF0
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 42_2_6A556240	42_2_6A556240
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 42_2_6A4753A0	42_2_6A4753A0
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 42_2_6A4BDA30	42_2_6A4BDA30
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 42_2_6A493AD0	42_2_6A493AD0
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 42_2_6A544B70	42_2_6A544B70
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 42_2_6A47BB60	42_2_6A47BB60
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 42_2_6A49ABE0	42_2_6A49ABE0
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 42_2_6A51AB90	42_2_6A51AB90
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 42_2_6A4C6B80	42_2_6A4C6B80
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 42_2_6A4AD830	42_2_6A4AD830
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 42_2_6A4AA8E0	42_2_6A4AA8E0
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 42_2_6A548950	42_2_6A548950
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 42_2_6A496940	42_2_6A496940
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 42_2_6A560940	42_2_6A560940
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 42_2_6A4B2910	42_2_6A4B2910
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 42_2_6A4CA9A0	42_2_6A4CA9A0
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 42_2_6A4A3E30	42_2_6A4A3E30
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 42_2_6A542EE0	42_2_6A542EE0
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 42_2_6A4D9E80	42_2_6A4D9E80
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 42_2_6A477EA0	42_2_6A477EA0
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 42_2_6A513EA0	42_2_6A513EA0
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 42_2_6A49EEB0	42_2_6A49EEB0
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 42_2_6A516F30	42_2_6A516F30
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 42_2_6A56EF35	42_2_6A56EF35
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 42_2_6A4E1F30	42_2_6A4E1F30
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 42_2_6A471F80	42_2_6A471F80
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 42_2_6A4EDF80	42_2_6A4EDF80
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 42_2_6A4A2C70	42_2_6A4A2C70
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 42_2_6A4ACC10	42_2_6A4ACC10
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 42_2_6A547CD0	42_2_6A547CD0
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 42_2_6A4C0CD0	42_2_6A4C0CD0
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 42_2_6A4F3D80	42_2_6A4F3D80
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 42_2_6A512250	42_2_6A512250
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 42_2_6A566250	42_2_6A566250
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 42_2_6A4C2200	42_2_6A4C2200
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 42_2_6A492210	42_2_6A492210
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 42_2_6A5442D0	42_2_6A5442D0
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 42_2_6A4B52C0	42_2_6A4B52C0
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 42_2_6A4BC2D0	42_2_6A4BC2D0
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 42_2_6A4F72F0	42_2_6A4F72F0
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 42_2_6A485300	42_2_6A485300
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 42_2_6A4CE3C0	42_2_6A4CE3C0
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 42_2_6A5013C0	42_2_6A5013C0
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 42_2_6A55D3A0	42_2_6A55D3A0
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 42_2_6A4AC3B0	42_2_6A4AC3B0
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 42_2_6A481040	42_2_6A481040
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 42_2_6A47F050	42_2_6A47F050
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 42_2_6A48E050	42_2_6A48E050
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 42_2_6A560070	42_2_6A560070
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 42_2_6A4CC090	42_2_6A4CC090
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 42_2_6A516170	42_2_6A516170
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 42_2_6A51C110	42_2_6A51C110
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 42_2_6A5181C0	42_2_6A5181C0
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 42_2_6A510650	42_2_6A510650
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 42_2_6A50C640	42_2_6A50C640
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 42_2_6A4B1670	42_2_6A4B1670
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 42_2_6A4C4720	42_2_6A4C4720
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 42_2_6A4B04E0	42_2_6A4B04E0
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 42_2_6A526580	42_2_6A526580

Found potential string decryption / allocating functions

Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: String function: 6A846580 appears 77 times
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: String function: 6A7C7970 appears 60 times
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: String function: 6A7D0FA0 appears 171 times
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: String function: 6A490FA0 appears 160 times

Sample file is different than original file name gathered from version info

Source: LisectAVT_2403002A_473.exe, 00000000.00000000.1257651766.0000000000856000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamedsdsssss.Scr4 vs LisectAVT_2403002A_473.exe
Source: LisectAVT_2403002A_473.exe	Binary or memory string: OriginalFileName vs LisectAVT_2403002A_473.exe
Source: LisectAVT_2403002A_473.exe	Binary or memory string: OriginalFilenameXClient.exe4 vs LisectAVT_2403002A_473.exe
Source: LisectAVT_2403002A_473.exe	Binary or memory string: OriginalFilenamesdsdsd.Scr4 vs LisectAVT_2403002A_473.exe
Source: LisectAVT_2403002A_473.exe	Binary or memory string: OriginalFilenamedsdsssss.Scr4 vs LisectAVT_2403002A_473.exe

Uses 32bit PE files

Source: LisectAVT_2403002A_473.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Yara signature match

Source: LisectAVT_2403002A_473.exe, type: SAMPLE	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: LisectAVT_2403002A_473.exe, type: SAMPLE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: LisectAVT_2403002A_473.exe, type: SAMPLE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: LisectAVT_2403002A_473.exe, type: SAMPLE	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 0.2.LisectAVT_2403002A_473.exe.2e3c5c0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 0.2.LisectAVT_2403002A_473.exe.2e3c5c0.1.raw.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 0.2.LisectAVT_2403002A_473.exe.2e3c5c0.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 8.0.Local_wGRdnhmmy.exe.3c0000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.0.LisectAVT_2403002A_473.exe.8353e7.2.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 4.2.LocalylmNBbjoFA.exe.2f1c470.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.0.LisectAVT_2403002A_473.exe.84b214.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 0.0.LisectAVT_2403002A_473.exe.84b214.1.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 0.0.LisectAVT_2403002A_473.exe.84b214.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 4.0.LocalylmNBbjoFA.exe.8441d8.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.0.LisectAVT_2403002A_473.exe.8353e7.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.LisectAVT_2403002A_473.exe.2e3c5c0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 0.2.LisectAVT_2403002A_473.exe.2e3c5c0.1.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 0.2.LisectAVT_2403002A_473.exe.2e3c5c0.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 0.0.LisectAVT_2403002A_473.exe.84b214.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 0.0.LisectAVT_2403002A_473.exe.84b214.1.raw.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 0.0.LisectAVT_2403002A_473.exe.84b214.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 3.0.LocalM_d_cKXRrV.exe.5c0000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 3.0.LocalM_d_cKXRrV.exe.5c0000.0.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 3.0.LocalM_d_cKXRrV.exe.5c0000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 4.0.LocalylmNBbjoFA.exe.8441d8.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.LisectAVT_2403002A_473.exe.1344c248.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.LisectAVT_2403002A_473.exe.1344c248.2.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 4.2.LocalylmNBbjoFA.exe.2f1c470.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.0.LisectAVT_2403002A_473.exe.1f0000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 0.0.LisectAVT_2403002A_473.exe.1f0000.0.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 0.0.LisectAVT_2403002A_473.exe.1f0000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.0.LisectAVT_2403002A_473.exe.1f0000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 4.0.LocalylmNBbjoFA.exe.200000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.0.LisectAVT_2403002A_473.exe.1f220f.3.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000002.1280963638.0000000002E01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 00000000.00000002.1280963638.0000000002E01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000008.00000000.1281627960.00000000003C2000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000004.00000002.1293177261.0000000002EE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000000.1256648440.000000000084B000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 00000000.00000000.1256648440.000000000084B000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000003.00000000.1264112585.00000000005C2000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 00000003.00000000.1264112585.00000000005C2000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000004.00000000.1266635863.0000000000215000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000002.1281399824.0000000012E1D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000000.1256648440.0000000000206000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe, type: DROPPED	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: C:\Users\user\AppData\LocalM_d_cKXRrV.exe, type: DROPPED	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: C:\Users\user\AppData\LocalM_d_cKXRrV.exe, type: DROPPED	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: C:\Users\user\AppData\LocalM_d_cKXRrV.exe, type: DROPPED	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: C:\Users\user\server.exe, type: DROPPED	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: C:\Users\user\server.exe, type: DROPPED	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: C:\Users\user\server.exe, type: DROPPED	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: C:\Users\user\AppData\Local_wGRdnhmmy.exe, type: DROPPED	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: C:\Users\user\AppData\LocalylmNBbjoFA.exe, type: DROPPED	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT

Source: 0.0.LisectAVT_2403002A_473.exe.8353e7.2.raw.unpack, maC2rNtx1b5CL8WjrQbnsVoyoeFzRupXiO2bEJRFmnDcFz3f3xmj4wktvQXPtr.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.0.LisectAVT_2403002A_473.exe.8353e7.2.raw.unpack, 7OJWizdBeSlGH7qWtAtRFahk6E6v64SjpzYbrWqJGw9FBYpyMJWB7kDG0qmHYq.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.0.LisectAVT_2403002A_473.exe.8353e7.2.raw.unpack, 7OJWizdBeSlGH7qWtAtRFahk6E6v64SjpzYbrWqJGw9FBYpyMJWB7kDG0qmHYq.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: classification engine

Classification label: mal90.troj.spyw.evad.winEXE@51/412@73/10

Source: C:\Users\user\server.exe	Code function: 16_2_011F145E AdjustTokenPrivileges,		16_2_011F145E
Source: C:\Users\user\server.exe	Code function: 16_2_011F1427 AdjustTokenPrivileges,		16_2_011F1427

Source: C:\Users\user\Desktop\LisectAVT_2403002A_473.exe

File created: C:\Users\user\AppData\LocalM_d_cKXRrV.exe

Jump to behavior

Source: C:\Users\user\server.exe	Mutant created: \Sessions\1\BaseNamedObjects\aeef8aa7871139dda7dc4a2275ef7f4f
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Mutant created: NULL
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Mutant created: \Sessions\1\BaseNamedObjects\CustomRP
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7484:120:WilError_03
Source: C:\Users\user\server.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7360:120:WilError_03
Source: C:\Users\user\AppData\Local_wGRdnhmmy.exe	Mutant created: \Sessions\1\BaseNamedObjects\GK5KyBNuhcePlPdJ

Source: C:\Users\user\AppData\LocalwCRkvqzBqW.exe

File created: C:\Users\user~1\AppData\Local\Temp\is-GPIMV.tmp

Jump to behavior

Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process created: C:\Windows\SysWOW64\explorer.exe
Source: unknown	Process created: C:\Windows\explorer.exe
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process created: C:\Windows\SysWOW64\explorer.exe

Source: LisectAVT_2403002A_473.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\AppData\LocalwCRkvqzBqW.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\LocalwCRkvqzBqW.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\CustomRP.1.17.26.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\CustomRP.1.17.26.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales

Source: LisectAVT_2403002A_473.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.69%

Source: C:\Users\user\Desktop\LisectAVT_2403002A_473.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\LisectAVT_2403002A_473.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization

Jump to behavior

Source: CustomRP.exe, 0000001A.00000002.2046982098.000000006A8BA000.00000002.00000001.01000000.0000001A.sdmp	Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: CustomRP.exe, CustomRP.exe, 0000001A.00000002.2046982098.000000006A8BA000.00000002.00000001.01000000.0000001A.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: CustomRP.exe, CustomRP.exe, 0000002A.00000002.3865639119.000000006A582000.00000002.00000001.01000000.0000001A.sdmp	Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: CustomRP.exe, CustomRP.exe, 0000001A.00000002.2046982098.000000006A8BA000.00000002.00000001.01000000.0000001A.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: CustomRP.exe, CustomRP.exe, 0000001A.00000002.2046982098.000000006A8BA000.00000002.00000001.01000000.0000001A.sdmp	Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: CustomRP.exe, CustomRP.exe, 0000001A.00000002.2046982098.000000006A8BA000.00000002.00000001.01000000.0000001A.sdmp, CustomRP.exe, 0000002A.00000002.3865639119.000000006A582000.00000002.00000001.01000000.0000001A.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: CustomRP.exe, CustomRP.exe, 0000001A.00000002.2046982098.000000006A8BA000.00000002.00000001.01000000.0000001A.sdmp	Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);

Source: CustomRP.exe	String found in binary or memory: user/codespaces/{0}/stop
Source: CustomRP.exe	String found in binary or memory: user/codespaces/{0}/stop
Source: CustomRP.exe	String found in binary or memory: GET$/app/installations/{installation_id}
Source: CustomRP.exe	String found in binary or memory: /app/installations
Source: CustomRP.exe	String found in binary or memory: GET$/user/installation/{id}/repositories
Source: CustomRP.exe	String found in binary or memory: /installation/repositories
Source: CustomRP.exe	String found in binary or memory: /repositories/{id}/installation
Source: CustomRP.exe	String found in binary or memory: /users/{username}/installation
Source: CustomRP.exe	String found in binary or memory: /orgs/{org}/installation
Source: CustomRP.exe	String found in binary or memory: GET"/repos/{owner}/{repo}/installation
Source: CustomRP.exe	String found in binary or memory: GET2/app/installations/{installation_id}/access_tokens
Source: CustomRP.exe	String found in binary or memory: /user/installations
Source: CustomRP.exe	String found in binary or memory: users/{0}/installation
Source: CustomRP.exe	String found in binary or memory: repositories/{0}/installation
Source: CustomRP.exe	String found in binary or memory: orgs/{0}/installation
Source: CustomRP.exe	String found in binary or memory: repos/{0}/{1}/installation
Source: CustomRP.exe	String found in binary or memory: user/installations/{0}/repositories
Source: CustomRP.exe	String found in binary or memory: app/installations
Source: CustomRP.exe	String found in binary or memory: app/installations/{0}/access_tokens
Source: CustomRP.exe	String found in binary or memory: POST&/user/codespaces/{codespace_name}/stop
Source: CustomRP.exe	String found in binary or memory: POST&/user/codespaces/{codespace_name}/stop
Source: CustomRP.exe	String found in binary or memory: user/installations
Source: CustomRP.exe	String found in binary or memory: app/installations/{0}
Source: CustomRP.exe	String found in binary or memory: <!--StartFragment-->
Source: CustomRP.exe	String found in binary or memory: !--StartFragment-->
Source: CustomRP.exe	String found in binary or memory: POST&/user/codespaces/{codespace_name}/stop
Source: CustomRP.exe	String found in binary or memory: POST&/user/codespaces/{codespace_name}/stop
Source: CustomRP.exe	String found in binary or memory: /users/{username}/installation
Source: CustomRP.exe	String found in binary or memory: /repositories/{id}/installation
Source: CustomRP.exe	String found in binary or memory: GET$/app/installations/{installation_id}
Source: CustomRP.exe	String found in binary or memory: /app/installations
Source: CustomRP.exe	String found in binary or memory: GET"/repos/{owner}/{repo}/installation
Source: CustomRP.exe	String found in binary or memory: /orgs/{org}/installation
Source: CustomRP.exe	String found in binary or memory: GET2/app/installations/{installation_id}/access_tokens
Source: CustomRP.exe	String found in binary or memory: /user/installations
Source: CustomRP.exe	String found in binary or memory: GET$/user/installation/{id}/repositories
Source: CustomRP.exe	String found in binary or memory: /installation/repositories
Source: CustomRP.exe	String found in binary or memory: user/codespaces/{0}/stop
Source: CustomRP.exe	String found in binary or memory: user/codespaces/{0}/stop
Source: CustomRP.exe	String found in binary or memory: repos/{0}/{1}/installation
Source: CustomRP.exe	String found in binary or memory: user/installations/{0}/repositories
Source: CustomRP.exe	String found in binary or memory: app/installations
Source: CustomRP.exe	String found in binary or memory: app/installations/{0}/access_tokens
Source: CustomRP.exe	String found in binary or memory: user/installations
Source: CustomRP.exe	String found in binary or memory: app/installations/{0}
Source: CustomRP.exe	String found in binary or memory: users/{0}/installation
Source: CustomRP.exe	String found in binary or memory: orgs/{0}/installation
Source: CustomRP.exe	String found in binary or memory: repositories/{0}/installation
Source: LisectAVT_2403002A_473.exe	String found in binary or memory: /LOADINF="filename"

Source: unknown	Process created: C:\Users\user\Desktop\LisectAVT_2403002A_473.exe "C:\Users\user\Desktop\LisectAVT_2403002A_473.exe"
Source: C:\Users\user\Desktop\LisectAVT_2403002A_473.exe	Process created: C:\Users\user\AppData\LocalM_d_cKXRrV.exe "C:\Users\user\AppData\LocalM_d_cKXRrV.exe"
Source: C:\Users\user\Desktop\LisectAVT_2403002A_473.exe	Process created: C:\Users\user\AppData\LocalylmNBbjoFA.exe "C:\Users\user\AppData\LocalylmNBbjoFA.exe"
Source: C:\Users\user\AppData\LocalylmNBbjoFA.exe	Process created: C:\Users\user\AppData\Local_wGRdnhmmy.exe "C:\Users\user\AppData\Local_wGRdnhmmy.exe"
Source: C:\Users\user\AppData\LocalylmNBbjoFA.exe	Process created: C:\Users\user\AppData\LocalwCRkvqzBqW.exe "C:\Users\user\AppData\LocalwCRkvqzBqW.exe"
Source: C:\Users\user\AppData\LocalwCRkvqzBqW.exe	Process created: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp "C:\Users\user~1\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp" /SL5="$20408,5483573,1081856,C:\Users\user\AppData\LocalwCRkvqzBqW.exe"
Source: C:\Users\user\AppData\LocalM_d_cKXRrV.exe	Process created: C:\Users\user\server.exe "C:\Users\user\server.exe"
Source: C:\Users\user\AppData\Local_wGRdnhmmy.exe	Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Local_wGRdnhmmy" /tr "C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe"
Source: C:\Windows\System32\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\server.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram "C:\Users\user\server.exe" "server.exe" ENABLE
Source: C:\Windows\SysWOW64\netsh.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe "C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe "C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe"
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Process created: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe "C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe"
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process created: C:\Windows\SysWOW64\explorer.exe "C:\Windows\System32\explorer.exe" https://docs.customrp.xyz/setting-up
Source: unknown	Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
Source: C:\Windows\explorer.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://docs.customrp.xyz/setting-up
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2216 --field-trial-handle=1936,i,15522809999631733676,11133617490285214044,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Users\user\AppData\Local_wGRdnhmmy.exe	Process created: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe "C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe"
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process created: C:\Users\user\AppData\Local\Temp\CustomRP.1.17.26.exe "C:\Users\user\AppData\Local\Temp\CustomRP.1.17.26.exe"
Source: C:\Users\user\AppData\Local\Temp\CustomRP.1.17.26.exe	Process created: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp "C:\Users\user~1\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp" /SL5="$404B2,5498303,1081856,C:\Users\user\AppData\Local\Temp\CustomRP.1.17.26.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Process created: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe "C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe
Source: C:\Users\user\Desktop\LisectAVT_2403002A_473.exe	Process created: C:\Users\user\AppData\LocalM_d_cKXRrV.exe "C:\Users\user\AppData\LocalM_d_cKXRrV.exe"	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_473.exe	Process created: C:\Users\user\AppData\LocalylmNBbjoFA.exe "C:\Users\user\AppData\LocalylmNBbjoFA.exe"	Jump to behavior
Source: C:\Users\user\AppData\LocalM_d_cKXRrV.exe	Process created: C:\Users\user\server.exe "C:\Users\user\server.exe"	Jump to behavior
Source: C:\Users\user\AppData\LocalylmNBbjoFA.exe	Process created: C:\Users\user\AppData\Local_wGRdnhmmy.exe "C:\Users\user\AppData\Local_wGRdnhmmy.exe"	Jump to behavior
Source: C:\Users\user\AppData\LocalylmNBbjoFA.exe	Process created: C:\Users\user\AppData\LocalwCRkvqzBqW.exe "C:\Users\user\AppData\LocalwCRkvqzBqW.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local_wGRdnhmmy.exe	Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Local_wGRdnhmmy" /tr "C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe"	Jump to behavior
Source: C:\Users\user\AppData\LocalwCRkvqzBqW.exe	Process created: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp "C:\Users\user~1\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp" /SL5="$20408,5483573,1081856,C:\Users\user\AppData\LocalwCRkvqzBqW.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Process created: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe "C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe"	Jump to behavior
Source: C:\Users\user\server.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram "C:\Users\user\server.exe" "server.exe" ENABLE
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process created: C:\Windows\SysWOW64\explorer.exe "C:\Windows\System32\explorer.exe" https://docs.customrp.xyz/setting-up
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process created: C:\Users\user\AppData\Local\Temp\CustomRP.1.17.26.exe "C:\Users\user\AppData\Local\Temp\CustomRP.1.17.26.exe"
Source: C:\Windows\explorer.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://docs.customrp.xyz/setting-up
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2216 --field-trial-handle=1936,i,15522809999631733676,11133617490285214044,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\CustomRP.1.17.26.exe	Process created: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp "C:\Users\user~1\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp" /SL5="$404B2,5498303,1081856,C:\Users\user\AppData\Local\Temp\CustomRP.1.17.26.exe"
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Process created: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe "C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe"

Source: C:\Users\user\Desktop\LisectAVT_2403002A_473.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_473.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_473.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_473.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_473.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_473.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_473.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_473.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_473.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_473.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_473.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_473.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_473.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_473.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_473.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_473.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_473.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_473.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_473.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_473.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_473.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_473.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_473.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_473.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_473.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\LocalM_d_cKXRrV.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\LocalM_d_cKXRrV.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\LocalM_d_cKXRrV.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\LocalM_d_cKXRrV.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\LocalM_d_cKXRrV.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\LocalM_d_cKXRrV.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\LocalM_d_cKXRrV.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\LocalM_d_cKXRrV.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\LocalM_d_cKXRrV.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\LocalM_d_cKXRrV.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\LocalM_d_cKXRrV.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\LocalM_d_cKXRrV.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\LocalM_d_cKXRrV.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\LocalM_d_cKXRrV.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\LocalM_d_cKXRrV.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\LocalM_d_cKXRrV.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\LocalM_d_cKXRrV.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\LocalM_d_cKXRrV.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\LocalM_d_cKXRrV.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\LocalM_d_cKXRrV.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\LocalM_d_cKXRrV.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\LocalM_d_cKXRrV.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\LocalM_d_cKXRrV.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\LocalM_d_cKXRrV.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\LocalM_d_cKXRrV.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\LocalylmNBbjoFA.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\LocalylmNBbjoFA.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\LocalylmNBbjoFA.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\LocalylmNBbjoFA.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\LocalylmNBbjoFA.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\LocalylmNBbjoFA.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\LocalylmNBbjoFA.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\LocalylmNBbjoFA.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\AppData\LocalylmNBbjoFA.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\LocalylmNBbjoFA.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\LocalylmNBbjoFA.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\LocalylmNBbjoFA.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\LocalylmNBbjoFA.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\LocalylmNBbjoFA.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\LocalylmNBbjoFA.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\LocalylmNBbjoFA.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\LocalylmNBbjoFA.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\LocalylmNBbjoFA.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\LocalylmNBbjoFA.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\LocalylmNBbjoFA.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\LocalylmNBbjoFA.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\LocalylmNBbjoFA.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\LocalylmNBbjoFA.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\LocalylmNBbjoFA.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\LocalylmNBbjoFA.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local_wGRdnhmmy.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Local_wGRdnhmmy.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local_wGRdnhmmy.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local_wGRdnhmmy.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local_wGRdnhmmy.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local_wGRdnhmmy.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local_wGRdnhmmy.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local_wGRdnhmmy.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local_wGRdnhmmy.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local_wGRdnhmmy.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local_wGRdnhmmy.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local_wGRdnhmmy.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local_wGRdnhmmy.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\AppData\Local_wGRdnhmmy.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local_wGRdnhmmy.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local_wGRdnhmmy.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local_wGRdnhmmy.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local_wGRdnhmmy.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local_wGRdnhmmy.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local_wGRdnhmmy.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\AppData\Local_wGRdnhmmy.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local_wGRdnhmmy.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local_wGRdnhmmy.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local_wGRdnhmmy.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local_wGRdnhmmy.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local_wGRdnhmmy.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\AppData\Local_wGRdnhmmy.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local_wGRdnhmmy.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local_wGRdnhmmy.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local_wGRdnhmmy.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local_wGRdnhmmy.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local_wGRdnhmmy.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local_wGRdnhmmy.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local_wGRdnhmmy.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local_wGRdnhmmy.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local_wGRdnhmmy.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local_wGRdnhmmy.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local_wGRdnhmmy.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local_wGRdnhmmy.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local_wGRdnhmmy.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Local_wGRdnhmmy.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local_wGRdnhmmy.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local_wGRdnhmmy.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local_wGRdnhmmy.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local_wGRdnhmmy.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local_wGRdnhmmy.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local_wGRdnhmmy.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local_wGRdnhmmy.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Users\user\AppData\LocalwCRkvqzBqW.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\LocalwCRkvqzBqW.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\LocalwCRkvqzBqW.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\LocalwCRkvqzBqW.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\LocalwCRkvqzBqW.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Section loaded: winsta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Section loaded: msftedit.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Section loaded: windows.globalization.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Section loaded: bcp47mrm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Section loaded: globinputhost.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Section loaded: windows.ui.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Section loaded: windowmanagementapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Section loaded: inputhost.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Section loaded: explorerframe.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Section loaded: sfc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\server.exe	Section loaded: mscoree.dll
Source: C:\Users\user\server.exe	Section loaded: apphelp.dll
Source: C:\Users\user\server.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\server.exe	Section loaded: version.dll
Source: C:\Users\user\server.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\server.exe	Section loaded: wldp.dll
Source: C:\Users\user\server.exe	Section loaded: profapi.dll
Source: C:\Users\user\server.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\server.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\server.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\server.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\server.exe	Section loaded: mswsock.dll
Source: C:\Users\user\server.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\server.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\server.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ifmon.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mprapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasmontr.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasapi32.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasman.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mfc42u.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasman.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: authfwcfg.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwpolicyiomgr.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: firewallapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwbase.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dhcpcmonitor.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dot3cfg.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dot3api.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: onex.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: eappcfg.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ncrypt.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: eappprxy.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ntasn1.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwcfg.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: hnetmon.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: netshell.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nlaapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: netsetupapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: netiohlp.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nshhttp.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: httpapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nshipsec.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: activeds.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: polstore.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: winipsec.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: adsldpc.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: adsldpc.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nshwfp.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: cabinet.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: p2pnetsh.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: p2p.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rpcnsh.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: whhelper.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wlancfg.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wlanapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wshelper.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wevtapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: peerdistsh.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wcmapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rmclient.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mobilenetworking.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: slc.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: sppc.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ktmw32.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mprmsg.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Section loaded: dataexchange.dll
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Section loaded: d3d11.dll
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Section loaded: dcomp.dll
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Section loaded: dxgi.dll
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Section loaded: twinapi.appcore.dll
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Section loaded: dwmapi.dll
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Section loaded: sxs.dll
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Section loaded: mpr.dll
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Section loaded: scrrun.dll
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Section loaded: linkinfo.dll
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Section loaded: ntshrui.dll
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Section loaded: cscapi.dll
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Section loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Section loaded: slc.dll
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Section loaded: sppc.dll
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Section loaded: rasman.dll
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Section loaded: secur32.dll
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Section loaded: schannel.dll
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Section loaded: uiautomationcore.dll
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Section loaded: oleacc.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: aepic.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: twinapi.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: powrprof.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: dxgi.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: coremessaging.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: wtsapi32.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: dwmapi.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: twinapi.appcore.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: umpdc.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: ninput.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: explorerframe.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: actxprxy.dll
Source: C:\Windows\explorer.exe	Section loaded: aepic.dll
Source: C:\Windows\explorer.exe	Section loaded: twinapi.dll
Source: C:\Windows\explorer.exe	Section loaded: userenv.dll
Source: C:\Windows\explorer.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\explorer.exe	Section loaded: powrprof.dll
Source: C:\Windows\explorer.exe	Section loaded: windows.storage.dll
Source: C:\Windows\explorer.exe	Section loaded: dxgi.dll
Source: C:\Windows\explorer.exe	Section loaded: windows.storage.dll
Source: C:\Windows\explorer.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\explorer.exe	Section loaded: propsys.dll
Source: C:\Windows\explorer.exe	Section loaded: coremessaging.dll
Source: C:\Windows\explorer.exe	Section loaded: urlmon.dll
Source: C:\Windows\explorer.exe	Section loaded: windows.storage.dll
Source: C:\Windows\explorer.exe	Section loaded: windows.storage.dll
Source: C:\Windows\explorer.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\explorer.exe	Section loaded: wtsapi32.dll
Source: C:\Windows\explorer.exe	Section loaded: wininet.dll
Source: C:\Windows\explorer.exe	Section loaded: uxtheme.dll
Source: C:\Windows\explorer.exe	Section loaded: dwmapi.dll
Source: C:\Windows\explorer.exe	Section loaded: sspicli.dll
Source: C:\Windows\explorer.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\explorer.exe	Section loaded: twinapi.appcore.dll
Source: C:\Windows\explorer.exe	Section loaded: ntmarta.dll
Source: C:\Windows\explorer.exe	Section loaded: cryptsp.dll
Source: C:\Windows\explorer.exe	Section loaded: wldp.dll
Source: C:\Windows\explorer.exe	Section loaded: iertutil.dll
Source: C:\Windows\explorer.exe	Section loaded: srvcli.dll
Source: C:\Windows\explorer.exe	Section loaded: netutils.dll
Source: C:\Windows\explorer.exe	Section loaded: umpdc.dll
Source: C:\Windows\explorer.exe	Section loaded: ninput.dll
Source: C:\Windows\explorer.exe	Section loaded: explorerframe.dll
Source: C:\Windows\explorer.exe	Section loaded: actxprxy.dll
Source: C:\Windows\explorer.exe	Section loaded: windows.shell.servicehostbuilder.dll
Source: C:\Windows\explorer.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\explorer.exe	Section loaded: ieframe.dll
Source: C:\Windows\explorer.exe	Section loaded: netapi32.dll
Source: C:\Windows\explorer.exe	Section loaded: version.dll
Source: C:\Windows\explorer.exe	Section loaded: winhttp.dll
Source: C:\Windows\explorer.exe	Section loaded: wkscli.dll
Source: C:\Windows\explorer.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\explorer.exe	Section loaded: edputil.dll
Source: C:\Windows\explorer.exe	Section loaded: secur32.dll
Source: C:\Windows\explorer.exe	Section loaded: mlang.dll
Source: C:\Windows\explorer.exe	Section loaded: profapi.dll
Source: C:\Windows\explorer.exe	Section loaded: policymanager.dll
Source: C:\Windows\explorer.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\explorer.exe	Section loaded: wintypes.dll
Source: C:\Windows\explorer.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\explorer.exe	Section loaded: pcacli.dll
Source: C:\Windows\explorer.exe	Section loaded: mpr.dll
Source: C:\Windows\explorer.exe	Section loaded: sfc_os.dll
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\CustomRP.1.17.26.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\CustomRP.1.17.26.exe	Section loaded: netapi32.dll
Source: C:\Users\user\AppData\Local\Temp\CustomRP.1.17.26.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\CustomRP.1.17.26.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\CustomRP.1.17.26.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Section loaded: netapi32.dll
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Section loaded: winsta.dll
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Section loaded: dwmapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Section loaded: msftedit.dll
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Section loaded: windows.globalization.dll
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Section loaded: bcp47mrm.dll
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Section loaded: globinputhost.dll
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Section loaded: windows.ui.dll

Source: C:\Users\user\AppData\Local_wGRdnhmmy.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp

Window found: window name: TSelectLanguageForm

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Automated click: I accept the agreement
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Automated click: I accept the agreement
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Automated click: I accept the agreement
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Automated click: I accept the agreement
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Automated click: Install
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Automated click: I accept the agreement
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Automated click: I accept the agreement
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Automated click: I accept the agreement
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Automated click: Install
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Automated click: I accept the agreement

Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp

File opened: C:\Windows\SysWOW64\MSFTEDIT.DLL

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Window detected: License AgreementPlease read the following important information before continuing.Please read the following License Agreement. You must accept the terms of this agreement before continuing with the installation.Copyright (c) 2020-2024 maximmax42Permission is hereby granted free of charge to any person obtaining a copy of this software and associated documentation files (the "Software") to deal in the Software without restriction including without limitation the rights to use copy modify merge publish distribute sublicense and/or sell copies of the Software and to permit persons to whom the Software is furnished to do so subject to the following conditions:The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND EXPRESS OR IMPLIED INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM DAMAGES OR OTHER LIABILITY WHETHER IN AN ACTION OF CONTRACT TORT OR OTHERWISE ARISING FROM OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.---Upon the first launch of the app you will be asked permission to send analytics data to the developer. You can still use the app without any restriction if you don't consent.CustomRP collects this non-personal information during the usage of the app:- OS Version- OS Language- Device Model (laptop or motherboard)- Country based on OS settings (does not use geolocation)- App VersionAs well as these user interactions:- Connection status to Discord- Connection errors (wrong ID etc)- Connection failure (Discord isn't running etc)- Updated presence: - Does it have party? - What timestamp type is used? - Does it have a big image set? - Does it have a small image set? - How many buttons are set?- New version was ignored: - Which version?- Saved a preset- Loaded a preset- Clicked on a supporter/translator menu item: - Name of the supporter/translator - URL of the supporter/translator- Opened "Pipe select" window- Opened "About" windowCrash reports send your settings (except ID) to help understand the cause of the crash.This information is collected to understand how the application is used improve features and catch unexpected crashes as soon as they appear. The information is stored in the Microsoft App Center for 28 days and is not shared with any third parties.I &accept the agreementI &do not accept the agreement&NextCancel
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Window detected: License AgreementPlease read the following important information before continuing.Please read the following License Agreement. You must accept the terms of this agreement before continuing with the installation.Copyright (c) 2020-2024 maximmax42Permission is hereby granted free of charge to any person obtaining a copy of this software and associated documentation files (the "Software") to deal in the Software without restriction including without limitation the rights to use copy modify merge publish distribute sublicense and/or sell copies of the Software and to permit persons to whom the Software is furnished to do so subject to the following conditions:The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND EXPRESS OR IMPLIED INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM DAMAGES OR OTHER LIABILITY WHETHER IN AN ACTION OF CONTRACT TORT OR OTHERWISE ARISING FROM OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.---Upon the first launch of the app you will be asked permission to send analytics data to the developer. You can still use the app without any restriction if you don't consent.CustomRP collects this non-personal information during the usage of the app:- OS Version- OS Language- Device Model (laptop or motherboard)- Country based on OS settings (does not use geolocation)- App VersionAs well as these user interactions:- Connection status to Discord- Connection errors (wrong ID etc)- Connection failure (Discord isn't running etc)- Updated presence: - Does it have party? - What timestamp type is used? - Does it have a big image set? - Does it have a small image set? - How many buttons are set?- New version was ignored: - Which version?- Saved a preset- Loaded a preset- Clicked on a supporter/translator menu item: - Name of the supporter/translator - URL of the supporter/translator- Opened "Pipe select" window- Opened "About" windowCrash reports send your settings (except ID) to help understand the cause of the crash.This information is collected to understand how the application is used improve features and catch unexpected crashes as soon as they appear. The information is stored in the Microsoft App Center for 28 days and is not shared with any third parties.I &accept the agreementI &do not accept the agreement&NextCancel
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Window detected: License AgreementPlease read the following important information before continuing.Please read the following License Agreement. You must accept the terms of this agreement before continuing with the installation.Copyright (c) 2020-2024 maximmax42Permission is hereby granted free of charge to any person obtaining a copy of this software and associated documentation files (the "Software") to deal in the Software without restriction including without limitation the rights to use copy modify merge publish distribute sublicense and/or sell copies of the Software and to permit persons to whom the Software is furnished to do so subject to the following conditions:The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND EXPRESS OR IMPLIED INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM DAMAGES OR OTHER LIABILITY WHETHER IN AN ACTION OF CONTRACT TORT OR OTHERWISE ARISING FROM OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.---Upon the first launch of the app you will be asked permission to send analytics data to the developer. You can still use the app without any restriction if you don't consent.CustomRP collects this non-personal information during the usage of the app:- OS Version- OS Language- Device Model (laptop or motherboard)- Country based on OS settings (does not use geolocation)- App VersionAs well as these user interactions:- Connection status to Discord- Connection errors (wrong ID etc)- Connection failure (Discord isn't running etc)- Updated presence: - Does it have party? - What timestamp type is used? - Does it have a big image set? - Does it have a small image set? - How many buttons are set?- New version was ignored: - Which version?- Saved a preset- Loaded a preset- Clicked on a supporter/translator menu item: - Name of the supporter/translator - URL of the supporter/translator- Opened "Pipe select" window- Opened "About" windowCrash reports send your settings (except ID) to help understand the cause of the crash.This information is collected to understand how the application is used improve features and catch unexpected crashes as soon as they appear. The information is stored in the Microsoft App Center for 28 days and is not shared with any third parties.I &accept the agreementI &do not accept the agreement&NextCancel
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Window detected: License AgreementPlease read the following important information before continuing.Please read the following License Agreement. You must accept the terms of this agreement before continuing with the installation.Copyright (c) 2020-2024 maximmax42Permission is hereby granted free of charge to any person obtaining a copy of this software and associated documentation files (the "Software") to deal in the Software without restriction including without limitation the rights to use copy modify merge publish distribute sublicense and/or sell copies of the Software and to permit persons to whom the Software is furnished to do so subject to the following conditions:The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND EXPRESS OR IMPLIED INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM DAMAGES OR OTHER LIABILITY WHETHER IN AN ACTION OF CONTRACT TORT OR OTHERWISE ARISING FROM OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.---Upon the first launch of the app you will be asked permission to send analytics data to the developer. You can still use the app without any restriction if you don't consent.CustomRP collects this non-personal information during the usage of the app:- OS Version- OS Language- Device Model (laptop or motherboard)- Country based on OS settings (does not use geolocation)- App VersionAs well as these user interactions:- Connection status to Discord- Connection errors (wrong ID etc)- Connection failure (Discord isn't running etc)- Updated presence: - Does it have party? - What timestamp type is used? - Does it have a big image set? - Does it have a small image set? - How many buttons are set?- New version was ignored: - Which version?- Saved a preset- Loaded a preset- Clicked on a supporter/translator menu item: - Name of the supporter/translator - URL of the supporter/translator- Opened "Pipe select" window- Opened "About" windowCrash reports send your settings (except ID) to help understand the cause of the crash.This information is collected to understand how the application is used improve features and catch unexpected crashes as soon as they appear. The information is stored in the Microsoft App Center for 28 days and is not shared with any third parties.I &accept the agreementI &do not accept the agreement&NextCancel

Source: C:\Users\user\Desktop\LisectAVT_2403002A_473.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorrc.dll

Jump to behavior

Source: C:\Windows\explorer.exe

Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\16.0\Access\Capabilities\UrlAssociations

Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp

Registry value created: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{6B1949CF-3AC6-43B8-95BF-5517797E2CEA}_is1

Jump to behavior

Source: LisectAVT_2403002A_473.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: LisectAVT_2403002A_473.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: LisectAVT_2403002A_473.exe

Static file information: File size 6717450 > 1048576

Source: C:\Users\user\Desktop\LisectAVT_2403002A_473.exe

File opened: C:\Windows\WinSxS\amd64_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_88e266cb2fac7c0d\MSVCR80.dll

Jump to behavior

Source: LisectAVT_2403002A_473.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x663000

Source: LisectAVT_2403002A_473.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: D:\a\1\s\SDK\AppCenterCrashes\Microsoft.AppCenter.Crashes.WindowsDesktop\obj\Microsoft.AppCenter.Crashes.WindowsDesktop\Release\net472\Microsoft.AppCenter.Crashes.pdb source: LocalwCRkvqzBqW.tmp, 0000000E.00000003.1661520651.00000000057AF000.00000004.00001000.00020000.00000000.sdmp, CustomRP.exe, CustomRP.exe, 00000023.00000002.1870099006.00000000055F2000.00000002.00000001.01000000.00000012.sdmp, CustomRP.1.17.26.tmp, 00000027.00000003.2195222115.00000000058B0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\projects\customrp\CustomRPC\obj\Release\CustomRP.pdb source: LocalwCRkvqzBqW.tmp, 0000000E.00000003.1661520651.00000000057AF000.00000004.00001000.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000000.1657558451.0000000000AB2000.00000002.00000001.01000000.00000010.sdmp, CustomRP.1.17.26.tmp, 00000027.00000003.2195222115.00000000058B0000.00000004.00001000.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000000.2191328539.0000000000E72000.00000002.00000001.01000000.00000010.sdmp
Source:	Binary string: C:\NetFXDev1\binaries\x86ret\bin\i386\VSSetup\Utils\boxstub.pdb source: is-L16CA.tmp.39.dr
Source:	Binary string: c:\Users\Sentinel\Desktop\HTMLRenderer\HTML-Renderer\Source\HtmlRenderer.WinForms\obj\Release\HtmlRenderer.WinForms.pdb source: LocalwCRkvqzBqW.tmp, 0000000E.00000003.1661520651.00000000057AF000.00000004.00001000.00020000.00000000.sdmp, CustomRP.exe, CustomRP.exe, 0000001A.00000002.2038683267.000000000CE22000.00000002.00000001.01000000.00000024.sdmp, CustomRP.1.17.26.tmp, 00000027.00000003.2195222115.00000000058B0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\a\SQLitePCL.raw\SQLitePCL.raw\SQLitePCL.raw\src\SQLitePCLRaw.core\obj\Release\netstandard2.0\SQLitePCLRaw.core.pdb source: LocalwCRkvqzBqW.tmp, 0000000E.00000003.1661520651.00000000057AF000.00000004.00001000.00020000.00000000.sdmp, CustomRP.exe, CustomRP.exe, 0000001A.00000002.1999866525.00000000060A2000.00000002.00000001.01000000.00000017.sdmp, is-FETK3.tmp.39.dr
Source:	Binary string: c:\Users\Sentinel\Desktop\HTMLRenderer\HTML-Renderer\Source\HtmlRenderer\obj\Release\HtmlRenderer.pdb source: LocalwCRkvqzBqW.tmp, 0000000E.00000003.1661520651.00000000057AF000.00000004.00001000.00020000.00000000.sdmp, CustomRP.exe, CustomRP.exe, 0000001A.00000002.2039306519.000000000CE92000.00000002.00000001.01000000.00000025.sdmp, CustomRP.1.17.26.tmp, 00000027.00000003.2195222115.00000000058B0000.00000004.00001000.00020000.00000000.sdmp, is-8ECJB.tmp.39.dr
Source:	Binary string: /_/Src/Newtonsoft.Json.Bson/obj/Release/net45/Newtonsoft.Json.Bson.pdbSHA256Z source: LocalwCRkvqzBqW.tmp, 0000000E.00000003.1661520651.00000000057AF000.00000004.00001000.00020000.00000000.sdmp, CustomRP.1.17.26.tmp, 00000027.00000003.2195222115.00000000058B0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\a\_work\1\s\corefx\bin\obj\AnyOS.AnyCPU.Release\System.Memory\netfx\System.Memory.pdb source: LocalwCRkvqzBqW.tmp, 0000000E.00000003.1661520651.00000000057AF000.00000004.00001000.00020000.00000000.sdmp, CustomRP.exe, CustomRP.exe, 0000001A.00000002.2002226777.00000000063B2000.00000002.00000001.01000000.00000019.sdmp
Source:	Binary string: D:\a\SQLitePCL.raw\SQLitePCL.raw\SQLitePCL.raw\src\SQLitePCLRaw.core\obj\Release\netstandard2.0\SQLitePCLRaw.core.pdbSHA256I source: LocalwCRkvqzBqW.tmp, 0000000E.00000003.1661520651.00000000057AF000.00000004.00001000.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000002.1999866525.00000000060A2000.00000002.00000001.01000000.00000017.sdmp, is-FETK3.tmp.39.dr
Source:	Binary string: D:\a\SQLitePCL.raw\SQLitePCL.raw\SQLitePCL.raw\src\SQLitePCLRaw.bundle_green\obj\Release\net461\SQLitePCLRaw.batteries_v2.pdb source: LocalwCRkvqzBqW.tmp, 0000000E.00000003.1661520651.00000000057AF000.00000004.00001000.00020000.00000000.sdmp, CustomRP.exe, CustomRP.exe, 0000001A.00000002.1999487049.0000000005A42000.00000002.00000001.01000000.00000016.sdmp, is-90JQC.tmp.14.dr
Source:	Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdb source: LocalwCRkvqzBqW.tmp, 0000000E.00000003.1661520651.00000000057AF000.00000004.00001000.00020000.00000000.sdmp, CustomRP.exe, CustomRP.exe, 0000001A.00000002.2000036377.00000000060C2000.00000002.00000001.01000000.00000015.sdmp, CustomRP.1.17.26.tmp, 00000027.00000003.2195222115.00000000058B0000.00000004.00001000.00020000.00000000.sdmp, is-N75LE.tmp.14.dr, is-8B8DA.tmp.39.dr
Source:	Binary string: D:\a\SQLitePCL.raw\SQLitePCL.raw\SQLitePCL.raw\src\SQLitePCLRaw.provider.dynamic_cdecl\obj\Release\netstandard2.0\SQLitePCLRaw.provider.dynamic_cdecl.pdb source: LocalwCRkvqzBqW.tmp, 0000000E.00000003.1661520651.00000000057AF000.00000004.00001000.00020000.00000000.sdmp, CustomRP.exe, CustomRP.exe, 0000001A.00000002.2001708037.0000000006342000.00000002.00000001.01000000.00000018.sdmp, is-7ECM7.tmp.39.dr, is-CMKDC.tmp.14.dr
Source:	Binary string: D:\a\cb\cb\cb\bld\bin\e_sqlite3\win\v142\plain\x86\e_sqlite3.pdb source: CustomRP.exe, 0000001A.00000002.2046982098.000000006A8BA000.00000002.00000001.01000000.0000001A.sdmp, CustomRP.exe, 0000002A.00000002.3865639119.000000006A58B000.00000002.00000001.01000000.0000001A.sdmp
Source:	Binary string: D:\Projects\Visual Studio\discord-rpc-csharp\DiscordRPC\obj\Release\net45\DiscordRPC.pdb source: LocalwCRkvqzBqW.tmp, 0000000E.00000003.1661520651.00000000057AF000.00000004.00001000.00020000.00000000.sdmp, CustomRP.exe, CustomRP.exe, 0000001A.00000002.2008788803.0000000009AC2000.00000002.00000001.01000000.0000001C.sdmp, CustomRP.1.17.26.tmp, 00000027.00000003.2195222115.00000000058B0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: Octokit.pdbSHA256 source: LocalwCRkvqzBqW.tmp, 0000000E.00000003.1661520651.00000000057AF000.00000004.00001000.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000002.2011935141.0000000009C32000.00000002.00000001.01000000.0000001D.sdmp, CustomRP.exe, 0000002A.00000002.3833471382.0000000006E82000.00000002.00000001.01000000.0000001D.sdmp
Source:	Binary string: D:\a\_work\1\Tooling\obj\Release\System.Net.Http.Formatting\System.Net.Http.Formatting.pdb source: LocalwCRkvqzBqW.tmp, 0000000E.00000003.1661520651.00000000057AF000.00000004.00001000.00020000.00000000.sdmp, is-OARCU.tmp.14.dr
Source:	Binary string: c:\Users\Sentinel\Desktop\HTMLRenderer\HTML-Renderer\Source\HtmlRenderer.WinForms\obj\Release\HtmlRenderer.WinForms.pdb, source: LocalwCRkvqzBqW.tmp, 0000000E.00000003.1661520651.00000000057AF000.00000004.00001000.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000002.2038683267.000000000CE22000.00000002.00000001.01000000.00000024.sdmp, CustomRP.1.17.26.tmp, 00000027.00000003.2195222115.00000000058B0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: /_/Src/Newtonsoft.Json.Bson/obj/Release/net45/Newtonsoft.Json.Bson.pdb source: LocalwCRkvqzBqW.tmp, 0000000E.00000003.1661520651.00000000057AF000.00000004.00001000.00020000.00000000.sdmp, CustomRP.1.17.26.tmp, 00000027.00000003.2195222115.00000000058B0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\a\SQLitePCL.raw\SQLitePCL.raw\SQLitePCL.raw\src\SQLitePCLRaw.bundle_green\obj\Release\net461\SQLitePCLRaw.batteries_v2.pdbSHA256R source: LocalwCRkvqzBqW.tmp, 0000000E.00000003.1661520651.00000000057AF000.00000004.00001000.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000002.1999487049.0000000005A42000.00000002.00000001.01000000.00000016.sdmp, is-90JQC.tmp.14.dr
Source:	Binary string: E:\OneDrive\Programming\CommonMark\CommonMark\obj\v4.5\Release\CommonMark.pdb source: LocalwCRkvqzBqW.tmp, 0000000E.00000003.1661520651.0000000005700000.00000004.00001000.00020000.00000000.sdmp, CustomRP.exe, CustomRP.exe, 0000001A.00000002.2033794203.000000000BEF2000.00000002.00000001.01000000.00000023.sdmp, CustomRP.1.17.26.tmp, 00000027.00000003.2195222115.0000000005824000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\s\SDK\AppCenter\Microsoft.AppCenter.WindowsDesktop\obj\Microsoft.AppCenter.WindowsDesktop\Release\net472\Microsoft.AppCenter.pdbSHA256 source: LocalwCRkvqzBqW.tmp, 0000000E.00000003.1661520651.00000000057AF000.00000004.00001000.00020000.00000000.sdmp, CustomRP.exe, 00000023.00000002.1872050699.0000000005A02000.00000002.00000001.01000000.00000013.sdmp, CustomRP.1.17.26.tmp, 00000027.00000003.2195222115.00000000058B0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\Projects\Visual Studio\discord-rpc-csharp\DiscordRPC\obj\Release\net45\DiscordRPC.pdbSHA256^ source: LocalwCRkvqzBqW.tmp, 0000000E.00000003.1661520651.00000000057AF000.00000004.00001000.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000002.2008788803.0000000009AC2000.00000002.00000001.01000000.0000001C.sdmp, CustomRP.1.17.26.tmp, 00000027.00000003.2195222115.00000000058B0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\a\SQLitePCL.raw\SQLitePCL.raw\SQLitePCL.raw\src\SQLitePCLRaw.provider.dynamic_cdecl\obj\Release\netstandard2.0\SQLitePCLRaw.provider.dynamic_cdecl.pdbSHA256 source: LocalwCRkvqzBqW.tmp, 0000000E.00000003.1661520651.00000000057AF000.00000004.00001000.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000002.2001708037.0000000006342000.00000002.00000001.01000000.00000018.sdmp, is-7ECM7.tmp.39.dr, is-CMKDC.tmp.14.dr
Source:	Binary string: E:\A\_work\156\s\corefx\bin\obj\AnyOS.AnyCPU.Release\System.Buffers\netfx\System.Buffers.pdb source: LocalwCRkvqzBqW.tmp, 0000000E.00000003.1661520651.00000000057AF000.00000004.00001000.00020000.00000000.sdmp, is-LTL2H.tmp.14.dr
Source:	Binary string: D:\a\1\s\SDK\AppCenterAnalytics\Microsoft.AppCenter.Analytics.WindowsDesktop\obj\Microsoft.AppCenter.Analytics.WindowsDesktop\Release\net472\Microsoft.AppCenter.Analytics.pdb source: LocalwCRkvqzBqW.tmp, 0000000E.00000003.1661520651.00000000057AF000.00000004.00001000.00020000.00000000.sdmp, CustomRP.exe, CustomRP.exe, 00000023.00000002.1870476118.0000000005662000.00000002.00000001.01000000.00000014.sdmp, CustomRP.1.17.26.tmp, 00000027.00000003.2195222115.00000000058B0000.00000004.00001000.00020000.00000000.sdmp, is-313PG.tmp.14.dr
Source:	Binary string: E:\A\_work\39\s\corefx\bin/obj/AnyOS.AnyCPU.Release/System.Numerics.Vectors/net46\System.Numerics.Vectors.pdb source: LocalwCRkvqzBqW.tmp, 0000000E.00000003.1661520651.00000000057AF000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\s\SDK\AppCenterAnalytics\Microsoft.AppCenter.Analytics.WindowsDesktop\obj\Microsoft.AppCenter.Analytics.WindowsDesktop\Release\net472\Microsoft.AppCenter.Analytics.pdbSHA256 source: LocalwCRkvqzBqW.tmp, 0000000E.00000003.1661520651.00000000057AF000.00000004.00001000.00020000.00000000.sdmp, CustomRP.exe, 00000023.00000002.1870476118.0000000005662000.00000002.00000001.01000000.00000014.sdmp, CustomRP.1.17.26.tmp, 00000027.00000003.2195222115.00000000058B0000.00000004.00001000.00020000.00000000.sdmp, is-313PG.tmp.14.dr
Source:	Binary string: Octokit.pdb source: CustomRP.exe, CustomRP.exe, 0000002A.00000002.3833471382.0000000006E82000.00000002.00000001.01000000.0000001D.sdmp
Source:	Binary string: E:\A\_work\156\s\corefx\bin\obj\AnyOS.AnyCPU.Release\System.Threading.Tasks.Extensions\netfx\System.Threading.Tasks.Extensions.pdb source: LocalwCRkvqzBqW.tmp, 0000000E.00000003.1661520651.00000000057AF000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdbSHA2567 source: LocalwCRkvqzBqW.tmp, 0000000E.00000003.1661520651.00000000057AF000.00000004.00001000.00020000.00000000.sdmp, CustomRP.exe, 0000001A.00000002.2000036377.00000000060C2000.00000002.00000001.01000000.00000015.sdmp, CustomRP.1.17.26.tmp, 00000027.00000003.2195222115.00000000058B0000.00000004.00001000.00020000.00000000.sdmp, is-N75LE.tmp.14.dr, is-8B8DA.tmp.39.dr
Source:	Binary string: D:\a\1\s\SDK\AppCenterCrashes\Microsoft.AppCenter.Crashes.WindowsDesktop\obj\Microsoft.AppCenter.Crashes.WindowsDesktop\Release\net472\Microsoft.AppCenter.Crashes.pdbSHA256 source: LocalwCRkvqzBqW.tmp, 0000000E.00000003.1661520651.00000000057AF000.00000004.00001000.00020000.00000000.sdmp, CustomRP.exe, 00000023.00000002.1870099006.00000000055F2000.00000002.00000001.01000000.00000012.sdmp, CustomRP.1.17.26.tmp, 00000027.00000003.2195222115.00000000058B0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: -C:\NetFXDev1\binaries\x86ret\bin\i386\VSSetup\Utils\boxstub.pdb source: is-L16CA.tmp.39.dr
Source:	Binary string: C:\projects\customrp\CustomRPC\obj\Release\CustomRP.pdb< source: CustomRP.1.17.26.tmp, 00000027.00000003.2195222115.00000000058B0000.00000004.00001000.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000000.2191328539.0000000000E72000.00000002.00000001.01000000.00000010.sdmp
Source:	Binary string: D:\a\1\s\SDK\AppCenter\Microsoft.AppCenter.WindowsDesktop\obj\Microsoft.AppCenter.WindowsDesktop\Release\net472\Microsoft.AppCenter.pdb source: LocalwCRkvqzBqW.tmp, 0000000E.00000003.1661520651.00000000057AF000.00000004.00001000.00020000.00000000.sdmp, CustomRP.exe, CustomRP.exe, 00000023.00000002.1872050699.0000000005A02000.00000002.00000001.01000000.00000013.sdmp, CustomRP.1.17.26.tmp, 00000027.00000003.2195222115.00000000058B0000.00000004.00001000.00020000.00000000.sdmp

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: 0.0.LisectAVT_2403002A_473.exe.8353e7.2.raw.unpack, OGwlqciXr0ElwpPhx2ELvF3kNaKNl.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{B2XkNRIfMeAoP3U1ztvWAdAGcXy7w.uIyunLolBqwllVVDZCX56D0GqUWs9,B2XkNRIfMeAoP3U1ztvWAdAGcXy7w.njXy4hiAdARQRipLtAeJC4sjnK9sS,B2XkNRIfMeAoP3U1ztvWAdAGcXy7w._8H5NqAIy8CMvYmRQknkcFQC9tU1WP,B2XkNRIfMeAoP3U1ztvWAdAGcXy7w.CkIDfYNhpg1tAG2PGKbvUA0Elq5gc,_7OJWizdBeSlGH7qWtAtRFahk6E6v64SjpzYbrWqJGw9FBYpyMJWB7kDG0qmHYq._56a6fVyzDD90QtgdUY86C4nJ5FcDMc0CSRvP8HhqehLuna7wrFL1eT5ApuxzQp()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.0.LisectAVT_2403002A_473.exe.8353e7.2.raw.unpack, OGwlqciXr0ElwpPhx2ELvF3kNaKNl.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{BHOQj9Xxu0vKZWs0HCJniDmXP4v2XvbRoGZ4tJwPKPjFzrMDJQMAj42I9Cgduv[2],_7OJWizdBeSlGH7qWtAtRFahk6E6v64SjpzYbrWqJGw9FBYpyMJWB7kDG0qmHYq.Czxd4ExSuH2IoIE21QwPUiDLNtvW8418ZYcwYKefxGmHL8jlQSY3RwCv5av4hp(_7OJWizdBeSlGH7qWtAtRFahk6E6v64SjpzYbrWqJGw9FBYpyMJWB7kDG0qmHYq.xETPFICgM0aL3df1wQojEnxodtq7BR6UQhsrIJ7HTsKmFfeH0PBE8bOUNm5S6Q(BHOQj9Xxu0vKZWs0HCJniDmXP4v2XvbRoGZ4tJwPKPjFzrMDJQMAj42I9Cgduv[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.0.LisectAVT_2403002A_473.exe.8353e7.2.raw.unpack, OGwlqciXr0ElwpPhx2ELvF3kNaKNl.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { BHOQj9Xxu0vKZWs0HCJniDmXP4v2XvbRoGZ4tJwPKPjFzrMDJQMAj42I9Cgduv[2] }}, (string[])null, (Type[])null, (bool[])null, true)

.NET source code contains potential unpacker

Source: LocalM_d_cKXRrV.exe.0.dr, OK.cs	.Net Code: Plugin System.Reflection.Assembly.Load(byte[])
Source: 0.0.LisectAVT_2403002A_473.exe.8353e7.2.raw.unpack, OGwlqciXr0ElwpPhx2ELvF3kNaKNl.cs	.Net Code: b0T66TwgdsFDp8EZEffofaWtyiZofgzderQP7qVS0bSagCaeGgxQu9i3qeHA93 System.AppDomain.Load(byte[])
Source: 0.0.LisectAVT_2403002A_473.exe.8353e7.2.raw.unpack, OGwlqciXr0ElwpPhx2ELvF3kNaKNl.cs	.Net Code: M8I3cEkZRWMPHu1vFgN0xsR55eN42qZ9DbCuIpeqvEexFu6tCe9FqQBmtTtwLP System.AppDomain.Load(byte[])
Source: 0.0.LisectAVT_2403002A_473.exe.8353e7.2.raw.unpack, OGwlqciXr0ElwpPhx2ELvF3kNaKNl.cs	.Net Code: M8I3cEkZRWMPHu1vFgN0xsR55eN42qZ9DbCuIpeqvEexFu6tCe9FqQBmtTtwLP

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 26_2_05A44054 push cs; retf	26_2_05A44056
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 26_2_060AC6E7 push ebp; ret	26_2_060AC6F4
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 26_2_063456FA push ss; iretd	26_2_06345702
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 26_2_06347F11 push cs; ret	26_2_06347F12
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 26_2_0CE273FB push cs; ret	26_2_0CE273FC
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 26_2_0CE2735B push cs; ret	26_2_0CE273AE
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 26_2_0CE26B0C push cs; ret	26_2_0CE2735A
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 26_2_0CE9A5C4 pushfd ; ret	26_2_0CE9A5C5
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 42_2_6A5797A3 push ecx; ret	42_2_6A5797B6

Source: 0.0.LisectAVT_2403002A_473.exe.8353e7.2.raw.unpack, GzXr2Mcaar8f5V6mmaBIB3Qmorj8608N3NfyZiCrxOwn2Ubo81jp38Hf8K3vMc.cs	High entropy of concatenated method names: 'du5SXtDXjK7rxbJy4PxNJAvPkHLEEga4cRRX3Uzlof712GlhX8UmXsovle68I2', 'uT5h9qbRmgXiVno2NHRp0dZ9Ou8hsh2oPCFpLE0xyTaQqQI6jKIxzTtW3NhCMr', 'dsy4E13gzwzp4kPRjHqKdmBHOlXv8o7Fje8lBVDkSmwodj9', 'N2FSOkJ1ugfPu145SuZXVw', 'f0tRf2MdTZq7L5LlONzuiw', 'dbMHnFKIeeSwNibDPwj8SE', '_3ghl34YLCwxVYQtEocF8f5', 'l8UizUq2H4XxpLqYe92t2j', 'S91pEFYlKlco1QKzzZMZfm', '_6HeBPUxqxMgAIM5UUHUrm4'
Source: 0.0.LisectAVT_2403002A_473.exe.8353e7.2.raw.unpack, B2XkNRIfMeAoP3U1ztvWAdAGcXy7w.cs	High entropy of concatenated method names: 'o4Bj8Ixe8j0oU8YFOcYN7loNS87K4Ka8i2agGqOoPkbK6I1', 'Nn9suwVJNSDNYT7iSiCy7jSvy1yOfqftKk2DNj3XgjePNde', 'URWXZ7ayLW0VIa7GuvQo9lIeZQwD1SGkbHrPzIT2X2PRrAK', 'CaZG7odOBK6amSleOUQGxAiO8xLBV7dHJcemdPZMcsNKkWq'
Source: 0.0.LisectAVT_2403002A_473.exe.8353e7.2.raw.unpack, OV7l01RbiiW89yaMq3qQg9koJXcBS.cs	High entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', 'O5JzNJEG3PhQS6ln6GcOZ2TYp3yqJcdn0b8GZ7za0m3XkNW', 'dcOe1l9QEtqry8tmuDudpZI3EXOvdr2qYUEqt4J5lLr47Ek', 'NA4GPsgGZiBBp3tzdllO9ePmO7aISQt4ILjiyq7LMqDDrOH', 'X4gyqK7y4EwljHiEo3rrrYwiXW65uBpBmno4GdJ5Zq8ZYYJ'
Source: 0.0.LisectAVT_2403002A_473.exe.8353e7.2.raw.unpack, maC2rNtx1b5CL8WjrQbnsVoyoeFzRupXiO2bEJRFmnDcFz3f3xmj4wktvQXPtr.cs	High entropy of concatenated method names: 'PbgU60La5wMiOOBDsscLSxUNbiKOvj6sxrT7NqSaqSy3GC64igGPGh5dvQmjKt', 'bnqE7DfdyEbT1wKyOnUXP4u9h3lYot642fosF9CMPPus5LdqIsrZUVKvmmiOdP', 'atbh9Cdgzec6XSqA9Ne7VNfFE2co9hV9ZlwTj84ZKwTfZVF2QvXz7wsaHKjahQ', 'QE1MyDqPqvkr297huzPuLjuJEJajFv0e3gqf0XvOz1MV8aYBO1sf5ndz1FKgGVAHBE7usKScMkRqgVD', 'f8bNamCkcRfcKXp8J2fcxSffR5Rr7ADZMywkWuQvBskDxmrVnO6U2lTTYZUnEVJwGnrDWDBuUknKlrB', '_0QAaRtUV1VJCIOgySpWpZx8I27aqzJpf7vaeOYulZ7qwW6PVbAhupe1QRMSJA8MOVZ0mE83Y2g781FW', '_5yRme6KIBsF41sHTlL6VUf5Tz325nSFh6VOwgiD4GQJei4oi12zaSpwv2VyPGL8qBphTeXwI82yLHhG', 'YCkdJzbCDBB48JgLJLqkHfAe8ENhUFT7A19QGSpvhqv24oa29tyQ5rgdo8IeBvWPi1mLS5hntL8OUXl', '_3IPxK04d2V3dRZBmQV7kCoe5Bcp9o2blxLvlzZpu7INNz8sgDUeCvpI5cfwVnwlLUMNDNXFQFi7qIB9', 'bP3dUM8BjODBVCVTo9dtcQekr2QJyK6yhXy9ofrcQZfrj3oLig1q4jipDZ8AudijecughlGaa3FWKeC'
Source: 0.0.LisectAVT_2403002A_473.exe.8353e7.2.raw.unpack, R0hg9jZbVaevTyXey4uE49a6kWot1.cs	High entropy of concatenated method names: 'cId9vuX6TEhHyg6I0toB205OFwxeI', 'Zp4B0r08IvRR4hGaiV0dO6hQDgMJL', 'PjVOM1LfZ7AszjFVweGGWRU2TGhC3', 'f9hgo30SjlAFBRGST47WcTQEBO56v', 'eBqF06VZUqCitvWfEEtqYxk0gYNkM', 'rDDPWoftRsad1LJMYH1Oxwe645mP6', '_5d8fYQqTSWpy4ca35vixlzNQdfigR', 'f46SutHIvAHjSf0T1fbXj6Sliga05', 'xDurXySakyaZbpkWXqPXuhWTTEk3H', '_2UWRUbXIWIuRA0L95M2bEnUoZtVRE'
Source: 0.0.LisectAVT_2403002A_473.exe.8353e7.2.raw.unpack, ARp5zTXjKKYFtcoXWqDeIcmGA17yFtlsomL8MTAUPdEkHWKf5y5JsMlRGkcqSq.cs	High entropy of concatenated method names: 'B6WqiBeg2rO0jU2a9fIoSqFhOlN12d4Dvjhhj6t9uRq1FpOxG729NYRCHFPQoU', 'ozudnqly6dI3zP6pVKLmVCpcDCSveBvhWT3CTLQFaXEHRDeaUuqTCxcLFHQfiEoSdz9h2Yf5bY5KALf', 'NN6LL0xWQRPszZ2MdNx1H69kcgVCuflHWjFSGy048sSgbsmXIsvwnraAbVKXIx90eXXjgt85VDSEALb', 'xv5ZjhAyDgTqUlXyQ2pob1H9fK4myJeQck0hc4GFWIvVS6s71I3wxhyzn8k3qyZLUsyHZwoqKZsE1oH', 'KMoAxYQHhTasYTiTp5YbGYXyHrSl9Du19NBB3uUw3hjmUvMkvjtebus1Kc17gNkj9SiG31nD6zDi6qH'
Source: 0.0.LisectAVT_2403002A_473.exe.8353e7.2.raw.unpack, KM7vndHufqEm3GqJ6ZRODL27U0yoO.cs	High entropy of concatenated method names: 'IEr0mcA4RL7j1ayGSUFmuIaWbUGdI', 'eaw022wAHiws1ctBjAnTu5oV8I22i', 'dVbc4BqEmQPuQsxRBA4BIWhoP8EU1', 'CTxrcJdigva9oOH0bVdrYoQtksoIW', 'i2Pucbl9eBekGVf86cIN0zJxNTKtP', 'wFiPuYdB58l10IQAtE4uuyaZuiLPX', 'M5O12Kq7UYOxerWJEWymCmJwkOrNH', 'HAKuAd5F6XFEEGozK6npGZJ5xguI6', 'v8SuV2VTmiTxn0BGEqkhxtJEE4rXU', 'z0Q01kZYW3jpdlfdoYiqGyzfQObFt'
Source: 0.0.LisectAVT_2403002A_473.exe.8353e7.2.raw.unpack, 7OJWizdBeSlGH7qWtAtRFahk6E6v64SjpzYbrWqJGw9FBYpyMJWB7kDG0qmHYq.cs	High entropy of concatenated method names: '_38SrXGO8ftuEMARWR101lQOCIjyjlrMJpAtdu2XTgMCYpUjLPTFf0faDNx2W5H', 'kNdXkKAls71g76CCWnQdphfCs5Mbr3594elgD7V6pm7Mdh9TQwj5cRO7MZubFL', '_7SreYRQoAUYZaegZSxljAzPEzbfaJ1seGdRnZGA59fSoOJWx61dKNvKZmjqjja', 'MHIfz0Ia8PqP5vnlWOvoUGP3f4vXUazr1NOT9wM1UWYlI2zCYL9kHzmfPihrmx', 'KouHVC715kMNPt5HfCcVICP5CyoOY8yuU1gZ9BRptSvBDwiHZPSBQEiW1i6dUf', '_9CEqF9BzI2p5s5YYBUVPWnnzE8x8wy0gcTcU2qlcWfkoH9QLck0ChG1eCMw5d9', '_209aCAJWvjnFl7BWjh1J9iligEBWf4ZxOQlCrHjSzsFKio0JEwQ7UTTZjOj6yO', 'SQna4U4BKsCJjpWQChg8XngLxwjUwMsN8y9D9SL2uOycuUnh0Xumrv5FPX32su', 'Aeci3iwx9Kt8pBA08sDmLCoK4bA4kqeCnnkCIh7BgcyT09qKEGWgEaqobMscug', 'xETPFICgM0aL3df1wQojEnxodtq7BR6UQhsrIJ7HTsKmFfeH0PBE8bOUNm5S6Q'
Source: 0.0.LisectAVT_2403002A_473.exe.8353e7.2.raw.unpack, keOMzeMbmlluHCZjjLfCZqNwIPA5BFya9rhNK7NgripufyOZD7am0OJVVXnqVp.cs	High entropy of concatenated method names: 'L2OtLWgcyWZ5tBJ3DSWrSwLFCavVjWDooKBOgha6P6KmWFhbCBZ2ibx97GWaOF', 'OyPnF3NQMqT4RnLUE5FfhfSIxLURYA1dplhcwRXuQeVsbmKf1uvMxzxuQiiexV', 'h7xW4sjV4gVVVPKMhFT62r3WipcXAQOMPr7D2aXUsrjDOaAn2yhHI9oQpHrXeg', 'K16t4Tx5eiciP325gHkXlK8n8VXcy8CogaV2itdfCZ2tcQJnMAnigN3OWUYR7pcWBDncAuRKH1q5CVS', 'syzbqkZTj6zIMbCRXVUXul9iVau5Z7HgeFuu2GkJzaezSkrt9w8dN3g0OlJJhMVOUZJ7tZt8bPUMcmF', 'jrSWlesuBWmlIvcWkCnV9EPYCzMuKTBpBpOuT8yTeBPx1eRMJJLPcREDJSMQP6bChUOhcf2Fg05EhQu', 'ntfFWmiXfTilJmBgPG9nqpEExZcsrcbLpWgeJHTBj7RnKU1P0e75phozSah3SULD1vkxgV328LvhvzY', 'QTvkKoCeSg860LOuuDApqZLXUqpicN9r3NSMq6EQ2Gr1OWd6tEs4c2u6Eik8I3BwibAtQ97mFcuSEPj', 'OQgevOvh1IzkJnPIke9ORLNkpIfnYkpiGpk6G5mw365UdOY48UJFJwBDdRbGiWnnesl2V719c2GWKNR', 'FnAVJsB3nqqCxAbU2jDiPwTiJFkvxQH8z8kb3ZksDRPFick19zot0BL9241sl6IeerH2QBIFBjBkch9'
Source: 0.0.LisectAVT_2403002A_473.exe.8353e7.2.raw.unpack, OGwlqciXr0ElwpPhx2ELvF3kNaKNl.cs	High entropy of concatenated method names: 'HSE1LdbBUlEWfEmQqGIMi8NOMoVKE', 'b0T66TwgdsFDp8EZEffofaWtyiZofgzderQP7qVS0bSagCaeGgxQu9i3qeHA93', 'QWEsyaklucOqbTkeuwTeJRCe56Pz4PFmGyhOSSptICQnaS0YDn0tiPTrgf7G6H', 'o7p0H92GwR8Wk7Q4r3E2CwvvP9j6qfh0XGivTHetuoJQiaz6ueIChHWbsYyWnN', 'zYVsWygyVBXnDL9LoHT6vUaR4TMGuWLPs04xwIKYjtX9VtJGLt3zKVayIU9pVv', 'GP0IwfbnQiKb54klyMG9dvCn3Y8BLwZix6YsiNWaNI380zxVG25hJbXyoCbmCJ', 'f6q3Rd4r1p6nrKJWZOMYcoSysSaSQSbzEJgcyaZVGypm0vPgrgpttAK1htvrIH', 'h2y50w9dLhvbgSpPia76D7m9srvWb0v0cPggh0x8JNPuJ2J6ykwxe8JUy7r5cx', 'EpmY8lrFt35zHm2FcmGtQXWJYE2Unb7aYBstKBxjwsfiJxZCqmnb8qhKpTngLd', 'WJ5skVy9PqlMc4vrcQXkNgGbKQClTAAKc2887ArkTKYeFGgMWQzssikgTPQKAw'

Drops PE files

Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\Microsoft.AppCenter.Analytics.dll (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_473.exe	File created: C:\Users\user\AppData\LocalylmNBbjoFA.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\Microsoft.AppCenter.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\zh-Hant\CustomRP.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\pt-BR\CustomRP.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\SQLitePCLRaw.core.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\cs\is-LVJRV.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\et\CustomRP.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\kk\CustomRP.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\kn\CustomRP.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\bs\is-UTM10.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\cs\is-D6RI7.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\is-40UMB.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\is-I462P.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\gl\is-O7UR3.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\el\is-NEUVP.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\is-OARCU.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\he\is-BIB27.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\bg\is-VHFMO.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\bg\is-RDQFL.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\pa\is-QT140.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\runtimes\win-x86\native\e_sqlite3.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\sv\is-0ERMH.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\hi\is-OG5MR.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\ka\is-O57A3.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\pl\is-5BRIE.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\sr\is-7NGID.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\vi\CustomRP.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\bn\is-1BDJ5.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\fil\CustomRP.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local_wGRdnhmmy.exe	File created: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\is-I8E2V.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	File created: C:\Users\user\AppData\Local\Temp\is-5AHC5.tmp\is-L16CA.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\sl\is-C59RA.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\is-313PG.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\mk\is-4D6QO.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\pt-BR\is-0EQ8U.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\sv\CustomRP.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\vi\is-I9TFR.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\is-N75LE.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\hy\CustomRP.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\is-LTL2H.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\pl\is-05QDT.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\System.Net.Http.Formatting.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\da\is-MEI7K.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\hi\is-5G0PQ.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\is-FNJTI.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\ta\CustomRP.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\sk\is-5KF44.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\hr\CustomRP.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\th\is-K9T0V.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\is-FK5SN.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\ar\is-HRLC1.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\ja\is-HSSNF.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\SQLitePCLRaw.batteries_v2.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\ja\is-HUT9S.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\System.Numerics.Vectors.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\ru\is-SBHVJ.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\runtimes\win-x86\native\is-TR1B4.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\Newtonsoft.Json.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\el\is-2TH83.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\ms\is-KFO4O.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\fa\CustomRP.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\zh-Hans\is-A2DL7.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\pt\is-MD896.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\is-GVRFI.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\fa\is-N68S6.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\be\is-OUIRJ.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\ta\is-A4O8R.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\SQLitePCLRaw.provider.dynamic_cdecl.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\System.Runtime.CompilerServices.Unsafe.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\hu\is-1UC18.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\ku\CustomRP.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_473.exe	File created: C:\Users\user\AppData\LocalM_d_cKXRrV.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\runtimes\win-arm\native\e_sqlite3.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\Octokit.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\hu\CustomRP.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\is\CustomRP.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\is-KQM6J.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\is-2C28F.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\cy\CustomRP.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\fa\is-ATSDQ.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\nl\CustomRP.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\runtimes\win-x64\native\is-546QC.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\is-N7DCN.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\DiscordRPC.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\it\is-SMAND.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\mn\is-GJ06U.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\is-8ECJB.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\runtimes\win-x86\native\is-SDGP4.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\is-TJS3F.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\fi\is-3UC6U.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\is-IOV14.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\ml\CustomRP.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\is-687SV.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\sl\is-G19UM.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Local\Temp\is-QU0ES.tmp\is-PMCAU.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\vi\is-JDVP8.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\ko\is-3MKMH.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\pl\CustomRP.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\is-JAUIP.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\ur\is-G731T.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\id\CustomRP.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\et\is-6NKQM.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\hi\CustomRP.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\sl\CustomRP.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\th\is-B2KEE.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\sk\is-NHIH0.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\id\is-VO99H.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\System.Memory.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\az\is-SPCCG.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\ms\CustomRP.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\ar\is-674TO.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\ca\is-G3P15.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\runtimes\win-arm\native\is-L6FKM.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\ta\is-AVES5.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\zh-Hant\is-TCS3P.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\mn\CustomRP.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\ku\is-54C0C.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\kn\is-Q0K47.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\ar\CustomRP.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\de-CH\is-PS652.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\gl\is-ROPLV.tmp	Jump to dropped file
Source: C:\Users\user\AppData\LocalylmNBbjoFA.exe	File created: C:\Users\user\AppData\Local_wGRdnhmmy.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\ro\is-H3RRR.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\fr\CustomRP.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\is-F4MFV.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\it\is-AVJLC.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\zh-Hant\is-LHI5A.tmp	Jump to dropped file
Source: C:\Users\user\AppData\LocalylmNBbjoFA.exe	File created: C:\Users\user\AppData\LocalwCRkvqzBqW.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\sv\is-53H19.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\tr\is-IOVKP.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\hy\is-OHUPK.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\fil\is-UD0CQ.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\is-9AGJI.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\nl\is-T6AQ0.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\he\is-85D8B.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\no\is-M254A.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\bn\CustomRP.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\pa\CustomRP.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\sr\is-UK4IF.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\System.Threading.Tasks.Extensions.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\pt\is-IFBSR.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\is-8B8DA.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\hr\is-QSFJ0.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\he\CustomRP.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\ca\CustomRP.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\is\is-G0GP4.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\fi\CustomRP.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\uk\is-DVKQR.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\da\is-L9EDS.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\is-9VO3N.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\fr\is-CJ2KI.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\is-90JQC.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Local\Temp\is-QU0ES.tmp\_isetup\_setup64.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\HtmlRenderer.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\uk\is-VIB03.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\my\is-2UT95.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\kk\is-BEN2D.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\ja\CustomRP.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\is-7ECM7.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\is-60I9P.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\zh-Hans\is-5VLN4.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\unins000.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	File created: C:\Users\user~1\AppData\Local\Temp\is-5AHC5.tmp\ndp48-web.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\pa\is-DAB1M.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\id\is-JVR9Q.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\is-840Q4.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\mn\is-S5EU4.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\es\CustomRP.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\ko\is-QDV0A.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\lv\is-9GBNE.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\is-VUD2Q.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\Newtonsoft.Json.Bson.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\pt-BR\is-2A1S4.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\da\CustomRP.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\ca\is-RKKJG.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\nl\is-AGJMF.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\no\is-AJQMV.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\is-QQTGA.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\mk\CustomRP.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\th\CustomRP.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\CustomRP.1.17.26.exe	File created: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\hr\is-EFPSN.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\tr\is-51KP4.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\is-OD2S7.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\System.Buffers.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\ml\is-NJ72O.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\is-2C6IM.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\bs\is-6KALE.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\ur\is-COL0K.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\fi\is-JNLAH.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\ro\CustomRP.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\ru\CustomRP.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\cy\is-39CN3.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\is-PN1CV.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\pt\CustomRP.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	File created: C:\Users\user\AppData\Local\Temp\CustomRP.1.17.26.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\cy\is-QS138.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\fr\is-VSURF.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\lt\is-7TEOR.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\is-CMKDC.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\sk\CustomRP.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\lv\CustomRP.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\Microsoft.AppCenter.Crashes.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\ka\CustomRP.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\ka\is-BTTKK.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\de\is-ONH2C.tmp	Jump to dropped file
Source: C:\Users\user\AppData\LocalM_d_cKXRrV.exe	File created: C:\Users\user\server.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\is-H1ITL.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\is-0375B.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\runtimes\win-x64\native\is-HGKHC.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\hy\is-9K8L2.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\tr\CustomRP.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\bs\CustomRP.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\gl\CustomRP.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\hu\is-T48C7.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\ro\is-SGDGS.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\az\CustomRP.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\is-JHC4U.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\zh-Hans\CustomRP.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\es\is-JBG7J.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\is\is-9VBA1.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\no\CustomRP.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\is-TI8RB.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\is-FEUPA.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\CommonMark.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\cs\CustomRP.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\HtmlRenderer.WinForms.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\bg\CustomRP.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\el\CustomRP.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\ur\CustomRP.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\it\CustomRP.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\is-550CF.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\kn\is-PHNVH.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\ku\is-0AQNH.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\lv\is-943IK.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\is-QH208.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\be\is-CQSTG.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\et\is-1TNPU.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\be\CustomRP.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\de-CH\is-3GQDR.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\ml\is-H8GME.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\my\CustomRP.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\is-FETK3.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\lt\is-558BR.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\de\is-Q34JK.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\my\is-DB878.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\runtimes\win-x64\native\e_sqlite3.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	File created: C:\Users\user\AppData\Local\Temp\is-5AHC5.tmp\_isetup\_setup64.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\ko\CustomRP.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\mk\is-B6G5I.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\bn\is-HPMA5.tmp	Jump to dropped file
Source: C:\Users\user\AppData\LocalwCRkvqzBqW.exe	File created: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\is-1NIJ8.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\is-1OIC0.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\de-CH\CustomRP.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\es\is-65RVL.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\de\CustomRP.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\uk\CustomRP.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\runtimes\win-arm\native\is-JNFCM.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\sr\CustomRP.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\lt\CustomRP.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\fil\is-PN2OA.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user~1\AppData\Local\Temp\is-QU0ES.tmp\ndp48-web.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	File created: C:\Users\user\AppData\Roaming\CustomRP\ru\is-GL4HQ.tmp	Jump to dropped file

Drops PE files to the user directory

Source: C:\Users\user\AppData\LocalM_d_cKXRrV.exe

File created: C:\Users\user\server.exe

Jump to dropped file

Boot Survival

Drops PE files to the user root directory

Source: C:\Users\user\AppData\LocalM_d_cKXRrV.exe

File created: C:\Users\user\server.exe

Jump to dropped file

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\AppData\Local_wGRdnhmmy.exe

Creates a start menu entry (Start Menu\Programs\Startup)

Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CustomRP.lnk

Stores files to the Windows start menu directory

Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\CustomRP	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\CustomRP\CustomRP.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\CustomRP\Uninstall CustomRP.lnk	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CustomRP.lnk
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\CustomRP\CustomRP.lnk
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\CustomRP\Uninstall CustomRP.lnk

Source: C:\Users\user\AppData\Local_wGRdnhmmy.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Local_wGRdnhmmy			Jump to behavior
Source: C:\Users\user\AppData\Local_wGRdnhmmy.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Local_wGRdnhmmy			Jump to behavior

Source: C:\Users\user\Desktop\LisectAVT_2403002A_473.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_473.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_473.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_473.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_473.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_473.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_473.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_473.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_473.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_473.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_473.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_473.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_473.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_473.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_473.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_473.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_473.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_473.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_473.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\LocalM_d_cKXRrV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\LocalM_d_cKXRrV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\LocalM_d_cKXRrV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\LocalM_d_cKXRrV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\LocalM_d_cKXRrV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\LocalM_d_cKXRrV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\LocalM_d_cKXRrV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\LocalM_d_cKXRrV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\LocalM_d_cKXRrV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\LocalM_d_cKXRrV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\LocalM_d_cKXRrV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\LocalM_d_cKXRrV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\LocalM_d_cKXRrV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\LocalM_d_cKXRrV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\LocalM_d_cKXRrV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\LocalM_d_cKXRrV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\LocalM_d_cKXRrV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\LocalM_d_cKXRrV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\LocalM_d_cKXRrV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\LocalM_d_cKXRrV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\LocalM_d_cKXRrV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\LocalylmNBbjoFA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\LocalylmNBbjoFA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\LocalylmNBbjoFA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\LocalylmNBbjoFA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\LocalylmNBbjoFA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\LocalylmNBbjoFA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\LocalylmNBbjoFA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\LocalylmNBbjoFA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\LocalylmNBbjoFA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\LocalylmNBbjoFA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\LocalylmNBbjoFA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\LocalylmNBbjoFA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\LocalylmNBbjoFA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\LocalylmNBbjoFA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\LocalylmNBbjoFA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\LocalylmNBbjoFA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\LocalylmNBbjoFA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\LocalylmNBbjoFA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\LocalylmNBbjoFA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local_wGRdnhmmy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local_wGRdnhmmy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local_wGRdnhmmy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local_wGRdnhmmy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local_wGRdnhmmy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local_wGRdnhmmy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local_wGRdnhmmy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local_wGRdnhmmy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local_wGRdnhmmy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local_wGRdnhmmy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local_wGRdnhmmy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local_wGRdnhmmy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local_wGRdnhmmy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local_wGRdnhmmy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local_wGRdnhmmy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local_wGRdnhmmy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local_wGRdnhmmy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local_wGRdnhmmy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local_wGRdnhmmy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local_wGRdnhmmy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local_wGRdnhmmy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local_wGRdnhmmy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local_wGRdnhmmy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local_wGRdnhmmy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local_wGRdnhmmy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local_wGRdnhmmy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local_wGRdnhmmy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local_wGRdnhmmy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local_wGRdnhmmy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local_wGRdnhmmy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local_wGRdnhmmy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local_wGRdnhmmy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local_wGRdnhmmy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local_wGRdnhmmy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local_wGRdnhmmy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local_wGRdnhmmy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local_wGRdnhmmy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local_wGRdnhmmy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local_wGRdnhmmy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local_wGRdnhmmy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local_wGRdnhmmy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local_wGRdnhmmy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local_wGRdnhmmy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\LocalwCRkvqzBqW.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\LocalwCRkvqzBqW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\server.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\server.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\server.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\server.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\server.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\server.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\server.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\server.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\server.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\server.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\server.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\server.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\server.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\server.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\server.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\server.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\server.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\server.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\server.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\server.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\server.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\server.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\server.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\server.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\server.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\server.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\server.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\server.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\server.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\server.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\netsh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\netsh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\CustomRP.1.17.26.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\CustomRP.1.17.26.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Check if machine is in data center or colocation facility

Source: global traffic

HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Opens the same file many times (likely Sandbox evasion)

Source: C:\Users\user\AppData\Local_wGRdnhmmy.exe	File opened: \Device\RasAcd count: 74580			Jump to behavior
Source: C:\Users\user\server.exe	File opened: \Device\RasAcd count: 33218

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: Local_wGRdnhmmy.exe, 00000008.00000002.3771976186.00000000025E1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SBIEDLL.DLL
Source: LocalylmNBbjoFA.exe, 00000004.00000002.1293177261.0000000002EE1000.00000004.00000800.00020000.00000000.sdmp, Local_wGRdnhmmy.exe, 00000008.00000000.1281627960.00000000003C2000.00000002.00000001.01000000.00000008.sdmp, LisectAVT_2403002A_473.exe	Binary or memory string: SBIEDLL.DLL_W5EH52Q5QTMQAPKL8LWNHVVSTNDVSYLRP6LQYKBXU5EQBRQ_PZJTIAI5UMOHUV4Y1YUY7548O2SOGTIJRVHLUCSMY3DC3KM_RGHR88E1AIVLNLNRBDJFPRXVOC6L77WSHJP7UGB1XI4VP8Z_HUUXALKYV8NG3SRKQM7LRIF2FZ1ZWFTRRJPJJXL8LJGG9EM_UNVTYP7EKIMLWEBYRMSRZVF8HRBKCLVNXU5GCKQ7MJYM22M_VTL3DAXV14GEBGFECNRPV41XSEJUXSGCXC4VPK30SBJTEIG_RMK7YTADMJ9PMNNOOZEZUA3Q4DEM92BNDRZ6T2TNNLA5FUW_LW5C8JRAX2TSJ9L3CMQWTW7NJE2YN0ZIQQD3P5JDUYXMMUL_GBVIJDAHNK0TUEYPEC5KLSNDMYFJ17UAT3VVA3MIQ6CASYH_ZO1NOBSGC31IGZVOWOKYQNIBSEU3SSOKPO1KZASJ4KZGSPX_06ZDZTLTPZRJKPHUAG87E257WGE27BIPCHMUK8G1GPRTZST_PG4HXUXEXVRT0WXYYHW048H41PHO1KS9RTVE37PHFE1T2UZINFO

Allocates memory with a write watch (potentially for evading sandboxes)

Source: C:\Users\user\Desktop\LisectAVT_2403002A_473.exe	Memory allocated: F90000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_473.exe	Memory allocated: 2E00000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_473.exe	Memory allocated: 1AE00000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\LocalM_d_cKXRrV.exe	Memory allocated: E40000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\LocalM_d_cKXRrV.exe	Memory allocated: 2C10000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\LocalM_d_cKXRrV.exe	Memory allocated: 4C10000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\LocalylmNBbjoFA.exe	Memory allocated: 1090000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\LocalylmNBbjoFA.exe	Memory allocated: 2EE0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\LocalylmNBbjoFA.exe	Memory allocated: 1AEE0000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local_wGRdnhmmy.exe	Memory allocated: A00000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local_wGRdnhmmy.exe	Memory allocated: 1A5E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\server.exe	Memory allocated: 1130000 memory reserve \| memory write watch
Source: C:\Users\user\server.exe	Memory allocated: 2EA0000 memory reserve \| memory write watch
Source: C:\Users\user\server.exe	Memory allocated: 4EA0000 memory commit \| memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Memory allocated: 10C0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Memory allocated: 1AD10000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Memory allocated: 2A50000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Memory allocated: 1AD00000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Memory allocated: 1040000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Memory allocated: 1AB20000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Memory allocated: 16B0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Memory allocated: 2EB0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Memory allocated: 4EB0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Memory allocated: 3010000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Memory allocated: 3110000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Memory allocated: 3010000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Memory allocated: 790000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Memory allocated: 1A1E0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Memory allocated: 1900000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Memory allocated: 3300000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Memory allocated: 3250000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Memory allocated: FA0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Memory allocated: 1AAD0000 memory reserve \| memory write watch

Contains functionality to detect virtual machines (SLDT)

Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe

Code function: 26_2_09AC7850 sldt word ptr [eax]

26_2_09AC7850

Contains long sleeps (>= 3 min)

Source: C:\Users\user\Desktop\LisectAVT_2403002A_473.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\LocalM_d_cKXRrV.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\LocalylmNBbjoFA.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Thread delayed: delay time: 922337203685477

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Users\user\AppData\Local_wGRdnhmmy.exe	Window / User API: threadDelayed 1089	Jump to behavior
Source: C:\Users\user\AppData\Local_wGRdnhmmy.exe	Window / User API: threadDelayed 3094	Jump to behavior
Source: C:\Users\user\server.exe	Window / User API: threadDelayed 3292
Source: C:\Users\user\server.exe	Window / User API: foregroundWindowGot 1570
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Window / User API: threadDelayed 5657
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Window / User API: threadDelayed 4034
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Window / User API: threadDelayed 9282

Found dropped PE file which has not been started or loaded

Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\Microsoft.AppCenter.Analytics.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\Microsoft.AppCenter.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\zh-Hant\CustomRP.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\pt-BR\CustomRP.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\cs\is-LVJRV.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\SQLitePCLRaw.core.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\et\CustomRP.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\kk\CustomRP.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\kn\CustomRP.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\bs\is-UTM10.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\is-40UMB.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\cs\is-D6RI7.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\gl\is-O7UR3.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\el\is-NEUVP.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\is-OARCU.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\he\is-BIB27.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\bg\is-VHFMO.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\bg\is-RDQFL.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\pa\is-QT140.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\runtimes\win-x86\native\e_sqlite3.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\sv\is-0ERMH.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\ka\is-O57A3.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\hi\is-OG5MR.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\pl\is-5BRIE.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\sr\is-7NGID.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\vi\CustomRP.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\fil\CustomRP.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\bn\is-1BDJ5.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\is-I8E2V.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-5AHC5.tmp\is-L16CA.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\sl\is-C59RA.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\mk\is-4D6QO.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\is-313PG.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\pt-BR\is-0EQ8U.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\sv\CustomRP.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\vi\is-I9TFR.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\hy\CustomRP.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\is-N75LE.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\is-LTL2H.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\pl\is-05QDT.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\System.Net.Http.Formatting.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\da\is-MEI7K.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\hi\is-5G0PQ.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\is-FNJTI.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\ta\CustomRP.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\sk\is-5KF44.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\hr\CustomRP.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\th\is-K9T0V.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\is-FK5SN.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\ar\is-HRLC1.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\ja\is-HSSNF.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\SQLitePCLRaw.batteries_v2.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\System.Numerics.Vectors.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\ja\is-HUT9S.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\runtimes\win-x86\native\is-TR1B4.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\ru\is-SBHVJ.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\Newtonsoft.Json.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\ms\is-KFO4O.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\el\is-2TH83.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\zh-Hans\is-A2DL7.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\fa\CustomRP.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\pt\is-MD896.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\is-GVRFI.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\fa\is-N68S6.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\be\is-OUIRJ.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\ta\is-A4O8R.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\SQLitePCLRaw.provider.dynamic_cdecl.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\System.Runtime.CompilerServices.Unsafe.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\hu\is-1UC18.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\ku\CustomRP.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\runtimes\win-arm\native\e_sqlite3.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\Octokit.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\is\CustomRP.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\hu\CustomRP.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\is-KQM6J.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\is-2C28F.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\cy\CustomRP.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\fa\is-ATSDQ.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\runtimes\win-x64\native\is-546QC.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\nl\CustomRP.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\is-N7DCN.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\DiscordRPC.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\it\is-SMAND.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\is-8ECJB.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\mn\is-GJ06U.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\runtimes\win-x86\native\is-SDGP4.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\fi\is-3UC6U.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\is-IOV14.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\is-687SV.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\ml\CustomRP.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\sl\is-G19UM.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-QU0ES.tmp\is-PMCAU.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\vi\is-JDVP8.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\ko\is-3MKMH.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\pl\CustomRP.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\is-JAUIP.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\ur\is-G731T.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\id\CustomRP.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\hi\CustomRP.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\et\is-6NKQM.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\sl\CustomRP.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\th\is-B2KEE.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\sk\is-NHIH0.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\id\is-VO99H.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\System.Memory.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\az\is-SPCCG.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\ms\CustomRP.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\ar\is-674TO.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\ta\is-AVES5.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\ca\is-G3P15.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\runtimes\win-arm\native\is-L6FKM.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\zh-Hant\is-TCS3P.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\mn\CustomRP.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\ku\is-54C0C.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\kn\is-Q0K47.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\ar\CustomRP.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\gl\is-ROPLV.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\de-CH\is-PS652.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\ro\is-H3RRR.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\is-F4MFV.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\fr\CustomRP.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\it\is-AVJLC.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\zh-Hant\is-LHI5A.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\sv\is-53H19.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\tr\is-IOVKP.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\hy\is-OHUPK.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\fil\is-UD0CQ.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\is-9AGJI.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\nl\is-T6AQ0.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\he\is-85D8B.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\no\is-M254A.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\bn\CustomRP.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\pa\CustomRP.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\sr\is-UK4IF.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\System.Threading.Tasks.Extensions.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\pt\is-IFBSR.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\is-8B8DA.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\hr\is-QSFJ0.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\he\CustomRP.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\ca\CustomRP.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\fi\CustomRP.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\is\is-G0GP4.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\uk\is-DVKQR.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\da\is-L9EDS.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\is-9VO3N.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\fr\is-CJ2KI.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\is-90JQC.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-QU0ES.tmp\_isetup\_setup64.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\HtmlRenderer.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\uk\is-VIB03.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\my\is-2UT95.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\kk\is-BEN2D.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\ja\CustomRP.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\is-7ECM7.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\is-60I9P.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\zh-Hans\is-5VLN4.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\unins000.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Dropped PE file which has not been started: C:\Users\user~1\AppData\Local\Temp\is-5AHC5.tmp\ndp48-web.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\pa\is-DAB1M.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\id\is-JVR9Q.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\is-840Q4.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\mn\is-S5EU4.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\es\CustomRP.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\ko\is-QDV0A.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\lv\is-9GBNE.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\Newtonsoft.Json.Bson.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\is-VUD2Q.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\pt-BR\is-2A1S4.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\da\CustomRP.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\ca\is-RKKJG.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\nl\is-AGJMF.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\no\is-AJQMV.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\is-QQTGA.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\mk\CustomRP.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\th\CustomRP.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\hr\is-EFPSN.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\tr\is-51KP4.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\is-OD2S7.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\System.Buffers.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\ml\is-NJ72O.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\bs\is-6KALE.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\is-2C6IM.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\ur\is-COL0K.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\fi\is-JNLAH.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\ro\CustomRP.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\ru\CustomRP.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\cy\is-39CN3.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\is-PN1CV.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\pt\CustomRP.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\cy\is-QS138.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\lt\is-7TEOR.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\fr\is-VSURF.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\is-CMKDC.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\sk\CustomRP.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\lv\CustomRP.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\Microsoft.AppCenter.Crashes.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\ka\CustomRP.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\ka\is-BTTKK.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\de\is-ONH2C.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\is-H1ITL.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\is-0375B.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\runtimes\win-x64\native\is-HGKHC.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\hy\is-9K8L2.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\tr\CustomRP.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\bs\CustomRP.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\gl\CustomRP.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\hu\is-T48C7.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\ro\is-SGDGS.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\az\CustomRP.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\is-JHC4U.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\zh-Hans\CustomRP.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\es\is-JBG7J.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\is\is-9VBA1.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\no\CustomRP.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\is-TI8RB.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\is-FEUPA.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\CommonMark.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\cs\CustomRP.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\HtmlRenderer.WinForms.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\bg\CustomRP.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\el\CustomRP.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\ur\CustomRP.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\it\CustomRP.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\kn\is-PHNVH.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\is-550CF.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\ku\is-0AQNH.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\is-QH208.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\lv\is-943IK.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\be\is-CQSTG.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\et\is-1TNPU.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\be\CustomRP.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\de-CH\is-3GQDR.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\ml\is-H8GME.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\my\CustomRP.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\is-FETK3.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\lt\is-558BR.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\de\is-Q34JK.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\my\is-DB878.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\runtimes\win-x64\native\e_sqlite3.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-5AHC5.tmp\_isetup\_setup64.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\mk\is-B6G5I.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\ko\CustomRP.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\bn\is-HPMA5.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\is-1NIJ8.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\is-1OIC0.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\de-CH\CustomRP.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\es\is-65RVL.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\de\CustomRP.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\uk\CustomRP.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\runtimes\win-arm\native\is-JNFCM.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\sr\CustomRP.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\lt\CustomRP.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\fil\is-PN2OA.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CustomRP\ru\is-GL4HQ.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Dropped PE file which has not been started: C:\Users\user~1\AppData\Local\Temp\is-QU0ES.tmp\ndp48-web.exe (copy)	Jump to dropped file

Found large amount of non-executed APIs

Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	API coverage: 2.5 %
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	API coverage: 6.7 %

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Users\user\Desktop\LisectAVT_2403002A_473.exe TID: 2692	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\LocalM_d_cKXRrV.exe TID: 2132	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\LocalylmNBbjoFA.exe TID: 5092	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local_wGRdnhmmy.exe TID: 7428	Thread sleep count: 1089 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local_wGRdnhmmy.exe TID: 7428	Thread sleep time: -1089000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local_wGRdnhmmy.exe TID: 7428	Thread sleep count: 3094 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local_wGRdnhmmy.exe TID: 7428	Thread sleep time: -3094000s >= -30000s	Jump to behavior
Source: C:\Users\user\server.exe TID: 7320	Thread sleep count: 272 > 30
Source: C:\Users\user\server.exe TID: 7320	Thread sleep time: -272000s >= -30000s
Source: C:\Users\user\server.exe TID: 7476	Thread sleep count: 186 > 30
Source: C:\Users\user\server.exe TID: 7476	Thread sleep time: -372000s >= -30000s
Source: C:\Users\user\server.exe TID: 7480	Thread sleep count: 3292 > 30
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe TID: 7652	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe TID: 7712	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe TID: 7804	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe TID: 6604	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe TID: 4944	Thread sleep time: -24903104499507879s >= -30000s
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe TID: 4944	Thread sleep time: -99828s >= -30000s
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe TID: 4944	Thread sleep time: -99717s >= -30000s
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe TID: 4944	Thread sleep time: -99608s >= -30000s
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe TID: 4944	Thread sleep time: -99499s >= -30000s
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe TID: 4944	Thread sleep time: -99334s >= -30000s
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe TID: 4944	Thread sleep time: -98891s >= -30000s
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe TID: 4944	Thread sleep time: -98750s >= -30000s
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe TID: 4944	Thread sleep time: -98640s >= -30000s
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe TID: 4944	Thread sleep time: -98515s >= -30000s
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe TID: 4944	Thread sleep time: -98390s >= -30000s
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe TID: 4944	Thread sleep time: -98278s >= -30000s
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe TID: 4944	Thread sleep time: -98171s >= -30000s
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe TID: 4944	Thread sleep time: -98062s >= -30000s
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe TID: 4944	Thread sleep time: -97953s >= -30000s
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe TID: 4944	Thread sleep time: -97830s >= -30000s
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe TID: 4944	Thread sleep time: -97719s >= -30000s
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe TID: 4944	Thread sleep time: -97594s >= -30000s
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe TID: 4944	Thread sleep time: -97484s >= -30000s
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe TID: 4944	Thread sleep time: -97375s >= -30000s
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe TID: 4944	Thread sleep time: -97262s >= -30000s
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe TID: 4944	Thread sleep time: -97150s >= -30000s
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe TID: 4944	Thread sleep time: -96578s >= -30000s
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe TID: 4944	Thread sleep time: -96407s >= -30000s
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe TID: 4944	Thread sleep time: -96277s >= -30000s
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe TID: 4944	Thread sleep time: -96170s >= -30000s
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe TID: 4944	Thread sleep time: -96058s >= -30000s
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe TID: 4944	Thread sleep time: -95952s >= -30000s
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe TID: 1568	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe TID: 8176	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe TID: 5880	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe TID: 7892	Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe TID: 7892	Thread sleep time: -95397s >= -30000s
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe TID: 7892	Thread sleep time: -95209s >= -30000s
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe TID: 7892	Thread sleep time: -94882s >= -30000s
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe TID: 7892	Thread sleep time: -94661s >= -30000s
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe TID: 7892	Thread sleep time: -94543s >= -30000s
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe TID: 7892	Thread sleep time: -94437s >= -30000s
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe TID: 7892	Thread sleep time: -94327s >= -30000s
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe TID: 7892	Thread sleep time: -94216s >= -30000s
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe TID: 7892	Thread sleep time: -94093s >= -30000s
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe TID: 7892	Thread sleep time: -93984s >= -30000s
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe TID: 7892	Thread sleep time: -93874s >= -30000s
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe TID: 7892	Thread sleep time: -93735s >= -30000s
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe TID: 7892	Thread sleep time: -93594s >= -30000s
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe TID: 7892	Thread sleep time: -93468s >= -30000s
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe TID: 7892	Thread sleep time: -93359s >= -30000s
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe TID: 7892	Thread sleep time: -93250s >= -30000s
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe TID: 7892	Thread sleep time: -93138s >= -30000s
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe TID: 7892	Thread sleep time: -93031s >= -30000s
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe TID: 7892	Thread sleep time: -92914s >= -30000s
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe TID: 7892	Thread sleep time: -92793s >= -30000s
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe TID: 7892	Thread sleep time: -92663s >= -30000s
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe TID: 7892	Thread sleep time: -92512s >= -30000s
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe TID: 7892	Thread sleep time: -92363s >= -30000s
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe TID: 7892	Thread sleep time: -92234s >= -30000s
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe TID: 7892	Thread sleep time: -92123s >= -30000s
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe TID: 7892	Thread sleep time: -92015s >= -30000s
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe TID: 7892	Thread sleep time: -91906s >= -30000s
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe TID: 7892	Thread sleep time: -91794s >= -30000s
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe TID: 7892	Thread sleep time: -91686s >= -30000s
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe TID: 7892	Thread sleep time: -91576s >= -30000s
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe TID: 7892	Thread sleep time: -91470s >= -30000s
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe TID: 7892	Thread sleep time: -91345s >= -30000s
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe TID: 7892	Thread sleep time: -91220s >= -30000s
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe TID: 7892	Thread sleep time: -91095s >= -30000s
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe TID: 7892	Thread sleep time: -90954s >= -30000s
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe TID: 7892	Thread sleep time: -90829s >= -30000s
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe TID: 7892	Thread sleep time: -90704s >= -30000s
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe TID: 7892	Thread sleep time: -90579s >= -30000s
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe TID: 7892	Thread sleep time: -90454s >= -30000s
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe TID: 7892	Thread sleep time: -90329s >= -30000s
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe TID: 7892	Thread sleep time: -90204s >= -30000s
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe TID: 7892	Thread sleep time: -90072s >= -30000s
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe TID: 7892	Thread sleep time: -89954s >= -30000s
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe TID: 7892	Thread sleep time: -89829s >= -30000s
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe TID: 7892	Thread sleep time: -89704s >= -30000s
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe TID: 7892	Thread sleep time: -89579s >= -30000s
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe TID: 7892	Thread sleep time: -89454s >= -30000s
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe TID: 7892	Thread sleep time: -89329s >= -30000s
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe TID: 7892	Thread sleep time: -89191s >= -30000s
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe TID: 7892	Thread sleep time: -89064s >= -30000s
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe TID: 7892	Thread sleep time: -88932s >= -30000s
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe TID: 7892	Thread sleep time: -88821s >= -30000s
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe TID: 7892	Thread sleep time: -88696s >= -30000s
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe TID: 7892	Thread sleep time: -88592s >= -30000s
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe TID: 7892	Thread sleep time: -88484s >= -30000s
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe TID: 7892	Thread sleep time: -88373s >= -30000s
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe TID: 7892	Thread sleep time: -88262s >= -30000s
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe TID: 7892	Thread sleep time: -88156s >= -30000s
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe TID: 7892	Thread sleep time: -88048s >= -30000s
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe TID: 7892	Thread sleep time: -87923s >= -30000s
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe TID: 7892	Thread sleep time: -87798s >= -30000s
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe TID: 7892	Thread sleep time: -87673s >= -30000s
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe TID: 7892	Thread sleep time: -87548s >= -30000s
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe TID: 7892	Thread sleep time: -87423s >= -30000s
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe TID: 7892	Thread sleep time: -87298s >= -30000s
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe TID: 7892	Thread sleep time: -87173s >= -30000s
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe TID: 7892	Thread sleep time: -87033s >= -30000s
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe TID: 7892	Thread sleep time: -86908s >= -30000s
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe TID: 7892	Thread sleep time: -86783s >= -30000s
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe TID: 7892	Thread sleep time: -86658s >= -30000s
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe TID: 760	Thread sleep time: -922337203685477s >= -30000s

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Source: C:\Users\user\AppData\Local_wGRdnhmmy.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\AppData\Local_wGRdnhmmy.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	File Volume queried: C:\ FullSizeInformation

Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe

Code function: 26_2_6A891730 sqlite3_os_init,sqlite3_thread_cleanup,GetSystemInfo,sqlite3_vfs_register,sqlite3_vfs_register,sqlite3_vfs_register,sqlite3_vfs_register,sqlite3_thread_cleanup,

26_2_6A891730

Source: C:\Users\user\Desktop\LisectAVT_2403002A_473.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\LocalM_d_cKXRrV.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\LocalylmNBbjoFA.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Thread delayed: delay time: 99828
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Thread delayed: delay time: 99717
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Thread delayed: delay time: 99608
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Thread delayed: delay time: 99499
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Thread delayed: delay time: 99334
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Thread delayed: delay time: 98891
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Thread delayed: delay time: 98750
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Thread delayed: delay time: 98640
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Thread delayed: delay time: 98515
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Thread delayed: delay time: 98390
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Thread delayed: delay time: 98278
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Thread delayed: delay time: 98171
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Thread delayed: delay time: 98062
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Thread delayed: delay time: 97953
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Thread delayed: delay time: 97830
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Thread delayed: delay time: 97719
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Thread delayed: delay time: 97594
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Thread delayed: delay time: 97484
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Thread delayed: delay time: 97375
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Thread delayed: delay time: 97262
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Thread delayed: delay time: 97150
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Thread delayed: delay time: 96578
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Thread delayed: delay time: 96407
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Thread delayed: delay time: 96277
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Thread delayed: delay time: 96170
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Thread delayed: delay time: 96058
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Thread delayed: delay time: 95952
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Thread delayed: delay time: 95397
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Thread delayed: delay time: 95209
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Thread delayed: delay time: 94882
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Thread delayed: delay time: 94661
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Thread delayed: delay time: 94543
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Thread delayed: delay time: 94437
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Thread delayed: delay time: 94327
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Thread delayed: delay time: 94216
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Thread delayed: delay time: 94093
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Thread delayed: delay time: 93984
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Thread delayed: delay time: 93874
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Thread delayed: delay time: 93735
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Thread delayed: delay time: 93594
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Thread delayed: delay time: 93468
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Thread delayed: delay time: 93359
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Thread delayed: delay time: 93250
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Thread delayed: delay time: 93138
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Thread delayed: delay time: 93031
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Thread delayed: delay time: 92914
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Thread delayed: delay time: 92793
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Thread delayed: delay time: 92663
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Thread delayed: delay time: 92512
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Thread delayed: delay time: 92363
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Thread delayed: delay time: 92234
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Thread delayed: delay time: 92123
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Thread delayed: delay time: 92015
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Thread delayed: delay time: 91906
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Thread delayed: delay time: 91794
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Thread delayed: delay time: 91686
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Thread delayed: delay time: 91576
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Thread delayed: delay time: 91470
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Thread delayed: delay time: 91345
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Thread delayed: delay time: 91220
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Thread delayed: delay time: 91095
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Thread delayed: delay time: 90954
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Thread delayed: delay time: 90829
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Thread delayed: delay time: 90704
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Thread delayed: delay time: 90579
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Thread delayed: delay time: 90454
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Thread delayed: delay time: 90329
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Thread delayed: delay time: 90204
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Thread delayed: delay time: 90072
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Thread delayed: delay time: 89954
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Thread delayed: delay time: 89829
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Thread delayed: delay time: 89704
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Thread delayed: delay time: 89579
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Thread delayed: delay time: 89454
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Thread delayed: delay time: 89329
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Thread delayed: delay time: 89191
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Thread delayed: delay time: 89064
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Thread delayed: delay time: 88932
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Thread delayed: delay time: 88821
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Thread delayed: delay time: 88696
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Thread delayed: delay time: 88592
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Thread delayed: delay time: 88484
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Thread delayed: delay time: 88373
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Thread delayed: delay time: 88262
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Thread delayed: delay time: 88156
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Thread delayed: delay time: 88048
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Thread delayed: delay time: 87923
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Thread delayed: delay time: 87798
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Thread delayed: delay time: 87673
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Thread delayed: delay time: 87548
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Thread delayed: delay time: 87423
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Thread delayed: delay time: 87298
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Thread delayed: delay time: 87173
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Thread delayed: delay time: 87033
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Thread delayed: delay time: 86908
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Thread delayed: delay time: 86783
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Thread delayed: delay time: 86658
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Thread delayed: delay time: 922337203685477

Source: Local_wGRdnhmmy.exe, 00000008.00000002.3785650029.000000001B4B0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: -b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: LocalM_d_cKXRrV.exe, 00000003.00000002.1334949588.0000000000CAB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\y
Source: LisectAVT_2403002A_473.exe	Binary or memory string: vmware
Source: CustomRP.1.17.26.tmp, 00000027.00000003.2207639440.00000000009E3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\
Source: server.exe, 00000010.00000002.3763187381.0000000000F24000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Local_wGRdnhmmy.exe, 00000008.00000002.3785650029.000000001B4B0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllonfi
Source: server.exe, 00000010.00000002.3763187381.0000000000F24000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllrkflowservices, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL"/>
Source: explorer.exe, 0000001F.00000003.2385814386.0000000000B0F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}V
Source: LocalM_d_cKXRrV.exe, 00000003.00000002.1334949588.0000000000CAB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}>B
Source: CustomRP.exe, 0000001A.00000002.1950110963.0000000001185000.00000004.00000020.00020000.00000000.sdmp, CustomRP.exe, 0000002A.00000002.3759680781.00000000014B6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: explorer.exe, 0000001F.00000003.2385814386.0000000000B0F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\8b}\
Source: netsh.exe, 00000013.00000003.1401962998.0000000000A52000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlld

Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Source: C:\Users\user\AppData\Local_wGRdnhmmy.exe

Code function: 8_2_00007FFAA9E67180 CheckRemoteDebuggerPresent,

8_2_00007FFAA9E67180

Checks if the current process is being debugged

Source: C:\Users\user\AppData\Local_wGRdnhmmy.exe

Process queried: DebugPort

Jump to behavior

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe

Code function: 26_2_6A8B0C8A IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

26_2_6A8B0C8A

Enables debug privileges

Source: C:\Users\user\AppData\Local_wGRdnhmmy.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\server.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Process token adjusted: Debug

Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 26_2_6A8B0C8A IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	26_2_6A8B0C8A
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 26_2_6A8AA228 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	26_2_6A8AA228
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 26_2_6A8AB3A0 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	26_2_6A8AB3A0
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 42_2_6A570C8A IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	42_2_6A570C8A
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 42_2_6A56A228 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	42_2_6A56A228
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 42_2_6A56B3A0 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	42_2_6A56B3A0

Source: C:\Users\user\Desktop\LisectAVT_2403002A_473.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

.NET source code references suspicious native API functions

Source: LocalM_d_cKXRrV.exe.0.dr, kl.cs	Reference to suspicious API methods: MapVirtualKey(a, 0u)
Source: LocalM_d_cKXRrV.exe.0.dr, kl.cs	Reference to suspicious API methods: GetAsyncKeyState(num2)
Source: LocalM_d_cKXRrV.exe.0.dr, OK.cs	Reference to suspicious API methods: capGetDriverDescriptionA(wDriver, ref lpszName, 100, ref lpszVer, 100)

Injects code into the Windows Explorer (explorer.exe)

Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Memory written: PID: 3088 base: 190000 value: 00
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Memory written: PID: 3088 base: 2042D8 value: 00
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Memory written: PID: 3088 base: 2051E8 value: 00

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\Desktop\LisectAVT_2403002A_473.exe	Process created: C:\Users\user\AppData\LocalM_d_cKXRrV.exe "C:\Users\user\AppData\LocalM_d_cKXRrV.exe"	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_473.exe	Process created: C:\Users\user\AppData\LocalylmNBbjoFA.exe "C:\Users\user\AppData\LocalylmNBbjoFA.exe"	Jump to behavior
Source: C:\Users\user\AppData\LocalM_d_cKXRrV.exe	Process created: C:\Users\user\server.exe "C:\Users\user\server.exe"	Jump to behavior
Source: C:\Users\user\AppData\LocalylmNBbjoFA.exe	Process created: C:\Users\user\AppData\Local_wGRdnhmmy.exe "C:\Users\user\AppData\Local_wGRdnhmmy.exe"	Jump to behavior
Source: C:\Users\user\AppData\LocalylmNBbjoFA.exe	Process created: C:\Users\user\AppData\LocalwCRkvqzBqW.exe "C:\Users\user\AppData\LocalwCRkvqzBqW.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local_wGRdnhmmy.exe	Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Local_wGRdnhmmy" /tr "C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process created: C:\Windows\SysWOW64\explorer.exe "C:\Windows\System32\explorer.exe" https://docs.customrp.xyz/setting-up
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Process created: C:\Users\user\AppData\Local\Temp\CustomRP.1.17.26.exe "C:\Users\user\AppData\Local\Temp\CustomRP.1.17.26.exe"

Source: server.exe, 00000010.00000002.3774758497.0000000003407000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000010.00000002.3774758497.000000000304B000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000010.00000002.3774758497.0000000002F17000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: server.exe, 00000010.00000002.3774758497.0000000003407000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000010.00000002.3774758497.000000000304B000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000010.00000002.3774758497.0000000002F17000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager@9

Contains functionality to query CPU information (cpuid)

Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe

Code function: 26_2_6A8AAAA1 cpuid

26_2_6A8AAAA1

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\AppData\Local_wGRdnhmmy.exe	Queries volume information: C:\Users\user\AppData\Local_wGRdnhmmy.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GPIMV.tmp\LocalwCRkvqzBqW.tmp	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Queries volume information: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Queries volume information: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Queries volume information: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Queries volume information: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Queries volume information: C:\Users\user\AppData\Roaming\CustomRP\Microsoft.AppCenter.Crashes.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Queries volume information: C:\Users\user\AppData\Roaming\CustomRP\Microsoft.AppCenter.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Queries volume information: C:\Users\user\AppData\Roaming\CustomRP\Microsoft.AppCenter.Analytics.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Queries volume information: C:\Users\user\AppData\Roaming\CustomRP\Newtonsoft.Json.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Queries volume information: C:\Users\user\AppData\Roaming\CustomRP\SQLitePCLRaw.batteries_v2.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Queries volume information: C:\Users\user\AppData\Roaming\CustomRP\SQLitePCLRaw.core.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Queries volume information: C:\Users\user\AppData\Roaming\CustomRP\SQLitePCLRaw.provider.dynamic_cdecl.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\netstandard\v4.0_2.0.0.0__cc7b13ffcd2ddd51\netstandard.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Queries volume information: C:\Users\user\AppData\Roaming\CustomRP\System.Memory.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.InteropServices.RuntimeInformation\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Runtime.InteropServices.RuntimeInformation.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ValueTuple\v4.0_4.0.0.0__cc7b13ffcd2ddd51\System.ValueTuple.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Queries volume information: C:\Users\user\AppData\Roaming\CustomRP\System.Runtime.CompilerServices.Unsafe.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Queries volume information: C:\Users\user\AppData\Roaming\CustomRP\DiscordRPC.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Queries volume information: C:\Users\user\AppData\Roaming\CustomRP\Octokit.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Deployment\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Deployment.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Queries volume information: C:\Users\user\AppData\Roaming\CustomRP\CommonMark.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Queries volume information: C:\Users\user\AppData\Roaming\CustomRP\HtmlRenderer.WinForms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Queries volume information: C:\Users\user\AppData\Roaming\CustomRP\HtmlRenderer.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Queries volume information: C:\Windows\Fonts\segoeuib.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Queries volume information: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Queries volume information: C:\Users\user\AppData\Roaming\CustomRP\Microsoft.AppCenter.Crashes.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Queries volume information: C:\Users\user\AppData\Roaming\CustomRP\Microsoft.AppCenter.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Queries volume information: C:\Users\user\AppData\Roaming\CustomRP\Microsoft.AppCenter.Analytics.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Queries volume information: C:\Users\user\AppData\Roaming\CustomRP\CommonMark.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Queries volume information: C:\Users\user\AppData\Roaming\CustomRP\System.Threading.Tasks.Extensions.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Queries volume information: C:\Users\user\AppData\Roaming\CustomRP\Microsoft.AppCenter.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Queries volume information: C:\Users\user\AppData\Roaming\CustomRP\Octokit.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Queries volume information: C:\Users\user\AppData\Roaming\CustomRP\uk\CustomRP.resources.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\is-8HC4K.tmp\CustomRP.1.17.26.tmp	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Queries volume information: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Queries volume information: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Queries volume information: C:\Users\user\AppData\Roaming\CustomRP\Microsoft.AppCenter.Crashes.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Queries volume information: C:\Users\user\AppData\Roaming\CustomRP\Microsoft.AppCenter.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Queries volume information: C:\Users\user\AppData\Roaming\CustomRP\Microsoft.AppCenter.Analytics.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Queries volume information: C:\Users\user\AppData\Roaming\CustomRP\Newtonsoft.Json.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Queries volume information: C:\Users\user\AppData\Roaming\CustomRP\SQLitePCLRaw.batteries_v2.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Queries volume information: C:\Users\user\AppData\Roaming\CustomRP\SQLitePCLRaw.core.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Queries volume information: C:\Users\user\AppData\Roaming\CustomRP\SQLitePCLRaw.provider.dynamic_cdecl.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\netstandard\v4.0_2.0.0.0__cc7b13ffcd2ddd51\netstandard.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Queries volume information: C:\Users\user\AppData\Roaming\CustomRP\System.Memory.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.InteropServices.RuntimeInformation\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Runtime.InteropServices.RuntimeInformation.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ValueTuple\v4.0_4.0.0.0__cc7b13ffcd2ddd51\System.ValueTuple.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Queries volume information: C:\Users\user\AppData\Roaming\CustomRP\System.Runtime.CompilerServices.Unsafe.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Queries volume information: C:\Users\user\AppData\Roaming\CustomRP\DiscordRPC.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Queries volume information: C:\Users\user\AppData\Roaming\CustomRP\Octokit.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Deployment\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Deployment.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Queries volume information: C:\Users\user\AppData\Roaming\CustomRP\CommonMark.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe	Queries volume information: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe VolumeInformation

Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe

Code function: 26_2_6A8AAFE3 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

26_2_6A8AAFE3

Source: C:\Users\user\AppData\Local_wGRdnhmmy.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Modifies the windows firewall

Source: C:\Users\user\server.exe

Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram "C:\Users\user\server.exe" "server.exe" ENABLE

Uses netsh to modify the Windows network and firewall settings

Source: C:\Users\user\server.exe

Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram "C:\Users\user\server.exe" "server.exe" ENABLE

Stealing of Sensitive Information

Yara detected Njrat

Source: Yara match	File source: LisectAVT_2403002A_473.exe, type: SAMPLE
Source: Yara match	File source: 0.2.LisectAVT_2403002A_473.exe.2e3c5c0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.LisectAVT_2403002A_473.exe.84b214.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.LisectAVT_2403002A_473.exe.2e3c5c0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.LisectAVT_2403002A_473.exe.84b214.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.LocalM_d_cKXRrV.exe.5c0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.LisectAVT_2403002A_473.exe.1f0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1280963638.0000000002E01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.1256648440.000000000084B000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.3774758497.0000000002EA1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.1264112585.00000000005C2000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: LisectAVT_2403002A_473.exe PID: 5604, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: LocalM_d_cKXRrV.exe PID: 4932, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: server.exe PID: 7316, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\LocalM_d_cKXRrV.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\server.exe, type: DROPPED

Yara detected XWorm

Source: Yara match	File source: LisectAVT_2403002A_473.exe, type: SAMPLE
Source: Yara match	File source: 8.0.Local_wGRdnhmmy.exe.3c0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.LisectAVT_2403002A_473.exe.8353e7.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.LocalylmNBbjoFA.exe.2f1c470.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.LocalylmNBbjoFA.exe.8441d8.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.LisectAVT_2403002A_473.exe.8353e7.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.LocalylmNBbjoFA.exe.8441d8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.LisectAVT_2403002A_473.exe.1344c248.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.LisectAVT_2403002A_473.exe.1344c248.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.LocalylmNBbjoFA.exe.2f1c470.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.LisectAVT_2403002A_473.exe.1f0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.LocalylmNBbjoFA.exe.200000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.LisectAVT_2403002A_473.exe.1f220f.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000000.1281627960.00000000003C2000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1293177261.0000000002EE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.3771976186.00000000025E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.1266635863.0000000000215000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1281399824.0000000012E1D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.1256648440.0000000000206000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: LocalylmNBbjoFA.exe PID: 6520, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Local_wGRdnhmmy.exe PID: 7132, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local_wGRdnhmmy.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\LocalylmNBbjoFA.exe, type: DROPPED

Remote Access Functionality

Yara detected Njrat

Source: Yara match	File source: LisectAVT_2403002A_473.exe, type: SAMPLE
Source: Yara match	File source: 0.2.LisectAVT_2403002A_473.exe.2e3c5c0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.LisectAVT_2403002A_473.exe.84b214.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.LisectAVT_2403002A_473.exe.2e3c5c0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.LisectAVT_2403002A_473.exe.84b214.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.LocalM_d_cKXRrV.exe.5c0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.LisectAVT_2403002A_473.exe.1f0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1280963638.0000000002E01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.1256648440.000000000084B000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.3774758497.0000000002EA1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.1264112585.00000000005C2000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: LisectAVT_2403002A_473.exe PID: 5604, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: LocalM_d_cKXRrV.exe PID: 4932, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: server.exe PID: 7316, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\LocalM_d_cKXRrV.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\server.exe, type: DROPPED

Yara detected XWorm

Source: Yara match	File source: LisectAVT_2403002A_473.exe, type: SAMPLE
Source: Yara match	File source: 8.0.Local_wGRdnhmmy.exe.3c0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.LisectAVT_2403002A_473.exe.8353e7.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.LocalylmNBbjoFA.exe.2f1c470.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.LocalylmNBbjoFA.exe.8441d8.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.LisectAVT_2403002A_473.exe.8353e7.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.LocalylmNBbjoFA.exe.8441d8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.LisectAVT_2403002A_473.exe.1344c248.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.LisectAVT_2403002A_473.exe.1344c248.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.LocalylmNBbjoFA.exe.2f1c470.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.LisectAVT_2403002A_473.exe.1f0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.LocalylmNBbjoFA.exe.200000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.LisectAVT_2403002A_473.exe.1f220f.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000000.1281627960.00000000003C2000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1293177261.0000000002EE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.3771976186.00000000025E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.1266635863.0000000000215000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1281399824.0000000012E1D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.1256648440.0000000000206000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: LocalylmNBbjoFA.exe PID: 6520, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Local_wGRdnhmmy.exe PID: 7132, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\Local_wGRdnhmmy.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local_wGRdnhmmy.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\LocalylmNBbjoFA.exe, type: DROPPED

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 26_2_6A7FDA30 sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_step,sqlite3_thread_cleanup,sqlite3_value_blob,sqlite3_thread_cleanup,sqlite3_thread_cleanup,sqlite3_thread_cleanup,sqlite3_thread_cleanup,sqlite3_thread_cleanup,sqlite3_thread_cleanup,sqlite3_thread_cleanup,sqlite3_initialize,sqlite3_thread_cleanup,sqlite3_thread_cleanup,sqlite3_thread_cleanup,sqlite3_thread_cleanup,sqlite3_thread_cleanup,sqlite3_thread_cleanup,sqlite3_thread_cleanup,sqlite3_thread_cleanup,sqlite3_thread_cleanup,sqlite3_thread_cleanup,sqlite3_thread_cleanup,sqlite3_thread_cleanup,sqlite3_thread_cleanup,sqlite3_thread_cleanup,sqlite3_thread_cleanup,sqlite3_thread_cleanup,sqlite3_initialize,sqlite3_free,sqlite3_thread_cleanup,sqlite3_thread_cleanup,sqlite3_thread_cleanup,sqlite3_thread_cleanup,sqlite3_bind_int64,sqlite3_thread_cleanup,sqlite3_step,sqlite3_reset,sqlite3_thread_cleanup,sqlite3_thread_cleanup,sqlite3_thread_cleanup,sqlite3_thread_cleanup,sqlite3_thread_cleanup,sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_step,sqlite3_thread_cleanup,sqlite3_thread_cleanup,sqlite3_bind_int64,sqlite3_log,sqlite3_log,sqlite3_thread_cleanup,sqlite3_thread_cleanup,sqlite3_log,sqlite3_log,sqlite3_thread_cleanup,sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_bind_null,sqlite3_thread_cleanup,sqlite3_thread_cleanup,sqlite3_thread_cleanup,sqlite3_thread_cleanup,sqlite3_thread_cleanup,sqlite3_thread_cleanup,sqlite3_thread_cleanup,sqlite3_thread_cleanup,	26_2_6A7FDA30
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 26_2_6A859A00 sqlite3_value_int64,sqlite3_bind_value,sqlite3_step,sqlite3_thread_cleanup,sqlite3_thread_cleanup,	26_2_6A859A00
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 26_2_6A7FCAE0 sqlite3_mprintf,sqlite3_mprintf,sqlite3_mprintf,sqlite3_free,sqlite3_bind_value,	26_2_6A7FCAE0
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 26_2_6A7FBAD0 sqlite3_bind_int64,sqlite3_step,sqlite3_thread_cleanup,sqlite3_thread_cleanup,sqlite3_thread_cleanup,sqlite3_thread_cleanup,	26_2_6A7FBAD0
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 26_2_6A801A30 sqlite3_mprintf,sqlite3_free,sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,	26_2_6A801A30
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 26_2_6A7BAA90 sqlite3_value_int64,sqlite3_value_int64,sqlite3_value_int,sqlite3_initialize,sqlite3_free,sqlite3_blob_close,sqlite3_mprintf,sqlite3_mprintf,sqlite3_free,sqlite3_bind_value,sqlite3_reset,sqlite3_step,sqlite3_reset,sqlite3_column_int64,	26_2_6A7BAA90
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 26_2_6A824B80 sqlite3_bind_int64,sqlite3_thread_cleanup,sqlite3_thread_cleanup,sqlite3_step,sqlite3_reset,sqlite3_thread_cleanup,	26_2_6A824B80
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 26_2_6A859BA0 sqlite3_bind_int64,sqlite3_step,sqlite3_thread_cleanup,sqlite3_thread_cleanup,sqlite3_bind_int64,sqlite3_step,sqlite3_thread_cleanup,sqlite3_thread_cleanup,	26_2_6A859BA0
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 26_2_6A832B40 sqlite3_bind_int64,sqlite3_step,sqlite3_column_int64,sqlite3_reset,sqlite3_reset,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_thread_cleanup,sqlite3_thread_cleanup,sqlite3_thread_cleanup,sqlite3_thread_cleanup,sqlite3_free,sqlite3_free,sqlite3_thread_cleanup,sqlite3_thread_cleanup,sqlite3_thread_cleanup,sqlite3_thread_cleanup,sqlite3_thread_cleanup,sqlite3_thread_cleanup,sqlite3_thread_cleanup,sqlite3_thread_cleanup,sqlite3_thread_cleanup,	26_2_6A832B40
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 26_2_6A7F8870 sqlite3_bind_int64,sqlite3_step,sqlite3_initialize,sqlite3_thread_cleanup,sqlite3_thread_cleanup,sqlite3_thread_cleanup,sqlite3_thread_cleanup,sqlite3_thread_cleanup,sqlite3_thread_cleanup,sqlite3_thread_cleanup,sqlite3_thread_cleanup,sqlite3_step,sqlite3_thread_cleanup,sqlite3_thread_cleanup,sqlite3_thread_cleanup,sqlite3_thread_cleanup,sqlite3_thread_cleanup,sqlite3_thread_cleanup,sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_step,sqlite3_thread_cleanup,sqlite3_thread_cleanup,sqlite3_free,	26_2_6A7F8870
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 26_2_6A7EB880 sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_result_error_code,	26_2_6A7EB880
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 26_2_6A7F0910 sqlite3_initialize,sqlite3_bind_int64,sqlite3_step,sqlite3_thread_cleanup,sqlite3_thread_cleanup,sqlite3_thread_cleanup,sqlite3_value_blob,sqlite3_thread_cleanup,sqlite3_thread_cleanup,sqlite3_thread_cleanup,sqlite3_thread_cleanup,sqlite3_thread_cleanup,sqlite3_thread_cleanup,sqlite3_thread_cleanup,sqlite3_thread_cleanup,sqlite3_thread_cleanup,	26_2_6A7F0910
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 26_2_6A7CA9E0 sqlite3_transfer_bindings,	26_2_6A7CA9E0
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 26_2_6A816970 sqlite3_mprintf,sqlite3_free,sqlite3_bind_int64,sqlite3_thread_cleanup,sqlite3_step,sqlite3_reset,sqlite3_thread_cleanup,	26_2_6A816970
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 26_2_6A7C8E60 sqlite3_bind_blob,sqlite3_thread_cleanup,sqlite3_thread_cleanup,	26_2_6A7C8E60
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 26_2_6A859EA0 sqlite3_bind_int64,sqlite3_step,sqlite3_thread_cleanup,sqlite3_value_blob,sqlite3_thread_cleanup,sqlite3_thread_cleanup,sqlite3_thread_cleanup,sqlite3_thread_cleanup,sqlite3_thread_cleanup,	26_2_6A859EA0
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 26_2_6A7CAE30 sqlite3_value_frombind,	26_2_6A7CAE30
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 26_2_6A7F2E20 sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_step,sqlite3_thread_cleanup,sqlite3_thread_cleanup,sqlite3_thread_cleanup,sqlite3_thread_cleanup,sqlite3_step,sqlite3_thread_cleanup,sqlite3_thread_cleanup,sqlite3_thread_cleanup,sqlite3_thread_cleanup,	26_2_6A7F2E20
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 26_2_6A812EF0 sqlite3_bind_int64,sqlite3_log,sqlite3_log,sqlite3_thread_cleanup,sqlite3_thread_cleanup,sqlite3_log,sqlite3_log,sqlite3_thread_cleanup,sqlite3_step,sqlite3_thread_cleanup,sqlite3_thread_cleanup,sqlite3_log,sqlite3_log,sqlite3_thread_cleanup,sqlite3_thread_cleanup,sqlite3_log,sqlite3_log,sqlite3_thread_cleanup,	26_2_6A812EF0
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 26_2_6A852E40 sqlite3_bind_int64,sqlite3_step,sqlite3_thread_cleanup,sqlite3_thread_cleanup,sqlite3_thread_cleanup,sqlite3_thread_cleanup,	26_2_6A852E40
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 26_2_6A816F80 sqlite3_mprintf,sqlite3_free,sqlite3_free,sqlite3_bind_int64,	26_2_6A816F80
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 26_2_6A7EBF50 sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_step,sqlite3_thread_cleanup,sqlite3_thread_cleanup,	26_2_6A7EBF50
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 26_2_6A7F0F50 sqlite3_bind_int64,sqlite3_step,sqlite3_thread_cleanup,sqlite3_value_blob,sqlite3_thread_cleanup,sqlite3_thread_cleanup,sqlite3_thread_cleanup,sqlite3_thread_cleanup,sqlite3_thread_cleanup,	26_2_6A7F0F50
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 26_2_6A7C8F10 sqlite3_bind_blob64,sqlite3_thread_cleanup,sqlite3_thread_cleanup,	26_2_6A7C8F10
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 26_2_6A7C8FC0 sqlite3_bind_double,sqlite3_thread_cleanup,	26_2_6A7C8FC0
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 26_2_6A801F60 sqlite3_mprintf,sqlite3_free,sqlite3_bind_int64,sqlite3_thread_cleanup,sqlite3_step,sqlite3_reset,sqlite3_thread_cleanup,	26_2_6A801F60
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 26_2_6A814F60 sqlite3_free,sqlite3_mprintf,sqlite3_free,sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_mprintf,sqlite3_free,sqlite3_bind_int64,sqlite3_thread_cleanup,sqlite3_step,sqlite3_reset,sqlite3_thread_cleanup,sqlite3_free,sqlite3_free,sqlite3_free,	26_2_6A814F60
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 26_2_6A853CB0 sqlite3_bind_int64,sqlite3_step,sqlite3_thread_cleanup,sqlite3_thread_cleanup,sqlite3_thread_cleanup,sqlite3_thread_cleanup,	26_2_6A853CB0
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 26_2_6A816CF0 sqlite3_thread_cleanup,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_thread_cleanup,	26_2_6A816CF0
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 26_2_6A7EBD10 sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_step,sqlite3_thread_cleanup,sqlite3_thread_cleanup,	26_2_6A7EBD10
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 26_2_6A831D60 sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,	26_2_6A831D60
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 26_2_6A7C9230 sqlite3_bind_text16,sqlite3_thread_cleanup,sqlite3_thread_cleanup,	26_2_6A7C9230
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 26_2_6A7F1230 sqlite3_bind_int64,sqlite3_log,sqlite3_log,sqlite3_thread_cleanup,sqlite3_thread_cleanup,sqlite3_log,sqlite3_log,sqlite3_thread_cleanup,sqlite3_step,sqlite3_thread_cleanup,sqlite3_thread_cleanup,sqlite3_log,sqlite3_log,sqlite3_thread_cleanup,sqlite3_thread_cleanup,sqlite3_log,sqlite3_log,sqlite3_thread_cleanup,	26_2_6A7F1230
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 26_2_6A7BD200 sqlite3_result_int64,sqlite3_result_double,sqlite3_result_int,sqlite3_prepare_v3,sqlite3_bind_int64,sqlite3_step,sqlite3_column_value,sqlite3_result_value,sqlite3_reset,	26_2_6A7BD200
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 26_2_6A7F52C0 sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_step,sqlite3_thread_cleanup,sqlite3_thread_cleanup,sqlite3_thread_cleanup,sqlite3_thread_cleanup,sqlite3_mprintf,sqlite3_free,sqlite3_step,sqlite3_thread_cleanup,sqlite3_thread_cleanup,sqlite3_thread_cleanup,sqlite3_thread_cleanup,sqlite3_thread_cleanup,sqlite3_thread_cleanup,sqlite3_thread_cleanup,sqlite3_thread_cleanup,sqlite3_log,sqlite3_log,sqlite3_thread_cleanup,sqlite3_thread_cleanup,sqlite3_thread_cleanup,sqlite3_thread_cleanup,sqlite3_thread_cleanup,	26_2_6A7F52C0
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 26_2_6A82D260 sqlite3_free,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,	26_2_6A82D260
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 26_2_6A7C9360 sqlite3_bind_value,sqlite3_bind_int64,sqlite3_bind_double,sqlite3_bind_zeroblob,sqlite3_bind_blob,sqlite3_thread_cleanup,	26_2_6A7C9360
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 26_2_6A7C9310 sqlite3_bind_text64,	26_2_6A7C9310
Source: C:\Users\user\AppData\Roaming\CustomRP\CustomRP.exe	Code function: 26_2_6A7FF390 sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_mprintf,sqlite3_free,sqlite3_bind_text,sqlite3_thread_cleanup,sqlite3_step,sqlite3_reset,sqlite3_thread_cleanup,	26_2_6A7FF390

Windows Analysis Report
LisectAVT_2403002A_473.exe

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel
Provided by

Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Private

Contacted Domains

Contacted URLs

ID:	1482220
Product:	CloudBasic
Start time:	19:43:46
Start date:	25.07.2024
Sample:	LisectAVT_2403002A_473.exe
Cookbook:	default.jbs
System description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Architecture:	WINDOWS
MD5:	f256345478d00e975e7c0987fa05f63e
SHA1:	005b5c18852675ced842632957199d6d47128ade
SHA256:	3d72496f46a130331bc6e35d4211c7a9d6c31770affba0f99ebbe6abf6cd42d2
Filetype:	Win32 Executable (generic) Net Framework (10011505/4) 49.69%

Windows Analysis Report LisectAVT_2403002A_473.exe

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel Provided by

Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Private

Contacted Domains

Contacted URLs

Windows Analysis Report
LisectAVT_2403002A_473.exe

Malware Threat Intel
Provided by